Summary

We are using EnableGlobalMethodSecurity with prePostEnabled=true.

Actual Behavior

With Spring Security 4.1.1.RELEASE and below, it works fine. With 4.1.2.RELEASE and higher, PreAuthorize and PostAuthorize annotations aren't taken into account anymore. This is the only change we've made.

Expected Behavior

PreAuthorize and PostAuthorize should work fine in any subsequent fix version.

Configuration

Our pom.xml versions:

<spring.version>4.3.2.RELEASE</spring.version>
<spring.integration.version>4.3.1.RELEASE</spring.integration.version>
<spring.boot.version>1.4.0.RELEASE</spring.boot.version>
<spring.data.commons.version>1.12.2.RELEASE</spring.data.commons.version>
<spring.data.jpa.version>1.10.2.RELEASE</spring.data.jpa.version>
<spring.security.version>4.1.1.RELEASE</spring.security.version>
<spring.security.test.version>4.0.0.M2</spring.security.test.version>

Version

Spring Security 4.1.1.RELEASE works fine. 4.1.2.RELEASE and 4.1.3.RELEASE aren't processing PreAuthorize and PostAuthorize annotations.

Sample

Our web security config: https://gist.github.com/jloisel/b9dd4d563a98971b8ead3834cc35f106

Comment From: rwinch

@jloisel Thanks for the report!

Do you think you can provide a sample of this problem? I am unable to reproduce it with the information you have provided.

Comment From: jloisel

I can set up a GoToMeeting tomorrow to show you the issue and provide more code if required. We have JUnits running a Spring Security test environment which is not affected by the issue, but the configuration is a little different from the production config.

How can I help?

Comment From: jloisel

I have put our application startup log (spring boot 1.4.0.RELEASE) with spring security-4.1.1.RELEASE and spring-security-4.1.2.RELEASE here: https://gist.github.com/jloisel/42e82ac463776581dcd4ad0195aec543

The difference is BeanPostProcessorChecker is not logging info about proxying our beans in 4.1.2 and above.

Comment From: rwinch

@jloisel Likely I'm going to need a project that can reproduce the issue. Without a sample, I cannot run it through a debugger to figure out what is happening.

Comment From: jloisel

I'm going to try to set up a project which reproduces the issue and post it in a public repository.

Comment From: jloisel

After more investigation, it's apparently not an issue with Spring Security. It's my mistake. Our app frontend stores separate sessions for separate browser tabs. I thought it was using the same session in both, and got confused when I could access both logged-in user resources.

I tried to set up a separate project with minimal dependencies. Everything worked fine with any of the versions I mentioned above.

I'm closing this thread because the issue is between the keyboard and chair!