When upgrading from spring-boot 3.2.1 to 3.2.2 one the following SPEL security annotations stopped working. Now, it always gives a 401. Apparently, Spring security version did not upgrade between the two versions. The annotation that includes the ID works, but the one that uses the object doesn't.
This one DOES NOT work:
@PreAuthorize("hasPermission(#organization, 'WRITE')")
<S extends Organization>S save(S organization);
This one works:
@PreAuthorize("hasPermission(#id, 'com.company.app.Organization', 'READ')")
Optional<Organization> findById(Long id);
I don't even see anything in the logs that can help me identify the problem. It has worked in all versions prior to spring-boot 3.2.2
This turns out to be a bug in the Spring-boot 3.2.2 / Spring Framework 6.1.3
Parameter based cache keys on repository methods can't resolve after 6.1.2->6.1.3
https://github.com/spring-projects/spring-boot/issues/39261 https://github.com/spring-projects/spring-framework/issues/32087
Solution will be released in 3.2.3