SpEL expressions containing argument references (e.g., @PreAuthorize("@spELIssueDemoController.evaluateAccess(#allowAccess)")) throws the below exception in Spring Boot 3.2.0-RC2. This works without any issues in Spring Boot 3.1.5. 

java.lang.IllegalArgumentException: Failed to evaluate expression '@spELIssueDemoController.evaluateAccess(#allowAccess)'
    at org.springframework.security.authorization.method.ReactiveExpressionUtils.lambda$evaluateAsBoolean$0(ReactiveExpressionUtils.java:41)

Here is a sample project that demonstrates this issue. Please refer to the README for more details about this issue and the steps to reproduce this issue.

A workaround for this issue is to add the "-parameters" flag during compilation. However, this isn't required in Spring Boot 3.1.5, which makes me believe it's a bug introduced in Spring Boot 3.2.0-RC2. Please let me know if you need more details.

Comment From: philwebb

This is almost certainly due to https://github.com/spring-projects/spring-framework/issues/29559. Compiling with -parameters is the correct solution.

Comment From: wilkinsona

With Spring Boot 3.1.x (Framework 6.0), you will see a warning being logged like this:

16:01:49.222 [Test worker] WARN org.springframework.core.LocalVariableTableParameterNameDiscoverer -- Using deprecated '-debug' fallback for parameter name resolution. Compile the affected code with '-parameters' instead or avoid its introspection: com.example.spelissuedemo.SPELIssueDemoUnitTest$ReactiveMethodSecuritySPELTestConfiguration$MyService

With Framework 6.1, compilation with -parameters is now required:

LocalVariableTableParameterNameDiscoverer has been removed in 6.1. Compile your Java sources with the common Java 8+ -parameters flag for parameter name retention (instead of relying on the -debug compiler flag) in order to be compatible with StandardReflectionParameterNameDiscoverer. With the Kotlin compiler, we recommend the -java-parameters flag.).

Comment From: ajujacob

Thank you, this is super helpful! I'll add the -parameters flag.

However, -parameters is unchecked by default in STS (4.20.1.RELEASE). Can we enable it by default in STS since it's required by the framework?