You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
{{ message }}
This repository was archived by the owner on May 31, 2022. It is now read-only.
OAuth2MethodSecurityConfiguration configures applications with an OAuth2MethodSecurityExpressionHandler by replacing GlobalMethodSecurityConfiguration's instance of DefaultMethodSecurityExpressionHandler.
This causes an application's declared DefaultMethodSecurityExpressionHandler bean to be overridden by the auto-configuration, which is not ideal.
Also, for this to work, it relies on a specific startup order for GlobalMethodSecurityConfiguration and when its object post-processor and setters are called. This ordering was recently adjusted in Security 5.6 M1, causing this configuration mechanism to break.
A more reliable mechanism is Boot's @ConditionOnMissingBean annotation, which will provide an OAuth2MethodSecurityExpressionHandler if an instance of MethodSecurityExpressionHandler is not already published. This will cause GlobalMethodSecurityConfiguration to pick up the OAuth2MethodSecurityExpressionHandler by the same means as its other components.
The text was updated successfully, but these errors were encountered:
OAuth2MethodSecurityConfiguration
configures applications with anOAuth2MethodSecurityExpressionHandler
by replacingGlobalMethodSecurityConfiguration
's instance ofDefaultMethodSecurityExpressionHandler
.This causes an application's declared
DefaultMethodSecurityExpressionHandler
bean to be overridden by the auto-configuration, which is not ideal.Also, for this to work, it relies on a specific startup order for
GlobalMethodSecurityConfiguration
and when its object post-processor and setters are called. This ordering was recently adjusted in Security 5.6 M1, causing this configuration mechanism to break.A more reliable mechanism is Boot's
@ConditionOnMissingBean
annotation, which will provide anOAuth2MethodSecurityExpressionHandler
if an instance ofMethodSecurityExpressionHandler
is not already published. This will causeGlobalMethodSecurityConfiguration
to pick up theOAuth2MethodSecurityExpressionHandler
by the same means as its other components.The text was updated successfully, but these errors were encountered: