When using spring-addons-oidc-starter, is @PreAuthorize automatically enabled?

[bdruth]

Related question to #135, we're trying to do something similar - using Cognito as our IDP. We're not seeing evidence that @PreAuthorize is even being used ... do we need to do something special to enable this when using the oidc starter?

[bdruth]

We were able to get @PreAuthorize to work by adding

@Configuration
@EnableMethodSecurity(prePostEnabled = true)
public class MyWebSecurityConfig {}

in the classpath. Is this the right way to do it?

[ch4mpy]

Yes this is the standard spring security way to enable method security in servlet application.

This is just an opt-in and spring-addons never enables it automatically: you don't have to use method security. The gateway in BFF tutorial, for instance, does not need method security.

[ch4mpy]

By the way, prePostEnabled is true by default with @EnableMethodSecurity (it is false in the deprecated @EnableGlobalMethodSecurity).

Also, you can put this annotation on any @Configuration class (including the @SpringBootApplication), you don't have to create a configuration class just for that (but this probability makes things clearer).

[bdruth]

Excellent, thank you for the quick response!