Spring Security @PreAuthorize("isAnonymous()") needs more config to effect

First,thank you for design this great framework. Describe the bug @PreAuthorize("isAnonymous()") needs more config to effect than what I get from Spring Security Reference 5.3.2

To Reproduce When I do this

@Configuration @EnableGlobalMethodSecurity(prePostEnabled = true) public class SecurityConfig{}

@RestController public class TestController { @GetMapping("/test1") @PreAuthorize("isAnonymous()") public String test1(){ return "success"; } } It has no affection,and the following code is also has no affection @Configuration @EnableGlobalMethodSecurity(prePostEnabled = true) public class SecurityConfig extends WebSecurityConfigurerAdapter {}

Then I did this @EnableGlobalMethodSecurity(securedEnabled = true,prePostEnabled = true) public class SecurityConfig extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { // here has nothing } }

Now,@PreAuthorize("isAnonymous()") is effective. I don't know if you guys design this,but it will cost lots time when security is fresh to a guy.

Thank you for reading.

Expected behavior Hopeing this code can be useful for anonymous @Configuration @EnableGlobalMethodSecurity(prePostEnabled = true) public class SecurityConfig{}

@RestController public class TestController { @GetMapping("/test1") @PreAuthorize("isAnonymous()") public String test1(){ return "success"; } }

Comment From: DukeTiny

Igore this i did it wrong

Comment From: rwinch

Thanks for the quick follow up @DukeTiny!