What should I do to be able to use #oauth2 security expressions on method level like in the example below?
    @RequestMapping(value = "email", method = Reques
To enable #oAuth2 security expressions, you only need to set the default expression handler to OAuth2MethodSecurityExpressionHandler instead of DefaultMethodSecurityExpressionHandler. Because OAuth2MethodSecurityExpressionHandler extends it anyway, the whole previous functionality remains the same. In my configuration I use both GlobalMethodSecurityConfiguration and WebSecurityConfigurerAdapter.
    @Configuration
    @EnableGlobalMethodSecurity
    public class MethodSecurityConfiguration extends GlobalMethodSecurityConfiguration {
        @Override
        protected MethodSecurityExpressionHandler createExpressionHandler() {
            return new OAuth2MethodSecurityExpressionHandler();
        }
    }

    @Configuration
    @EnableWebSecurity
    public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
        ...
    }

    @Configuration
    @Import({ SecurityConfiguration.class, MethodSecurityConfiguration.class })
    public class AppConfiguration {
        ...
    }
I think you also need to add: @EnableGlobalMethodSecurity(prePostEnabled = true) in order to get it to work.
Answered on a different page
For me, it was the combination of this answer

    // spring configuration class annotation
    @EnableGlobalMethodSecurity(prePostEnabled = true)

and this other answer

    // gradle dependency
    compile('org.springframework.security.oauth.boot:spring-security-oauth2-autoconfigure:2.0.4.RELEASE')
A simpler solution would be to let Spring Boot autoconfigure. Adding the following dependency solved this for me:
compile('org.springframework.security.oauth.boot:spring-security-oauth2-autoconfigure:2.0.4.RELEASE')
I had the same problem, but only in a unit test (@WebMvcTest). I had to add @EnableGlobalMethodSecurity on the inner class that defined the configuration for the test:

    @RunWith(SpringRunner.class)
    @WebMvcTest(MyController.class)
    public class MyControllerTest {

        @TestConfiguration
        @Import({JacksonCustomizations.class, SecuritySettings.class,
                OAuth2ServerConfiguration.class, WebSecurityConfiguration.class,
                TokenGrantersConfiguration.class})
        @EnableGlobalMethodSecurity
        public static class TestConfig {
        }
    }
UPDATE: In Spring Boot 2.x, you might get:

    java.lang.IllegalStateException: In the composition of all global method configuration, no annotation support was actually activated

The reason is that you added @EnableGlobalMethodSecurity without actually enabling anything. To fix it, set at least one of the properties of the annotation to true. E.g.:

    @EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true)
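
The pieces from the answers above combined into one configuration, with a controller that uses the #oauth2 expressions; this is an added example, not code from any of the posts. It assumes the legacy spring-security-oauth2 library is on the classpath; the class names, scope names and the GET mappings are hypothetical.

```java
import java.security.Principal;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.expression.method.MethodSecurityExpressionHandler;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.method.configuration.GlobalMethodSecurityConfiguration;
import org.springframework.security.oauth2.provider.expression.OAuth2MethodSecurityExpressionHandler;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RestController;

// prePostEnabled = true activates @PreAuthorize/@PostAuthorize processing.
// With no attribute enabled, the expressions below are not enforced
// (or, as the update above notes, startup fails on Spring Boot 2.x).
@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class OAuth2MethodSecurityConfig extends GlobalMethodSecurityConfiguration {

    // Swaps in the OAuth2-aware handler, which makes the #oauth2 variable
    // available to method-level expressions in addition to the defaults.
    @Override
    protected MethodSecurityExpressionHandler createExpressionHandler() {
        return new OAuth2MethodSecurityExpressionHandler();
    }
}

// Hypothetical controller; the scope names are assumptions for illustration.
@RestController
class ProfileController {

    // The access token must have been granted the "email" scope.
    @PreAuthorize("#oauth2.hasScope('email')")
    @RequestMapping(value = "email", method = RequestMethod.GET)
    public String email(Principal principal) {
        return principal.getName();
    }

    // A scope check combined with a standard authority check: both must hold,
    // so a token with the right scope but the wrong user authority is denied.
    @PreAuthorize("#oauth2.hasScope('profile') and hasAuthority('ROLE_USER')")
    @RequestMapping(value = "profile", method = RequestMethod.GET)
    public String profile(Principal principal) {
        return principal.getName();
    }
}
```

A quick check that the setup is actually enforcing access is to call the endpoint with a token that lacks the scope and confirm the request is rejected rather than served.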