spring-projects · Siggen · Apr 16, 2026
diff --git a/...k/security/config/annotation/method/configuration/PrePostMethodSecurityConfiguration.java b/...k/security/config/annotation/method/configuration/PrePostMethodSecurityConfiguration.java
@@ -32,6 +32,7 @@
 import org.springframework.context.annotation.ImportAware;
 import org.springframework.context.annotation.Role;
 import org.springframework.core.type.AnnotationMetadata;
+import org.springframework.security.access.PermissionEvaluator;
 import org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler;
 import org.springframework.security.access.expression.method.MethodSecurityExpressionHandler;
 import org.springframework.security.access.hierarchicalroles.RoleHierarchy;
@@ -127,6 +128,11 @@ void setAuthorizationManagerFactory(AuthorizationManagerFactory<MethodInvocation
 		this.expressionHandler.setAuthorizationManagerFactory(authorizationManagerFactory);
 	}
 
+	@Autowired(required = false)
+	void setPermissionEvaluator(PermissionEvaluator permissionEvaluator) {
+		this.expressionHandler.setPermissionEvaluator(permissionEvaluator);
+	}
+
 	@Autowired(required = false)
 	void setTemplateDefaults(AnnotationTemplateExpressionDefaults templateDefaults) {
 		this.preFilterMethodInterceptor.setTemplateDefaults(templateDefaults);

diff --git a/...urity/config/annotation/method/configuration/PrePostMethodSecurityConfigurationTests.java b/...urity/config/annotation/method/configuration/PrePostMethodSecurityConfigurationTests.java
@@ -1527,13 +1527,13 @@ MethodSecurityExpressionHandler methodSecurityExpressionHandler() {
 
 	}
 
+	@Configuration
 	@EnableMethodSecurity
 	static class CustomPermissionEvaluatorConfig {
 
 		@Bean
-		MethodSecurityExpressionHandler methodSecurityExpressionHandler() {
-			DefaultMethodSecurityExpressionHandler expressionHandler = new DefaultMethodSecurityExpressionHandler();
-			expressionHandler.setPermissionEvaluator(new PermissionEvaluator() {
+		PermissionEvaluator permissionEvaluator() {
+			return new PermissionEvaluator() {
 				@Override
 				public boolean hasPermission(Authentication authentication, Object targetDomainObject,
 						Object permission) {
@@ -1545,8 +1545,7 @@ public boolean hasPermission(Authentication authentication, Serializable targetI
 						Object permission) {
 					throw new UnsupportedOperationException();
 				}
-			});
-			return expressionHandler;
+			};
 		}
 
 	}