Spring Security @PreAuthorize (on a method of @RestController implementing an interface) removes it from HandlerMapping and I got 404

Describe the bug In my project, I have a @RestController implementing an interface. That interface has the definition of methods and the annotations like @GetMapping, etc. In the class I have the annotation @RestController. Up to now, all is good, the problem comes when I annotate a method in the class with @PreAuthorize, in that moment, the mapping in "HandlerMapping" at DispatcherServlet disappear and I cannot invoke to my Rest endpoint, I get 404 instead of 401 or 403.

In the attached example, I have two methods, one in the interface (its a default method) and another one in the class, but we can reproduce the issue in that way or, for example, defining the methods' prototypes (with @GetMapping annotations) in the interface and implementing the methods in the class.

To Reproduce To reproduce it, we can start the project that I attach and try to invoke to /api/hello/world. It you remove the @PreAuthorize annotation, you will be success, but if no, you will get 404.

Expected behavior I suppose that the fact that have an @PreAuthorize annotation in a method shouldn't affect to handlerMapping.

Sample

This is the project to reproduce it https://github.com/admoca60/springbugpreauthorizecontrollerinterface

My suspect is that the proxy for classes with annotated method wrap the class as a proxy instead of @RestController and the spring parser to include the controller in HandlerMapping doesn't work propertly.

NOTE: if you don't define any method in the interface (all code is in the class, the issue is not reproducible). Thank you so much

Comment From: jzheaux

Thanks for the report, @admoca60.

This has less to do with Spring Security than it does with Spring AOP, which Method Security uses. When using AOP proxies on controllers that implement interfaces, the Spring Framework reference guide indicates that class-based proxies should be used.

You can change your Spring Security configuration to use class-based proxies like so:

@EnableGlobalMethodSecurity(prePostEnabled = true, proxyTargetClass = true)

This will result in a proxy where RequestMappingHandlerMapping can still find the annotations.

Note that there is a related Spring Framework Issue that may be of interest.