@PreAuthorize not working with prePostEnabled = true

问题

Using @EnableGlobalMethodSecurity(prePostEnabled = true) it seems that

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
}

@PreAuthorized has no effect:

@PreAuthorize("permitAll()")
@RequestMapping(value = "/users/change-email", method = RequestMethod.GET)
public void changeEmail() {
    // ..
}

I have also moved the annotation into the service layer with the same result:

@PreAuthorize("permitAll()")
@Transactional
public void changeEmail(HttpServletResponse response, String token) throws IOException {
     // ..
}

It's not clear to my why - any ideas?

This is how I am configuring my ResourceServerConfigurerAdapter:

@Configuration
@EnableResourceServer
public class ResourceServer extends ResourceServerConfigurerAdapter {

    @Override
    public void configure(HttpSecurity http) throws Exception {

        http
                .exceptionHandling()
                    .authenticationEntryPoint(new AuthFailureHandler())
                .and()
                .authorizeRequests()
                    .anyRequest()
                    .authenticated();
    }
}

---

At the moment I am getting a AccessDeniedException:

org.springframework.security.access.AccessDeniedException: Access is denied
    at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:84) ~[spring-security-core-5.0.6.RELEASE.jar:5.0.6.RELEASE]
    at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:233) ~[spring-security-core-5.0.6.RELEASE.jar:5.0.6.RELEASE]
    at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:124) ~[spring-security-web-5.0.6.RELEASE.jar:5.0.6.RELEASE]
    at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:91) ~[spring-security-web-5.0.6.RELEASE.jar:5.0.6.RELEASE]
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-5.0.6.RELEASE.jar:5.0.6.RELEASE]
    at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:119) ~[spring-security-web-5.0.6.RELEASE.jar:5.0.6.RELEASE]
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-5.0.6.RELEASE.jar:5.0.6.RELEASE]
    at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:137) [spring-security-web-5.0.6.RELEASE.jar:5.0.6.RELEASE]

来源：https://stackoverflow.com/questions/53125388/preauthorize-not-working-with-prepostenabled-true