@PreAuthorize: authentication is resolved to null from the security context holder #13641
Labels
in: core
status: duplicate
type: bug
Describe the bug
Hello,
Unfortunately, @PreAuthorize does not work for me after upgrading to spring 6.0.11 with spring-security 6.1.2. (It used to work fine with spring 5.3.8.)
spring-security/core/src/main/java/org/springframework/security/authorization/method/AuthorizationManagerBeforeMethodInterceptor.java
Lines 58 to 59 in 779d472
I don't understand why the security context holder is resolved only once at startup time
(created from: static MethodInterceptor preAuthorizeAuthorizationMethodInterceptor).
Because of that, the SecurityContextHolder used to resolve the authentication is always the one resolved from the Bean Initialization process... So it is always empty.
To Reproduce
Use a @PreAuthorize annotation on a method in a spring boot application (spring boot 3)
Expected behavior
The authentication should be resolved at runtime. And if the authentication exists, it should be resolved.
What I would do
I would remove the parameter from AuthorizationManagerBeforeMethodInterceptor.getAuthentication and instead call SecurityContextHolder.getContextHolderStrategy() in the Supplier lambda.
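The two lookup styles the report contrasts, a SecurityContextHolderStrategy captured once versus one fetched inside the Supplier on every call, can be compared side by side in this added example (it is not Spring Security's code and not part of the original report). It assumes spring-security-core 6.x on the classpath; the class name, the helper methods and the user names are made up for the illustration, and the strategy is swapped by hand to create the situation where the two styles diverge.

```java
import java.util.function.Supplier;

import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.context.SecurityContextHolderStrategy;

public class StrategyResolutionDemo {

    // Hypothetical helper: store a constructed test user in the current context.
    static void login(String user) {
        SecurityContext ctx = SecurityContextHolder.createEmptyContext();
        ctx.setAuthentication(new TestingAuthenticationToken(user, "n/a", "ROLE_USER"));
        SecurityContextHolder.setContext(ctx);
    }

    static void check(boolean ok, String what) {
        if (!ok) throw new IllegalStateException("unexpected: " + what);
        System.out.println("ok: " + what);
    }

    public static void main(String[] args) {
        // Style 1: the strategy object is captured once (for example while beans are built).
        SecurityContextHolderStrategy captured = SecurityContextHolder.getContextHolderStrategy();
        Supplier<Authentication> eager = () -> captured.getContext().getAuthentication();

        // Style 2: the strategy is looked up each time the Supplier runs.
        Supplier<Authentication> lazy =
                () -> SecurityContextHolder.getContextHolderStrategy().getContext().getAuthentication();

        // Same strategy throughout: the context itself is still read at call time,
        // so a login that happens after the capture is visible to both suppliers.
        login("alice");
        check("alice".equals(eager.get().getName()), "captured strategy sees alice");
        check("alice".equals(lazy.get().getName()), "per-call lookup sees alice");

        // Strategy replaced after the capture: the captured object keeps reading
        // its own (now unused) storage, while the per-call lookup follows the swap.
        SecurityContextHolder.clearContext();
        SecurityContextHolder.setStrategyName(SecurityContextHolder.MODE_INHERITABLETHREADLOCAL);
        login("bob");
        check(eager.get() == null, "captured strategy has no authentication");
        check("bob".equals(lazy.get().getName()), "per-call lookup sees bob");

        SecurityContextHolder.clearContext();
    }
}
```

When checking an application for this symptom, compare the strategy instance that stores the authentication with the one the method interceptor reads from; an empty result from the interceptor while the request thread holds an authentication points at two different instances.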