Summary

GlobalMethodSecurityConfiguration provides a way to specify a custom implementation of PreInvocationAuthorizationAdvice with preInvocationAuthorizationAdvice(), and yet doesn't use it in accessDecisionManager().

Actual Behavior

When creating an AccessDecisionManager in accessDecisionManager(), ExpressionBasedPreInvocationAdvice is explicitly created. And as mentioned in SEC-2334, most methods used in accessDecisionManager() are private (like prePostEnabled(), jsr250Enabled() and methods used by those methods) which makes extending this configuration more cumbersome than it should be.

Also, it seems ExpressionBasedPreInvocationAdvice is only necessary when prePostEnabled() is true. Why not create it only when it is, then?

Expected Behavior

If it was intentional to NOT call preInvocationAuthorizationAdvice(), then make accessDecisionManager() more extensible (and please let us know why it should not use preInvocationAuthorizationAdvice()).

Otherwise, either pass it as a parameter to accessDecisionManager() or just call preInvocationAuthorizationAdvice(). For example, and not taking into account the suggestions made in SEC-2334:

    if (prePostEnabled()) {
        decisionVoters.add(new PreInvocationAuthorizationAdviceVoter(
                preInvocationAuthorizationAdvice()));
    }

Version

Spring Security Config 4.0.4.RELEASE

Sample

GlobalMethodSecurityConfiguration

Comment From: eleftherias

In recent Spring Security versions we've added the @EnableMethodSecurity annotation and introduced the AuthorizationManager.

This improves upon @EnableGlobalMethodSecurity and no longer requires extending GlobalMethodSecurityConfiguration to customize beans.

You can see examples of customizing the authorization in the reference documentation.

I'm going to close this issue, since we have an improved way to add the customizations.