spring @PreAuthorize not working with @EnableGlobalMethodSecurity(prePostEnabled = true)

Question

Here is my code:

@Configuration
@ComponentScan(basePackages = \"com.webapp\")
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public cl         


        

Answer 1

Normally, Spring Security becomes available in the root application context and Spring MVC beans are initialized in a child context. Hence org.springframework.security.config.annotation.configuration.AutowireBeanFactoryObjectPostProcessor can't detect your controller beans because they live in a child context that is unknown to the root context.

@EnableGlobalMethodSecurity or <global-method-security> has to be placed inside the same configuration class or xml file where your Spring MVC configration lives in order to enable @PreAuthorize and @PostAuthorize.