Describe the bug
On a controller method annotated with multiple instances of @PreAuthorize, only the first annotation is registered by PrePostAnnotationSecurityMetadataSource and therefore included in the collection of ConfigAttribute for that method. This causes any other @PreAuthorize annotations to not take effect.
To Reproduce
In my particular case I have custom annotations that themselves are annotated with @PreAuthorize. Each of these intercept a path parameter pointing to a particular method in my SecurityExpressionRoot. I chose to use 2 of these on one controller method and observed that one was not actually being invoked.
Expected behavior
This restriction could at least be documented. I could see a case an enhancement to consider all @PreAuthorize annotations on a particular method. I could also see the argument that all pre authorization actions should be able to be preformed by just 1 annotation.
Sample
Apologies, no sample, but the getAttributes method of PrePostAnnotationSecurityMetadataSource is where the registering of the list of ConfigAttribute happens.
Comment From: adase11
Thinking about it more, this it mostly related to my own implementation of my custom annotations. @PreAuthorize is not annotated with @Repeatable. I'll close this