Describe the bug

For spring-security 5.8.1 (and also for latest master): I'm unable to properly override DefaultMethodSecurityExpressionHandler.createSecurityExpressionRoot(Authentication authentication, MethodInvocation invocation) because createEvaluationContext(Supplier<Authentication> authentication, MethodInvocation mi) uses the overloaded method: createSecurityExpressionRoot(Supplier<Authentication> authentication, MethodInvocation invocation) which is private.

To Reproduce

public class MyMethodSecurityExpressionHandler extends DefaultMethodSecurityExpressionHandler {

    @Override
    protected MethodSecurityExpressionOperations createSecurityExpressionRoot(
            Authentication authentication, MethodInvocation invocation) {
        return new MyMethodSecurityExpressionRoot(authentication, invocation);
    }
}

And PreAuthorizeAuthorizationManager uses DefaultMethodSecurityExpressionHandler.createEvaluationContext(Supplier<Authentication> authentication, MethodInvocation mi)

    @Override
    public AuthorizationDecision check(Supplier<Authentication> authentication, MethodInvocation mi) {
        ...
        EvaluationContext ctx = this.registry.getExpressionHandler().createEvaluationContext(authentication, mi);

And DefaultMethodSecurityExpressionHandler.createEvaluationContext(Supplier<Authentication> authentication, MethodInvocation mi) delegates to createSecurityExpressionRoot(Supplier<Authentication> authentication, MethodInvocation mi)

    @Override
    public EvaluationContext createEvaluationContext(Supplier<Authentication> authentication, MethodInvocation mi) {
        MethodSecurityExpressionOperations root = createSecurityExpressionRoot(authentication, mi);
        MethodSecurityEvaluationContext ctx = new MethodSecurityEvaluationContext(root, mi,
                getParameterNameDiscoverer());

A workaround would be to override createEvaluationContext to just change the root to the correct one, but the needed class MethodSecurityEvaluationContext is package protected and I can't use it either.

Expected behavior

To extend DefaultMethodSecurityExpressionHandler and just override createSecurityExpressionRoot(Authentication authentication, MethodInvocation invocation), and have any instantiation of the evaluation context using the method createEvaluationContext honor my customization with the overridden method.

Comment From: marcusdacoregio

Thanks, @ratoaq2, for reaching out. We introduced some breaking changes in this major release, and this is one of them. Please see https://github.com/spring-projects/spring-security/issues/12331 for details.
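
The dispatch problem reported in this issue, reduced to plain Java as an added example that is not part of the original thread and is not Spring Security code. `BaseHandler`, `CustomHandler`, `createRoot` and `createContext` are hypothetical stand-ins for the handler, the subclass, `createSecurityExpressionRoot` and `createEvaluationContext`; the private overload is assumed to build the default root itself, as the report describes.

```java
import java.util.function.Supplier;

// Hypothetical model of the call chain from the report; not Spring Security classes.
public class OverloadDispatchDemo {

    // Models the handler: a protected overload (the extension point subclasses
    // override) next to a private Supplier-based overload used by the new path.
    static class BaseHandler {
        protected String createRoot(String authentication) {
            return "default-root";
        }

        private String createRoot(Supplier<String> authentication) {
            // Assumption: builds the default root directly and never calls the
            // protected overload, so subclass overrides are not consulted.
            return "default-root";
        }

        // String-based entry point: virtual dispatch reaches the subclass override.
        public String createContext(String authentication) {
            return createRoot(authentication);
        }

        // Supplier-based entry point: overload resolution binds at compile time
        // to the private method, which a subclass cannot override.
        public String createContext(Supplier<String> authentication) {
            return createRoot(authentication);
        }
    }

    static class CustomHandler extends BaseHandler {
        @Override
        protected String createRoot(String authentication) {
            return "custom-root";
        }
    }

    public static void main(String[] args) {
        BaseHandler handler = new CustomHandler();
        String eager = handler.createContext("alice");
        String deferred = handler.createContext(() -> "alice");
        System.out.println("String path:   " + eager);
        System.out.println("Supplier path: " + deferred);
        // The override is honored on one path only; a customized root that is
        // silently skipped means authorization expressions run against the default.
        if (!"custom-root".equals(eager) || !"default-root".equals(deferred)) {
            throw new AssertionError("unexpected dispatch");
        }
    }
}
```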