Describe the bug
We just updated Spring Security to version 6 in our project, and replaced the @EnableGlobalMethodSecurity with @EnableMethodSecurity, both with adviceMode ASPECTJ. Furthermore, we have a @PostFilter on some getters in our entities, so we also use the aspectj maven plugin. Previously, this worked perfectly, but since the upgrade, the permission checks on methods in components are executed twice instead of once.

To Reproduce
See attached project.

Expected behavior
Permission checks are executed once.

Sample
test.zip
Comment From: jzheaux
Thanks for the report, @rolevinks.
It appears this is due to the fact that the AOP Advisor bean is registered even when ASPECTJ mode is activated.
You can address this in your application for the moment by changing the annotation to:
    @EnableMethodSecurity(prePostEnabled = false, mode = ASPECTJ)
And then publishing the following bean:
    // Declared as a MethodInterceptor rather than an Advisor
    @Bean
    fun preAuthorizeAuthorizationMethodInterceptor(expressionHandler: MethodSecurityExpressionHandler): MethodInterceptor {
        val authorizationManager = PreAuthorizeAuthorizationManager()
        authorizationManager.setExpressionHandler(expressionHandler)
        return AuthorizationManagerBeforeMethodInterceptor.preAuthorize(authorizationManager)
    }
The reason this works is because it is publishing the same bean as a MethodInterceptor instead of an Advisor, meaning that Spring doesn't try picking it up as an AOP Advisor as well.
To fix this passively in Spring Security may take a bit of research; however, I believe one way to address it is to publish a different configuration class when the advice mode is ASPECTJ. In that case, the components can be registered as MethodInterceptors instead.
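A regression test for the double evaluation reported in this thread, as an added example that is not part of the original comments or of Spring Security's own code. The `example` package, `CheckCounter`, `ReportService`, `ProbeConfig` and `MethodSecurityConfig` (the application's configuration class carrying `@EnableMethodSecurity` and, if used, the bean above) are assumptions, as is AspectJ weaving being applied to the test classes.

```kotlin
package example // hypothetical package, referenced by the SpEL type expression below

import java.util.concurrent.atomic.AtomicInteger
import org.junit.jupiter.api.Assertions.assertEquals
import org.junit.jupiter.api.Test
import org.springframework.beans.factory.annotation.Autowired
import org.springframework.context.annotation.Bean
import org.springframework.context.annotation.Configuration
import org.springframework.security.access.prepost.PreAuthorize
import org.springframework.security.test.context.support.WithMockUser
import org.springframework.test.context.junit.jupiter.SpringJUnitConfig

// Hypothetical probe: every evaluation of the @PreAuthorize expression bumps the counter.
object CheckCounter {
    val calls = AtomicInteger()

    @JvmStatic
    fun allow(): Boolean {
        calls.incrementAndGet()
        return true
    }
}

// Hypothetical secured component; open so a Spring AOP proxy can still wrap it.
open class ReportService {
    @PreAuthorize("T(example.CheckCounter).allow()")
    open fun load(): String = "report"
}

@Configuration(proxyBeanMethods = false)
class ProbeConfig {
    @Bean
    fun reportService() = ReportService()
}

// MethodSecurityConfig is assumed: the application's own class with @EnableMethodSecurity.
@SpringJUnitConfig(classes = [ProbeConfig::class, MethodSecurityConfig::class])
class PermissionCheckCountTest {
    @Autowired
    lateinit var reportService: ReportService

    @Test
    @WithMockUser
    fun `permission check runs exactly once per call`() {
        CheckCounter.calls.set(0)
        reportService.load()
        // 2 means both the AspectJ advice and the Spring AOP advisor ran the check.
        assertEquals(1, CheckCounter.calls.get())
    }
}
```

A count of 0 means neither the woven aspect nor a proxy intercepted the call, so the method is unprotected in that test setup.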
Comment From: rolevinks
Hi Josh,
Thanks for the quick reply, the workaround will do for now.
Comment From: marcusdacoregio
Just a heads up that this has been reopened for 6.0.x and 6.1.x