Spring Security Method security aspects not woven in spring-security-config tests

Summary

When running the test suite for spring-security-config, tests that exercise AspectJ are not seeing relevant advice woven in at runtime.

This behavior is confirmed for NamespaceGlobalMethodSecurityTests, which has two AspectJ tests that, to date, only confirm that the application context was correctly wired. Repairing this issue would allow these two tests to be enhanced to verify method security behavior when configured to use AspectJ.

For reference, the repo has samples whose test suite exercises AspectJ correctly. The Gradle build file is materially different between spring-security-samples-javaconfig-aspectj and spring-security-config:

Gradle Configuration for spring-security-config

(AspectJ advice not woven in tests)

dependencies {
        optional 'org.aspectj:aspectjweaver'
}

Gradle Configuration for spring-security-samples-javaconfig-aspectj

(AspectJ advice woven in tests)

apply plugin: 'aspectj'

dependencies {
    aspectpath project(':spring-security-aspects')

    runtime project(':spring-security-aspects')
}

As an initial sanity check, I copied the classes from spring-security-samples-javaconfig-aspectj into spring-security-config and ran them there. When they were launched from within spring-security-config, they failed to wire the appropriate advice as well.

Actual Behavior

When using @EnableGlobalMethodSecurity(mode = AdviceMode.ASPECTJ, prePostEnabled = true), for example, the following method is allowed:

public class MethodSecurityService {
    @PreAuthorize("denyAll")
    public String denyAll() {
        return "you shall not pass";
    }
}

Expected Behavior

Invoking the above-mentioned denyAll method would throw an AccessDeniedException, as indicated by the AspectJ advice. And generally, all Spring Security-supported pointcuts would also work.

Configuration

Edit a test that uses AspectJ, specifically to invoke a method on a @PreAuthorize-annotated bean that would precipitate a denial from the AspectJ advice. Then, run the test.

Version

Spring Security 5.1.0.M1

Sample

See https://github.com/spring-projects/spring-security/tree/master/config for a misconfigured project See https://github.com/spring-projects/spring-security/tree/master/samples/javaconfig/aspectj for a working project