
Spring boot 3.2.5 @Preauthorize gives forbidden #40496

Closed
Kryptonian-C opened this issue Apr 24, 2024 · 3 comments

Comments

@Kryptonian-C

Kryptonian-C commented Apr 24, 2024

Hi Team,
After upgrading to Spring Boot 3.2.5, the methods annotated with @PreAuthorize("isAuthenticated()") start throwing a Forbidden error.
If I simply downgrade to 3.2.4 then everything works normally.

My security class looks like the one below.

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.method.configuration.EnableReactiveMethodSecurity;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.web.server.SecurityWebFilterChain;

// AuthenticationManager and SecurityContextRepository are the reporter's own classes (not shown
// in the issue); ServerHttpSecurity requires them to implement ReactiveAuthenticationManager and
// ServerSecurityContextRepository respectively.
@Configuration
@EnableWebFluxSecurity
@EnableReactiveMethodSecurity
public class GraphqlSecurityConfig {

  private AuthenticationManager authenticationManager;

  private final SecurityContextRepository securityContextRepository;

  @Autowired
  public GraphqlSecurityConfig(
      AuthenticationManager authenticationManager,
      SecurityContextRepository securityContextRepository) {
    this.authenticationManager = authenticationManager;
    this.securityContextRepository = securityContextRepository;
  }

  @Bean
  public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity httpSecurity) {

    return httpSecurity
        // stateless token API: no CSRF, basic or form login
        .csrf(ServerHttpSecurity.CsrfSpec::disable)
        .httpBasic(ServerHttpSecurity.HttpBasicSpec::disable)
        .formLogin(ServerHttpSecurity.FormLoginSpec::disable)
        .authenticationManager(authenticationManager)
        // the repository reads the token from the request and populates the SecurityContext
        .securityContextRepository(securityContextRepository)
        // all exchanges are permitted at the filter level; authorization is left to @PreAuthorize
        // (note: "*" matches within a single path segment, "/**" is the usual catch-all pattern)
        .authorizeExchange(it -> it.pathMatchers("*").permitAll())
        .build();
  }
}

AuthenticationManager and SecurityContextRepository have the logic for token validation, which takes the token from the Authorization header and creates a UsernamePasswordAuthenticationToken.

Also, in 3.2.5, if we remove the @PreAuthorize then I am able to access the Principal and Credentials from ReactiveSecurityContextHolder.getContext() after passing the Authorization header.

And simply downgrading to 3.2.4 makes everything work fine.
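As an added example (not the reporter's code, whose AuthenticationManager and SecurityContextRepository are not shown), here is a minimal WebFlux sketch of the two components the report describes, plus a method guarded by @PreAuthorize("isAuthenticated()"). The class names, the placeholder token "demo-token", the principal "alice" and the bean registration are assumptions; the comments mark the two details that most often turn such a setup into a 403.

```java
import org.springframework.http.HttpHeaders;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.authentication.ReactiveAuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextImpl;
import org.springframework.security.web.server.context.ServerSecurityContextRepository;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;
import java.util.List;

// Hypothetical token check; all three classes are assumed to be registered as beans.
class TokenAuthenticationManager implements ReactiveAuthenticationManager {
    @Override
    public Mono<Authentication> authenticate(Authentication auth) {
        if (!"demo-token".equals(auth.getCredentials())) { // constructed placeholder token
            return Mono.empty();                            // no context: request stays anonymous
        }
        // The 3-arg constructor marks the token authenticated (isAuthenticated() == true).
        // The 2-arg form leaves it false, which authorization checks then reject with 403.
        return Mono.just(new UsernamePasswordAuthenticationToken(
                "alice", auth.getCredentials(), List.of(new SimpleGrantedAuthority("ROLE_USER"))));
    }
}

// Reads "Authorization: Bearer <token>" on every request; stateless, so save() is a no-op.
class BearerSecurityContextRepository implements ServerSecurityContextRepository {
    private final ReactiveAuthenticationManager manager;
    BearerSecurityContextRepository(ReactiveAuthenticationManager manager) { this.manager = manager; }
    @Override
    public Mono<Void> save(ServerWebExchange exchange, SecurityContext context) { return Mono.empty(); }
    @Override
    public Mono<SecurityContext> load(ServerWebExchange exchange) {
        String header = exchange.getRequest().getHeaders().getFirst(HttpHeaders.AUTHORIZATION);
        if (header == null || !header.startsWith("Bearer ")) {
            return Mono.empty();
        }
        return manager.authenticate(new UsernamePasswordAuthenticationToken(null, header.substring(7)))
                .map(SecurityContextImpl::new);
    }
}

class GreetingService {
    // Reactive method security requires a Publisher (Mono/Flux) return type: the Authentication
    // is read from the Reactor context, not from a thread-local.
    @PreAuthorize("isAuthenticated()")
    public Mono<String> greet() { return Mono.just("hello"); }
}
```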

@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Apr 24, 2024
@wilkinsona
Member

Thanks for the report. I suspect that this isn't caused by Spring Boot itself but, most likely, by a change in Spring Security. That said, it's hard to be certain as we don't have the full picture here. For example, you haven't shown the code where you're using @PreAuthorize.

If you would like us to spend some more time investigating, please spend some time providing a complete yet minimal sample that reproduces the problem. You can share it with us by pushing it to a separate repository on GitHub or by zipping it up and attaching it to this issue.

@wilkinsona wilkinsona added the status: waiting-for-feedback We need additional information before we can continue label Apr 24, 2024
@spring-projects-issues
Collaborator

If you would like us to look at this issue, please provide the requested information. If the information is not provided within the next 7 days this issue will be closed.

@spring-projects-issues spring-projects-issues added the status: feedback-reminder We've sent a reminder that we need additional information before we can continue label May 1, 2024
@spring-projects-issues
Collaborator

Closing due to lack of requested feedback. If you would like us to look at this issue, please provide the requested information and we will re-open the issue.

@spring-projects-issues spring-projects-issues closed this as not planned Won't fix, can't repro, duplicate, stale May 8, 2024
@spring-projects-issues spring-projects-issues removed status: waiting-for-feedback We need additional information before we can continue status: feedback-reminder We've sent a reminder that we need additional information before we can continue status: waiting-for-triage An issue we've not yet triaged labels May 8, 2024