Java/Spring Boot

When @PreAuthorize does not work in Spring Security (Spring Boot 3.0 and later)

amungstudy 2023. 11. 27. 12:30

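I added @PreAuthorize to each API's controller method,

but Spring Security did not enforce the annotation.

So I searched for it.

Adding @EnableMethodSecurity at the top of the class solves the problem; this annotation is what turns on processing of @PreAuthorize.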

import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;

Unfortunately, there still doesn't seem to be much material on Spring Security 6 and later....

package com.nahwasa.springsecuritybasicsettingforspringboot3.controller;

import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.core.annotation.AuthenticationPrincipal;
import org.springframework.security.core.userdetails.User;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMapping;

@Controller
@RequestMapping("/view")
@EnableMethodSecurity
public class ViewController {

    @GetMapping("/login")
    public String loginPage() {
        return "login";
    }

    @GetMapping("/join")
    public String joinPage() {
        return "join";
    }

    @GetMapping("/dashboard")
    public String dashboardPage(@AuthenticationPrincipal User user, Model model) {
        model.addAttribute("loginId",user.getUsername());
        model.addAttribute("loginRoles",user.getAuthorities());
        return "dashboard";
    }

    @GetMapping("/setting/admin")
    @PreAuthorize("hasAnyRole('ADMIN')")
    public String adminSettingPage() {
        return "admin_setting";
    }

    @GetMapping("/setting/user")
    @PreAuthorize("hasAnyRole('USER')")
    public String userSettingPage() {
        return "user_setting";
    }
}
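A regression test for the fix above, as an added example that is not part of the original post: it checks that the @PreAuthorize rules on ViewController are actually enforced rather than silently ignored. The test class name is hypothetical, and the test assumes spring-security-test and JUnit 5 are on the test classpath, that the filter chain uses the default 403 response for authenticated users, and that the admin_setting template exists.

```java
package com.nahwasa.springsecuritybasicsettingforspringboot3.controller;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.security.test.context.support.WithMockUser;
import org.springframework.test.web.servlet.MockMvc;

import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

// Hypothetical test class (not from the original post).
// Loads the full application context so the real security configuration is used.
@SpringBootTest
@AutoConfigureMockMvc
class ViewControllerMethodSecurityTest {

    @Autowired
    private MockMvc mockMvc;

    // If method security is not enabled, @PreAuthorize is ignored and an
    // authenticated USER would be served the admin page instead of getting 403
    // (assuming the URL rules only require authentication for this path).
    @Test
    @WithMockUser(roles = "USER")
    void userRoleIsDeniedAdminSettingPage() throws Exception {
        mockMvc.perform(get("/view/setting/admin"))
               .andExpect(status().isForbidden());
    }

    // hasAnyRole('USER') does not match a principal that only has ROLE_ADMIN.
    @Test
    @WithMockUser(roles = "ADMIN")
    void adminRoleWithoutUserRoleIsDeniedUserSettingPage() throws Exception {
        mockMvc.perform(get("/view/setting/user"))
               .andExpect(status().isForbidden());
    }

    // Positive case: the matching role still reaches the page
    // (assumes the admin_setting view can be rendered).
    @Test
    @WithMockUser(roles = "ADMIN")
    void adminRoleCanOpenAdminSettingPage() throws Exception {
        mockMvc.perform(get("/view/setting/admin"))
               .andExpect(status().isOk());
    }
}
```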

 

REFERENCE : https://stackoverflow.com/questions/74783349/preauthorize-not-working-after-upgrading-to-spring-boot-3-spring-security-6