Open andcuevas opened 7 years ago
Apparently WebInvocationPrivilegeEvaluator is not compatible with:
@EnableGlobalMethodSecurity(securedEnabled = true, prePostEnabled = true)
In order to use WebInvocationPrivilegeEvaluator, the above annotation must be avoided.
Summary
The class WebInvocationPrivilegeEvaluator is not using rules defined with the @PreAuthorize annotation.
Actual Behavior
When calling the method WebInvocationPrivilegeEvaluator.isAllowed(), the evaluator is not using the rules defined with the @PreAuthorize annotation. It does use the rules defined in the WebSecurityConfigurerAdapter, but if the annotation @PreAuthorize is used in the application, the evaluator will say that the user has access to something that they don't have access to.
Expected Behavior
When the annotation @PreAuthorize is being used in a controller endpoint, the WebInvocationPrivilegeEvaluator must add that rule in the evaluation.
Configuration
Version
Spring Boot 1.4.2 RELEASE
Spring Security 4.1.3 RELEASE
Spring Security 4.2.0.RELEASE presents the same problem.
Sample
https://github.com/andcuevas/spring-security-priv-eval-problem
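
An added example, not taken from the report or its sample repository: since the report says isAllowed() does use the rules defined in the WebSecurityConfigurerAdapter, one way to keep its answer consistent with a @PreAuthorize rule is to mirror that rule as a URL rule. The class names, the /reports/** path and the ADMIN role are assumptions made for illustration.

```java
// Added illustration: class names, paths and roles are hypothetical.
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.access.WebInvocationPrivilegeEvaluator;
import org.springframework.stereotype.Component;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(securedEnabled = true, prePostEnabled = true)
class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
            // URL rule mirroring the @PreAuthorize rule below: enforced by the
            // filter chain and consulted by WebInvocationPrivilegeEvaluator.
            .antMatchers("/reports/**").hasRole("ADMIN")
            .anyRequest().authenticated();
    }
}

@RestController
class ReportController {
    // Method rule: enforced when the method is invoked, but per the report
    // it is not taken into account by isAllowed().
    @PreAuthorize("hasRole('ADMIN')")
    @GetMapping("/reports/summary")
    public String summary() {
        return "summary";
    }
}

@Component
class LinkVisibility {
    private final WebInvocationPrivilegeEvaluator evaluator;

    LinkVisibility(WebInvocationPrivilegeEvaluator evaluator) {
        this.evaluator = evaluator;
    }

    // Reflects URL rules only; with the mirrored rule above, a non-ADMIN
    // user gets false here as well as being denied at the method.
    boolean canSee(String uri, Authentication auth) {
        return evaluator.isAllowed(uri, auth);
    }
}
```

Without the antMatchers line, canSee("/reports/summary", auth) would reflect only anyRequest().authenticated(), which is the mismatch described above, so the evaluator's result is best treated as a UI hint rather than as the enforcement point.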