👀 Views: 69 💬 Answers: 1 📅 Created: 2025-06-15

spring-security java-17 spring-boot Java

Quick question that's been bugging me - I'm currently working with an scenario with method security annotations in my Spring Boot application. I'm using Spring Security 5.6.0 with Java 17, and I've annotated a service method with `@PreAuthorize("hasRole('ADMIN')")`. However, it seems that the security check is not being enforced, and I'm able to access the method with a user who doesn't have the ADMIN role. I have the `@EnableGlobalMethodSecurity(prePostEnabled = true)` annotation on my main application class, but it doesn't seem to have any effect. Here’s a snippet of my service: ```java @Service public class UserService { @PreAuthorize("hasRole('ADMIN')") public void deleteUser(Long userId) { // logic to delete user } } ``` Also, I have configured my security settings in a `WebSecurityConfigurerAdapter` like this: ```java @EnableWebSecurity public class SecurityConfig extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { http .authorizeRequests() .antMatchers("/admin/**").hasRole("ADMIN") .anyRequest().authenticated() .and() .formLogin(); } } ``` Despite using Postman to call the method without the ADMIN role, I receive a 200 OK response instead of a 403 Forbidden. I’ve checked my user roles in the database and everything seems correct. Has anyone encountered a similar scenario, or does anyone have suggestions on what I might be missing? I've also tried cleaning and rebuilding the project, but the question continues. Any help would be greatly appreciated! This is part of a larger CLI tool I'm building.