spring-boot spring-security spring-annotations spring-el

Spring method security SpEL annotations always give 401 after upgrading Spring-boot to 3.2.2


When upgrading from spring-boot 3.2.1 to 3.2.2, one of the following SpEL security annotations stopped working. Now, it always gives a 401. Apparently, the Spring Security version was not upgraded between the two versions. The annotation that includes the ID works, but the one that uses the object doesn't.

This one DOES NOT work:

@PreAuthorize("hasPermission(#organization, 'WRITE')")
<S extends Organization>S save(S organization);

This one works:

@PreAuthorize("hasPermission(#id, 'com.company.app.Organization', 'READ')")
Optional<Organization> findById(Long id);    

I don't even see anything in the logs that can help me identify the problem. It has worked in all versions prior to spring-boot 3.2.2.


Solution

  • This turns out to be a bug in Spring Boot 3.2.2 / Spring Framework 6.1.3:

    Parameter based cache keys on repository methods can't resolve after 6.1.2->6.1.3

    https://github.com/spring-projects/spring-boot/issues/39261
    https://github.com/spring-projects/spring-framework/issues/32087

    Solution will be released in 3.2.3