According to the docs, method-level security settings must overwrite repository-level settings. But it fails when it comes to URI conversion:
Failed to convert from type [java.net.URI] to type [kz.toyville.back.catalog.domain.entity.Category] for value '/category/1'; nested exception is org.springframework.security.access.AccessDeniedException: Access is denied"},"message":"Failed to convert /category/1 into kz.toyville.back.catalog.domain.entity.Category!
To Reproduce
@PreAuthorize("hasRole('ADMIN')")
interface CategoryRepository : CrudRepository<Category, Long> {
    @PreAuthorize("permitAll()")
    override fun findAll(): MutableIterable<Category>

    @PreAuthorize("permitAll()")
    override fun findById(id: Long): Optional<Category>
}
Expected behavior
Test List toys for a category (in CatalogWebTest) must not fail.
Sample https://github.com/yerzhant/spring-rest-data-security
Comment From: jzheaux
@yerzhant thanks for reaching out.
The docs you point to are from Spring Data and refer to Spring Data annotations. Also, Spring Security's conversion support is limited to its domain of authentication and authorization; it doesn't extend into repository datatypes.
I'd recommend filing this issue with the Spring Data team or posting a question to StackOverflow for further guidance.
Comment From: yerzhant
@jzheaux OK, thanks for the clarification.