Upgrading to Spring Security 6, it seems I can't use my own SecurityExpressionRoot like I previously did.

Describe the bug

I used to extend DefaultMethodSecurityExpressionHandler, overwriting createSecurityExpressionRoot to specify my own SecurityExpressionRoot.

But the method isn't invoked anymore. DefaultMethodSecurityExpressionHandler and its callers migrated to a functional style, and there is a second createSecurityExpressionRoot taking a Supplier as parameter.

The new method is private, so I can't overwrite it anymore.

To Reproduce

My 5.x code used to do exactly what Baeldung told me to do :) : In his sample code, he created a CustomMethodSecurityExpressionHandler kinda like me and overwrote createSecurityExpressionRoot. I can't set up the same kind of configuration with the new version, because the overwritten method isn't invoked anymore.

Expected behavior

I guess the second createSecurityExpressionRoot should be protected as well, so we could still set up our own SecurityExpressionRoot and overwrite the method taking Supplier<Authentication> as a parameter.

The documentation doesn't provide any other way to do the same thing: https://docs.spring.io/spring-security/reference/servlet/authorization/method-security.html There may be a new way to inject our own SecurityExpressionRoot, but I didn't find it... And in that case my issue shouldn't be labelled as a "Bug".

Comment From: jzheaux

Thanks, @mfrechePgest, for reaching out and for updating to Spring Security 6. We introduced some breaking changes in this major release, and this is one of them. Please see https://github.com/spring-projects/spring-security/issues/12331 for details.