Summary

By using the latest Spring Security, and Spring Boot releases, a non PreAuthorize() controller gets Access Denied (as expected), although some controllers, which come with PreAuthorize() annotation, do get that Access Denied error too.

Actual Behavior

The issue I've described here:

  • https://stackoverflow.com/questions/75698804/how-to-deny-access-to-controllers-which-have-no-preauthorize-annotation

What I observe so far is that if I stick to this configuration:

    .authorizeHttpRequests(auth -> auth.shouldFilterAllDispatcherTypes(false)
        .requestMatchers("/", "/login*").permitAll()
        .anyRequest().denyAll()).formLogin()

  1. I can log into the Web application
  2. On accessing a controller which has no PreAuthorize() annotation, I get Access Denied error
  3. On accessing a controller which does have a PreAuthorize() annotation, I get into the controller, and it displays data on view
  4. Although, on some controllers, which do have the PreAuthorize() annotation, I still cannot enter that controller, i.e., I get Access Denied error
  5. A user which accesses that PreAuthorize() annotated controller, has the right permissions to access it

Expected Behavior

I'm expecting that:

  1. On accessing a controller which has no PreAuthorize() annotation, I get Access Denied error
  2. On accessing a controller which does have a PreAuthorize() annotation, I get into the controller, and it displays data on view

Configuration

The configuration I've provided under that link above.

Version

The present version related information is this:

  • Java 17
  • Spring Boot 3.0.4
  • Spring Security 6.0.2
  • Jetty 11 server

Sample

Comment From: marcusdacoregio

Hi @mvezelis, thanks for reaching out.

I cannot clearly see a problem in Spring Security from what you have provided. I assume that, since you have a StackOverflow question, you created an issue based on a problematic behavior of Spring Security. However, if this is just a question I would recommend refraining from opening an issue. Can you clarify that for me?

That said, it would be great if you could provide a minimal, reproducible sample so we can go straight to the core of the problem and that helps us understand better what is happening.

Comment From: mvezelis

Hi, @marcusdacoregio. Yes, I observed a problematic behaviour, and I have a suspicion that something is not right with it. I've seen on stackoverflow.com, with the latest Spring Boot/Security version, that some other people are failing to make the feature work, and are having the same issues that I do.

Can you deduce anything wrong with my current set-up, so that, to eliminate my concerns?

Unfortunately, I cannot provide a working sample of it, exhibiting the issue, because I am overloaded by work.

Best regards

Comment From: marcusdacoregio

> Can you deduce anything wrong with my current set-up, so that, to eliminate my concerns?

It's hard to tell if there is something wrong without knowing too much of the context. I think the best thing to do is to add logging.level.org.springframework.security=TRACE to your application.properties and analyze the information that is printed on the console.

Comment From: spring-projects-issues

If you would like us to look at this issue, please provide the requested information. If the information is not provided within the next 7 days this issue will be closed.

Comment From: spring-projects-issues

Closing due to lack of requested feedback. If you would like us to look at this issue, please provide the requested information and we will re-open the issue.
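
The goal stated in the issue is that every controller without a PreAuthorize() annotation is denied. One way to see which handlers fall into that group is a startup audit of the registered MVC mappings. This is an added example, not code from this thread or from the Spring Security project. The class name PreAuthorizeAudit is hypothetical, and the code assumes a Spring Boot 3 / Spring MVC application like the one described.

```java
import java.util.List;
import java.util.Map;

import org.springframework.boot.context.event.ApplicationReadyEvent;
import org.springframework.context.event.EventListener;
import org.springframework.core.annotation.AnnotatedElementUtils;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.stereotype.Component;
import org.springframework.web.method.HandlerMethod;
import org.springframework.web.servlet.mvc.method.RequestMappingInfo;
import org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping;

// Hypothetical class: added example, not part of the issue or of Spring Security.
@Component
public class PreAuthorizeAudit {

    // A list is injected because an application can register more than one mapping bean.
    private final List<RequestMappingHandlerMapping> mappings;

    public PreAuthorizeAudit(List<RequestMappingHandlerMapping> mappings) {
        this.mappings = mappings;
    }

    // True when @PreAuthorize (directly or as a meta-annotation) is present
    // on the handler method or on its controller class.
    static boolean isGuarded(HandlerMethod handler) {
        return AnnotatedElementUtils.hasAnnotation(handler.getMethod(), PreAuthorize.class)
            || AnnotatedElementUtils.hasAnnotation(handler.getBeanType(), PreAuthorize.class);
    }

    // Runs once the application is ready and reports every mapped handler
    // that carries no @PreAuthorize at method or class level.
    @EventListener(ApplicationReadyEvent.class)
    public void report() {
        for (RequestMappingHandlerMapping mapping : mappings) {
            for (Map.Entry<RequestMappingInfo, HandlerMethod> entry
                    : mapping.getHandlerMethods().entrySet()) {
                if (!isGuarded(entry.getValue())) {
                    System.err.println("No @PreAuthorize: "
                        + entry.getKey() + " -> " + entry.getValue());
                }
            }
        }
    }
}
```

Handlers behind the permitAll() matchers ("/" and "/login*") and Spring Boot's own error handler will also be listed, so the output needs to be read against the set of paths that are meant to be public.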