spring-security/core/src/main/java/org/springframework/security/authorization/method/AuthorizationManagerBeforeMethodInterceptor.java Lines 58 to 59 779d472

I don't understand why the security context holder is resolved only once at startup time
(created from: static MethodInterceptor preAuthorizeAuthorizationMethodInterceptor)

Because of that, the SecurityContextHolder used to resolve the authentication is always the one resolved from the Bean Initialization process... So it is always empty.

To Reproduce
Steps to reproduce the behavior.
Use a @PreAuthorize annotation on a method in a Spring Boot application (Spring Boot 3)

Expected behavior
A clear and concise description of what you expected to happen.
The authentication should be resolved at runtime. And if the authentication exists, it should be resolved.

What I would do

I would remove the parameter from AuthorizationManagerBeforeMethodInterceptor.getAuthentication and instead call SecurityContextHolder.getContextHolderStrategy() in the Supplier lambda.
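
The two forms discussed in this issue, passing the strategy as a parameter versus calling `SecurityContextHolder.getContextHolderStrategy()` inside the Supplier lambda, differ when the strategy is replaced after the supplier has been built. The following is an added example, not Spring Security's own code; it assumes `spring-security-core` is on the classpath, and `StrategyResolutionDemo`, `capturedStrategy`, `resolvedPerCall` and `SingleContextStrategy` are hypothetical names.

```java
import java.util.function.Supplier;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.context.SecurityContextHolderStrategy;
import org.springframework.security.core.context.SecurityContextImpl;

public class StrategyResolutionDemo {

    // Form 1: the strategy is a parameter, so the supplier keeps whichever
    // strategy object existed when the supplier was built.
    static Supplier<Authentication> capturedStrategy(SecurityContextHolderStrategy strategy) {
        return () -> strategy.getContext().getAuthentication();
    }

    // Form 2: the strategy is looked up inside the lambda, on every call.
    static Supplier<Authentication> resolvedPerCall() {
        return () -> SecurityContextHolder.getContextHolderStrategy()
                .getContext().getAuthentication();
    }

    // Constructed stand-in for a custom strategy installed after startup.
    static final class SingleContextStrategy implements SecurityContextHolderStrategy {
        private SecurityContext context = new SecurityContextImpl();
        public void clearContext() { this.context = new SecurityContextImpl(); }
        public SecurityContext getContext() { return this.context; }
        public void setContext(SecurityContext context) { this.context = context; }
        public SecurityContext createEmptyContext() { return new SecurityContextImpl(); }
    }

    public static void main(String[] args) {
        Supplier<Authentication> captured =
                capturedStrategy(SecurityContextHolder.getContextHolderStrategy());
        Supplier<Authentication> perCall = resolvedPerCall();

        // Replace the strategy after both suppliers exist, then authenticate
        // a constructed test user through the holder.
        SecurityContextHolder.setContextHolderStrategy(new SingleContextStrategy());
        SecurityContextHolder.getContext().setAuthentication(
                new TestingAuthenticationToken("alice", "n/a", "ROLE_USER"));

        // The first supplier still reads the strategy it was built with;
        // the second reads the strategy installed above.
        System.out.println("captured strategy: " + captured.get());
        System.out.println("resolved per call: " + perCall.get());
    }
}
```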