Describe the bug

Hello, unfortunately @PreAuthorize does not work for me after upgrading to Spring 6.0.11 with spring-security 6.1.2 (it used to work fine with Spring 5.3.8).

https://github.com/spring-projects/spring-security/blob/779d4725a7b48eea275bdb75284947e5f0284dc6/core/src/main/java/org/springframework/security/authorization/method/AuthorizationManagerBeforeMethodInterceptor.java#L58-L59

I don't understand why the security context holder strategy is resolved only once at startup time (created from: `static MethodInterceptor preAuthorizeAuthorizationMethodInterceptor`).

Because of that, the SecurityContextHolder used to resolve the authentication is always the one resolved from the bean initialization process... So it is always empty.

To Reproduce

Use a @PreAuthorize annotation on a method in a Spring Boot application (Spring Boot 3).

Expected behavior

The authentication should be resolved at runtime. And if the authentication exists, it should be resolved.

What I would do

I would remove the parameter from `AuthorizationManagerBeforeMethodInterceptor.getAuthentication` and instead call `SecurityContextHolder.getContextHolderStrategy()` in the `Supplier` lambda.
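The following is an added illustration of the mechanism described in this report, not code from the issue or from Spring Security itself. It contrasts a supplier that captures the `SecurityContextHolderStrategy` once (as the report says the interceptor does) with one that looks it up on every call (the change proposed above); the class and method names are made up for the demo, and it assumes only `spring-security-core` on the classpath.

```java
import java.util.function.Supplier;

import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.context.SecurityContextHolderStrategy;

public class StrategyCaptureDemo {

    // Models the reported behaviour: the strategy is looked up once, when the
    // supplier is built (bean initialization time), and reused for every call.
    static Supplier<Authentication> eagerStrategy() {
        SecurityContextHolderStrategy strategy = SecurityContextHolder.getContextHolderStrategy();
        return () -> strategy.getContext().getAuthentication();
    }

    // The proposed change: look the strategy up at invocation time, so a
    // strategy swapped in after startup is honoured.
    static Supplier<Authentication> lazyStrategy() {
        return () -> SecurityContextHolder.getContextHolderStrategy()
                .getContext().getAuthentication();
    }

    public static void main(String[] args) {
        Supplier<Authentication> eager = eagerStrategy();
        Supplier<Authentication> lazy = lazyStrategy();

        // After "startup", something switches the holder mode. Each strategy
        // instance owns its own (Inheritable)ThreadLocal, so the old instance
        // captured by `eager` no longer sees contexts stored via the new one.
        SecurityContextHolder.setStrategyName(SecurityContextHolder.MODE_INHERITABLETHREADLOCAL);

        // Constructed sample authentication for the demo.
        Authentication user = UsernamePasswordAuthenticationToken.authenticated(
                "alice", "n/a", AuthorityUtils.createAuthorityList("ROLE_USER"));
        SecurityContextHolder.getContext().setAuthentication(user);

        // The eagerly captured strategy reads an empty context (null), which is
        // why authorization checks then fail closed for an authenticated user;
        // the lazy supplier returns the current authentication.
        System.out.println("eager: " + eager.get());
        System.out.println("lazy:  " + lazy.get());
    }
}
```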

Comment From: libetl

This is probably linked to https://github.com/spring-projects/spring-security/issues/12877

Comment From: rishiraj88

Waiting...

Comment From: rishiraj88

Thanks, @libetl

Comment From: libetl

I think I'll just override the Security Context Holder mode to be only Thread Local.

Comment From: jzheaux

This is fixed by #12877