Expected Behavior
If I create my own factory method, instantiating PreInvocationAuthorizationAdvice, which will be used in the GlobalMethodSecurityConfiguration.accessDecisionManager(), or at least if I override the preInvocationAuthorizationAdvice(), the result to be used when constructing the access decision manager.
Current Behavior
Currently, the accessDecisionManager() constructs its own instance of PreInvocationAuthorizationAdvice(ExpressionBasedPreInvocationAdvice), which is not even taken from its factory method PreInvocationAuthorizationAdvice preInvocationAuthorizationAdvice() In fact, I currently don't see the point of this factory method.
Context
In this way, I could inject my custom implementation of PreInvocationAuthorizationAdvice. Now if I want to extend the behavior accessDecisionManager(), I have to copy/paste the original code and customize, while in my case, it's sufficient if I extend the ExpressionBasedPreInvocationAdvice class and use it in a factory method.
Comment From: eleftherias
@gkgeorgiev As a workaround, could you override GlobalMethodSecurityConfiguration.createExpressionHandler()?
This would allow you to customize the MethodSecurityExpressionHandler used in the ExpressionBasedPreInvocationAdvice.
Or is there a different customization you need to add to the ExpressionBasedPreInvocationAdvice?
Comment From: gkgeorgiev
@eleftherias, Thank you for your reply. Actually my goal was to influence the behavior of the AccessDecisionManager, which by default has a Voter based on the ExpressionBasedPreInvocationAdvice, but I found my work-around. I'm aware it's a specific case, but IMHO the code would make more sense in with the improvement request I've posted. Thx again!