
Using @EnableGlobalMethodSecurity(prePostEnabled = true) it seems that

```java
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
}
```

`@PreAuthorize` has no effect:

```java
@PreAuthorize("permitAll()")
@RequestMapping(value = "/users/change-email", method = RequestMethod.GET)
public void changeEmail() {
    // ..
}
```

I have also moved the annotation into the service layer with the same result:

```java
@PreAuthorize("permitAll()")
@Transactional
public void changeEmail(HttpServletResponse response, String token) throws IOException {
    // ..
}
```

It's not clear to me why - any ideas?

This is how I am configuring my ResourceServerConfigurerAdapter:

```java
@Configuration
@EnableResourceServer
public class ResourceServer extends ResourceServerConfigurerAdapter {

    @Override
    public void configure(HttpSecurity http) throws Exception {

        http
                .exceptionHandling()
                    .authenticationEntryPoint(new AuthFailureHandler())
                .and()
                .authorizeRequests()
                    .anyRequest()
                    .authenticated();
    }
}
```

At the moment I am getting an AccessDeniedException:

```
org.springframework.security.access.AccessDeniedException: Access is denied
    at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:84) ~[spring-security-core-5.0.6.RELEASE.jar:5.0.6.RELEASE]
    at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:233) ~[spring-security-core-5.0.6.RELEASE.jar:5.0.6.RELEASE]
    at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:124) ~[spring-security-web-5.0.6.RELEASE.jar:5.0.6.RELEASE]
    at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:91) ~[spring-security-web-5.0.6.RELEASE.jar:5.0.6.RELEASE]
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-5.0.6.RELEASE.jar:5.0.6.RELEASE]
    at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:119) ~[spring-security-web-5.0.6.RELEASE.jar:5.0.6.RELEASE]
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-5.0.6.RELEASE.jar:5.0.6.RELEASE]
    at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:137) [spring-security-web-5.0.6.RELEASE.jar:5.0.6.RELEASE]
```
Stefan Falk
  • What is `permitAll()`? If it is a method, then according to SpEL syntax it has to be written with an `@` at the beginning, doesn't it? – Yuriy Tsarkov Nov 02 '18 at 20:33
  • @YuriyTsarkov I don't think so. I've only seen `@PreAuthorize("permitAll")` or `@PreAuthorize("permitAll()")` so far. – Stefan Falk Nov 02 '18 at 20:36
  • @Stefan Falk yes, my bad, but probably I've found a true reason. Here it is https://stackoverflow.com/questions/29643183/spring-security-preauthorize-not-working – Yuriy Tsarkov Nov 02 '18 at 21:28
  • @YuriyTsarkov Just tried it. It gives the same issue. Unfortunately I think there is no solution: https://stackoverflow.com/a/33543074/826983 – Stefan Falk Nov 02 '18 at 21:33
  • @StefanFalk I can't explain it yet, but the easiest way should be to remove the `@PreAuthorize`. It is the same as `permitAll`. – dur Nov 03 '18 at 10:09
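
The stack trace in the question shows the denial raised from `FilterSecurityInterceptor`, the URL-level check configured through `authorizeRequests()`, which runs in the filter chain before any `@PreAuthorize` expression on the handler is evaluated. The following is an added example (not part of the original question or its comments) that takes the question's resource server configuration and adds a URL-level rule for this one endpoint. It assumes `GET /users/change-email` is meant to be reachable without a token; `AuthFailureHandler` is the asker's own class and is not defined here.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;

@Configuration
@EnableResourceServer
public class ResourceServer extends ResourceServerConfigurerAdapter {

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http
            .exceptionHandling()
                // AuthFailureHandler comes from the question; it is not defined in this example.
                .authenticationEntryPoint(new AuthFailureHandler())
            .and()
            .authorizeRequests()
                // The question's version had only .anyRequest().authenticated(), so an
                // unauthenticated request was rejected in the filter chain before the
                // method annotated with @PreAuthorize("permitAll()") was ever invoked.
                // Rules are matched in declaration order, so the specific matcher must
                // come before anyRequest(). Only GET on this exact path is opened.
                .antMatchers(HttpMethod.GET, "/users/change-email").permitAll()
                .anyRequest().authenticated();
    }
}
```

Method security can only narrow what the URL rules let through, so with this rule in place the `@PreAuthorize("permitAll()")` annotation on the handler adds nothing.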

0 Answers