Skip to content

@PreAuthorize not working in Spring Security 6+ due to deprecation #17487

New issue
New issue
Open
Open
@PreAuthorize not working in Spring Security 6+ due to deprecation#17487
Labels
status: waiting-for-triageAn issue we've not yet triagedtype: enhancementA general enhancement
@armorcodehemant

Description

@armorcodehemant
armorcodehemant
opened on Jul 5, 2025

Expected Behavior

When a user annotates a configuration class with @EnableGlobalMethodSecurity in Spring Security 6.x, the framework should either:

  • Automatically register the method-security infrastructure (metadata source, interceptor, expression handler), or

  • Emit a clear startup warning or error indicating that @EnableGlobalMethodSecurity is deprecated and pointing to the new @EnableMethodSecurity annotation.

Current Behavior

In Spring Security 6.2.7, if you only supply @EnableGlobalMethodSecurity, no method-security beans (e.g. MethodSecurityInterceptor) are registered, and no warning or error is logged. As a result, annotations like @PreAuthorize silently have no effect.

Metadata

Metadata

Assignees

No one assigned

    Labels

    status: waiting-for-triageAn issue we've not yet triagedtype: enhancementA general enhancement

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions