This repository was archived by the owner on May 31, 2022. It is now read-only.

Method Security Configuration should publish an OAuth2MethodSecurityExpressionHandler bean #336

Closed
jzheaux opened this issue Jul 24, 2021 · 0 comments

jzheaux commented Jul 24, 2021

OAuth2MethodSecurityConfiguration configures applications with an OAuth2MethodSecurityExpressionHandler by replacing GlobalMethodSecurityConfiguration's instance of DefaultMethodSecurityExpressionHandler.

This causes an application's declared DefaultMethodSecurityExpressionHandler bean to be overridden by the auto-configuration, which is not ideal.

Also, for this to work, it relies on a specific startup order for GlobalMethodSecurityConfiguration and when its object post-processor and setters are called. This ordering was recently adjusted in Security 5.6 M1, causing this configuration mechanism to break.

A more reliable mechanism is Boot's @ConditionalOnMissingBean annotation, which will provide an OAuth2MethodSecurityExpressionHandler if an instance of MethodSecurityExpressionHandler is not already published. This will cause GlobalMethodSecurityConfiguration to pick up the OAuth2MethodSecurityExpressionHandler by the same means as its other components.
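
The mechanism proposed in the issue above, sketched as an added example that is not part of the original issue and not the project's own code. Both class names are hypothetical, and the first class is assumed to be registered as a Boot auto-configuration so that it is evaluated after the application's own bean definitions.

```java
import org.springframework.boot.autoconfigure.condition.ConditionalOnClass;
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler;
import org.springframework.security.access.expression.method.MethodSecurityExpressionHandler;
import org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl;
import org.springframework.security.oauth2.provider.expression.OAuth2MethodSecurityExpressionHandler;

// Auto-configuration side (hypothetical class name, assumed to be registered
// as a Boot auto-configuration rather than found by component scanning).
@Configuration(proxyBeanMethods = false)
@ConditionalOnClass(OAuth2MethodSecurityExpressionHandler.class)
class ExampleOAuth2MethodSecurityAutoConfiguration {

    // Published only when no MethodSecurityExpressionHandler of any kind has
    // been declared. The condition names the interface, not the OAuth2
    // subclass, so an application's DefaultMethodSecurityExpressionHandler
    // makes this bean back off instead of being replaced.
    @Bean
    @ConditionalOnMissingBean(MethodSecurityExpressionHandler.class)
    OAuth2MethodSecurityExpressionHandler methodSecurityExpressionHandler() {
        return new OAuth2MethodSecurityExpressionHandler();
    }
}

// Application side (hypothetical class name): a handler declared by the
// application. With the condition above, this is the single handler bean in
// the context and it is no longer overridden at startup.
@Configuration(proxyBeanMethods = false)
class ExampleAppMethodSecurityConfig {

    @Bean
    MethodSecurityExpressionHandler appMethodSecurityExpressionHandler() {
        // Constructed sample hierarchy, only to show a customized handler.
        RoleHierarchyImpl hierarchy = new RoleHierarchyImpl();
        hierarchy.setHierarchy("ROLE_ADMIN > ROLE_USER");

        DefaultMethodSecurityExpressionHandler handler =
                new DefaultMethodSecurityExpressionHandler();
        handler.setRoleHierarchy(hierarchy);
        return handler;
    }
}
```

When the application supplies a handler that is not an OAuth2MethodSecurityExpressionHandler, the `#oauth2` expression variable is not registered, so method-security annotations that use it need the application's handler to extend the OAuth2 one.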
