Method Security Configuration should publish an OAuth2MethodSecurityExpressionHandler bean #336

jzheaux · 2021-07-24T03:49:14Z

OAuth2MethodSecurityConfiguration configures applications with an OAuth2MethodSecurityExpressionHandler by replacing GlobalMethodSecurityConfiguration's instance of DefaultMethodSecurityExpressionHandler.

This causes an application's declared DefaultMethodSecurityExpressionHandler bean to be overridden by the auto-configuration, which is not ideal.

Also, for this to work, it relies on a specific startup order for GlobalMethodSecurityConfiguration and when its object post-processor and setters are called. This ordering was recently adjusted in Security 5.6 M1, causing this configuration mechanism to break.

A more reliable mechanism is Boot's @ConditionOnMissingBean annotation, which will provide an OAuth2MethodSecurityExpressionHandler if an instance of MethodSecurityExpressionHandler is not already published. This will cause GlobalMethodSecurityConfiguration to pick up the OAuth2MethodSecurityExpressionHandler by the same means as its other components.

The text was updated successfully, but these errors were encountered:

jzheaux added type: enhancement in: autoconfigure labels Jul 24, 2021

jzheaux added this to the 2.6.0-M1 milestone Jul 24, 2021

jzheaux self-assigned this Jul 24, 2021

jzheaux closed this as completed in 4288519 Jul 24, 2021

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Method Security Configuration should publish an OAuth2MethodSecurityExpressionHandler bean #336

Method Security Configuration should publish an OAuth2MethodSecurityExpressionHandler bean #336

jzheaux commented Jul 24, 2021

Method Security Configuration should publish an OAuth2MethodSecurityExpressionHandler bean #336

Method Security Configuration should publish an OAuth2MethodSecurityExpressionHandler bean #336

Comments

jzheaux commented Jul 24, 2021