spring-projects / spring-security

Spring Security
http://spring.io/projects/spring-security
Apache License 2.0

WebInvocationPrivilegeEvaluator is not using rules defined with @PreAuthorize annotation. #4159

Open andcuevas opened 7 years ago

andcuevas commented 7 years ago

Summary

The class WebInvocationPrivilegeEvaluator is not using rules defined with the @PreAuthorize annotation.

Actual Behavior

When calling the method WebInvocationPrivilegeEvaluator.isAllowed() the evaluator is not using the rules defined with the @PreAuthorize annotation. It does use the rules defined in the WebSecurityConfigurerAdapter, but if the annotation @PreAuthorize is used in the application the evaluator will say that the user has access to something the user does not actually have access to.

Expected Behavior

When the annotation @PreAuthorize is being used in a controller endpoint, the WebInvocationPrivilegeEvaluator must add that rule in the evaluation.

Configuration

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.savedrequest.NullRequestCache;

@EnableGlobalMethodSecurity(securedEnabled = true, prePostEnabled = true)
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

  @Override
  protected void configure(HttpSecurity http) throws Exception {
    http
      .authorizeRequests()
      // Web-layer rule: the only kind of rule WebInvocationPrivilegeEvaluator consults
      .antMatchers("/ok/greetings/**").access("hasRole('ADMIN')")
      .anyRequest().authenticated()
      .and()
      .requestCache()
      .requestCache(new NullRequestCache())
      .and()
      .httpBasic();
  }

  @Autowired
  public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
    // Two in-memory users: one holding ROLE_ADMIN, one holding a role no rule accepts
    auth.inMemoryAuthentication().withUser("admin").password("password").roles("ADMIN");
    auth.inMemoryAuthentication().withUser("noaccess").password("password").roles("NO_ACCESS");
  }
}

import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class GreetingsController {

  // Controller class and method body are assumed; the issue only shows the two annotations.
  // Method-layer rule only: enforced by the method security interceptor, invisible to the evaluator
  @PreAuthorize("hasRole('ADMIN')")
  @RequestMapping(value = "/bug/greetings", method = RequestMethod.GET)
  public String bugGreetings() {
    return "greetings";
  }
}

Version

Spring Boot 1.4.2.RELEASE, Spring Security 4.1.3.RELEASE

Spring Security 4.2.0.RELEASE presents the same problem.

Sample

https://github.com/andcuevas/spring-security-priv-eval-problem

andcuevas commented 7 years ago

Apparently WebInvocationPrivilegeEvaluator is not compatible with:

@EnableGlobalMethodSecurity(securedEnabled = true, prePostEnabled = true) 

In order to use WebInvocationPrivilegeEvaluator, the above annotation must be avoided.
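The gap described in the issue and in the follow-up comment, as an added example that is not part of the issue or of the linked sample repository: a Spring Boot 1.4 / JUnit 4 test (assumed to run in the same application context as the SecurityConfig above) that asks the auto-configured WebInvocationPrivilegeEvaluator bean about both endpoints using a constructed authentication for the noaccess user.

```java
import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertTrue;

import org.junit.Test;
import org.junit.runner.RunWith;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.access.WebInvocationPrivilegeEvaluator;
import org.springframework.test.context.junit4.SpringRunner;

@RunWith(SpringRunner.class)
@SpringBootTest
public class PrivilegeEvaluatorGapTest {

  // Bean exposed by @EnableWebSecurity; it wraps the FilterSecurityInterceptor of the filter chain
  @Autowired
  private WebInvocationPrivilegeEvaluator evaluator;

  // Constructed authentication mirroring the "noaccess" in-memory user (already authenticated)
  private final Authentication noAccess =
      new TestingAuthenticationToken("noaccess", "password", "ROLE_NO_ACCESS");

  @Test
  public void webLayerRuleIsConsulted() {
    // /ok/greetings is guarded by the HttpSecurity rule, so the evaluator correctly denies it
    assertFalse(evaluator.isAllowed("/ok/greetings", noAccess));
  }

  @Test
  public void methodLayerRuleIsNotConsulted() {
    // /bug/greetings only matches anyRequest().authenticated() at the web layer; the @PreAuthorize
    // rule lives in method security, which the evaluator never runs, so it reports access
    // even though the controller invocation itself would be rejected with AccessDeniedException
    assertTrue(evaluator.isAllowed("/bug/greetings", noAccess));
  }
}
```

Restating the rule at the web layer (for example `.antMatchers("/bug/greetings/**").hasRole("ADMIN")` placed before `anyRequest()`) makes the evaluator deny the second call as well, while @PreAuthorize can stay on the method as a second, independent check.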