Describe the bug
https://stackoverflow.com/questions/25380661/spring-security-and-super-class
The PreAuthorize annotation currently does not properly protect the methods defined in the super class.
To Reproduce
    import org.springframework.context.annotation.Configuration
    import org.springframework.security.access.prepost.PreAuthorize
    import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity
    import org.springframework.web.bind.annotation.GetMapping
    import org.springframework.web.bind.annotation.RequestMapping
    import org.springframework.web.bind.annotation.RestController

    // Super class: findSuper() is declared here, not in the annotated subclass
    abstract class AbstractMyController {
        @GetMapping("/find-super")
        open fun findSuper(): String {
            return "super"
        }
    }

    // Class-level @PreAuthorize on the subclass; only findTop() is declared here
    @PreAuthorize("hasAnyAuthority('ADMIN')")
    @RestController
    @RequestMapping("/my-controller")
    open class MyController : AbstractMyController() {
        @GetMapping("/find-top")
        open fun findTop(): String {
            return "top"
        }
    }

    @Configuration
    @EnableWebSecurity
    @EnableGlobalMethodSecurity(prePostEnabled = true, proxyTargetClass = true)
    open class WebSecurityConfiguration {
    }
Currently only the method findTop() is protected with the role ADMIN; findSuper() is unprotected.
Expected behavior
When the PreAuthorize annotation is present on the sub class, I expect it to be propagated to all methods of the super class, which means that both methods in the example above need to be protected with the role ADMIN.
See org/springframework/security/access/prepost/PrePostAnnotationSecurityMetadataSource
Comment From: sjohnr
Thanks for reaching out, @littlejoe3!
Reviewing PrePostAnnotationSecurityMetadataSource, it appears that this behavior is intentional and has been in the framework for quite a long time. The reason for this is that these annotations are intended to perform method-level security.
The annotation is allowed at the class level of the declaring class of a method, but by design does not apply to methods declared in other classes. If, for example, you add the annotation only to the abstract class, then all methods of that class will require authorization instead of methods on the subclass.
I don't believe we would want to make a change to this behavior, as it would be very surprising for quite a number of users and we don't want to introduce significant breaking changes. There may be other possible solutions, but I believe you can always override a method to cause it to inherit the class-level annotation since it would now be declared in the class with the annotation.
With that in mind, I'm going to close this issue. If you feel there's anything I've missed, feel free to add additional comments and we can re-open if necessary.
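The following is an added example, not code from the issue or from Spring Security itself. It asks PrePostAnnotationSecurityMetadataSource directly (no Spring context, no web layer; the request-mapping annotations are omitted because they do not affect the lookup) which methods carry security attributes, and shows the override workaround described above. It assumes spring-security-core 5.x on the classpath; FixedMyController and isProtected are names chosen for this example.

```kotlin
import org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler
import org.springframework.security.access.expression.method.ExpressionBasedAnnotationAttributeFactory
import org.springframework.security.access.prepost.PreAuthorize
import org.springframework.security.access.prepost.PrePostAnnotationSecurityMetadataSource

abstract class AbstractMyController {
    open fun findSuper(): String = "super"
}

// Same shape as the reported controller: the class-level annotation is looked up on the
// declaring class of each method, so findSuper() (declared in the parent) gets no attributes.
@PreAuthorize("hasAnyAuthority('ADMIN')")
open class MyController : AbstractMyController() {
    open fun findTop(): String = "top"
}

// Workaround from the maintainer's reply (hypothetical class name): overriding findSuper()
// re-declares it in the annotated class, so the class-level @PreAuthorize now covers it too.
@PreAuthorize("hasAnyAuthority('ADMIN')")
open class FixedMyController : AbstractMyController() {
    override fun findSuper(): String = super.findSuper()
    open fun findTop(): String = "top"
}

// The same metadata source the method-security interceptor consults at runtime.
private val metadataSource = PrePostAnnotationSecurityMetadataSource(
    ExpressionBasedAnnotationAttributeFactory(DefaultMethodSecurityExpressionHandler())
)

// True when at least one ConfigAttribute is resolved for the method on the given target
// class, i.e. when a pre-authorization check would actually be enforced for it.
fun isProtected(target: Class<*>, methodName: String): Boolean {
    val method = target.getMethod(methodName)
    return metadataSource.getAttributes(method, target).isNotEmpty()
}

fun main() {
    println("MyController.findTop: " + isProtected(MyController::class.java, "findTop"))          // true
    println("MyController.findSuper: " + isProtected(MyController::class.java, "findSuper"))      // false (the reported gap)
    println("FixedMyController.findSuper: " + isProtected(FixedMyController::class.java, "findSuper")) // true
}
```

A check of this kind, run over every public method of each annotated controller, is a cheap way to catch inherited handler methods that silently fall outside a class-level @PreAuthorize.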
Comment From: sjohnr
Related gh-4546