Describe the bug I perforrmed the method security migration, to replace deprecated EnableGlobalMethodSecurity annotations with the new EnableMethodSecurity annotations, and I've got an exception when using CGLIB and the PreAuthorize annotation.

To Reproduce 1. Clone the sample repository 2. Run the application 3. Navigate to the http://localhost:8080/hello 4. Provide credentials: username: user, password: pass 5. Notice the exception:

org.springframework.core.annotation.AnnotationConfigurationException: Found more than one annotation of type interface org.springframework.security.access.prepost.PreAuthorize attributed to public org.springframework.http.ResponseEntity com.example.preauth.SayHelloController.sayHello() Please remove the duplicate annotations and publish a bean to handle your authorization logic.
    at org.springframework.security.authorization.method.AuthorizationAnnotationUtils.findUniqueAnnotation(AuthorizationAnnotationUtils.java:65) ~[spring-security-core-6.1.2.jar:6.1.2]
    at org.springframework.security.authorization.method.PreAuthorizeExpressionAttributeRegistry.findPreAuthorizeAnnotation(PreAuthorizeExpressionAttributeRegistry.java:71) ~[spring-security-core-6.1.2.jar:6.1.2]

Expected behavior 1. Clone the sample repository 2. Comment line 15 in the SecurityConfiguration class 3. Uncomment line 17 in the SecurityConfiguration class 4. Run the application 5. Navigate to the http://localhost:8080/hello 6. Provide credentials: username: user, password: pass 7. Application produces hello response

Sample

sample repository

Comment From: patrick-sager

I am facing the same issue and was preparing to report it when I found this. My use case is slightly different, I am using Spring Data JPA's pattern for customizing repositories (https://docs.spring.io/spring-data/jpa/docs/current/reference/html/#repositories.custom-implementations) and attempting to add PreAuthorize on the interface for the custom repository. I have created my own sample repo here: https://github.com/patrick-sager/method-security-issue.

As @rawfg pointed out, it works with the now deprecated EnableGlobalMethodSecurity annotation.