2.7.6 -> 3.0.1 @EnableMethodSecurity Not Registered For @SpringBootTest with @AutoConfigureMockMvc #33645

Closed
adase11 opened this issue Dec 28, 2022 · 2 comments
Labels
for: external-project For an external project and not something we can fix

adase11 commented Dec 28, 2022

I'm migrating from v2.7.6 -> 3.0.1 and I had previously upgraded Spring Security to v5.8 in preparation for the full 3.x upgrade (as suggested in the Spring Boot 3.0 Migration Guide). For v5.8 I had opted into the v6 defaults as outlined in the 5.8 guide and transitioned from using @EnableGlobalMethodSecurity to @EnableMethodSecurity.

I have tests that use the following setup:

```java
@SpringBootTest(webEnvironment = SpringBootTest.WebEnvironment.RANDOM_PORT, classes = {MyApplication.class, CustomMockMvcConfiguration.class})
@AutoConfigureMockMvc
```

My tests use a custom implementation of @WithSecurityContext to set up the security context.

I use @PreAuthorize for method security in my application and enable @PreAuthorize annotations with @EnableMethodSecurity. My class annotated with @EnableMethodSecurity looked like this:

```java
@EnableMethodSecurity
public class MethodSecurityConfig {

}
```

After upgrading to Spring Boot v3.0.1 I found that my tests started to fail when the test expected a forbidden response. The request should have been failing a @PreAuthorize condition but was not.

After some investigation I was able to determine that my @PreAuthorize logic was no longer being executed for the failing tests. This looks to be because @EnableMethodSecurity dropped the meta-annotation @Configuration between version 5.8 & 6.x. I am OK with fixing this by also annotating my MethodSecurityConfig class with @Configuration; however, I think that it could be useful for WebMvcTypeExcludeFilter to include org.springframework.security.config.annotation classes or at least mention this change in the migration guide.

@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Dec 28, 2022
@wilkinsona
Member

> I think that it could be useful for WebMvcTypeExcludeFilter to include org.springframework.security.config.annotation classes

I don't think that this would help. The filter only applies to beans that are found via component scanning. Without @Configuration on @EnableMethodSecurity, it won't be annotated with @Component so it won't be found by scanning irrespective of what the filter does.

> or at least mention this change in the migration guide

I think it would be worth mentioning this change in Spring Security 6.0's migration guide. Can you please open a Spring Security issue?

@wilkinsona wilkinsona closed this as not planned Won't fix, can't repro, duplicate, stale Jan 3, 2023
@wilkinsona wilkinsona added for: external-project For an external project and not something we can fix and removed status: waiting-for-triage An issue we've not yet triaged labels Jan 3, 2023
@adase11
Author

adase11 commented Jan 5, 2023

Thanks @wilkinsona - I'll open something with Spring Security. Appreciate you taking a look
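
The failure described in this thread is silent: without `@Configuration`, the class is never registered and `@PreAuthorize` is simply not evaluated. The following is an added example, not code from the issue or from the Spring projects, showing the corrected configuration together with a regression test that fails if method security is not active. It assumes Spring Boot 3 with `spring-boot-starter-security`, `spring-security-test` and JUnit 5 on the classpath; `DemoApplication`, `ReportService` and `MethodSecurityGuardTest` are hypothetical names.

```java
// Added example: every name except MethodSecurityConfig is hypothetical.
package com.example.demo;

import static org.junit.jupiter.api.Assertions.*;

import org.junit.jupiter.api.Test;
import org.springframework.aop.support.AopUtils;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.test.context.support.WithMockUser;
import org.springframework.stereotype.Service;

@SpringBootApplication
class DemoApplication {}

// In Spring Security 6, @EnableMethodSecurity alone is not a component-scan
// candidate; @Configuration makes the scan register this class.
@Configuration
@EnableMethodSecurity
class MethodSecurityConfig {}

@Service
class ReportService {
    @PreAuthorize("hasRole('ADMIN')")
    public String adminReport() { return "constructed sample data"; }
}

// Relies on component scanning from DemoApplication, as the tests in the issue do.
@SpringBootTest(classes = DemoApplication.class)
class MethodSecurityGuardTest {
    @Autowired ReportService reports;

    @Test // fails if no method-security advisor wrapped the bean
    void guardedBeanIsProxied() {
        assertTrue(AopUtils.isAopProxy(reports));
    }

    @Test
    @WithMockUser(roles = "USER") // authenticated, but lacks ROLE_ADMIN
    void preAuthorizeDeniesWrongRole() {
        assertThrows(AccessDeniedException.class, reports::adminReport);
    }
}
```

Removing `@Configuration` from `MethodSecurityConfig` makes both tests fail, which turns the silent loss of authorization checks into a build failure.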
