Spring-boot: Spring security + boot with @EnableGlobalMethodSecurity and Custom MethodSecurityExpressionHandler @Bean throws exceptions fails to start.

Upon further research... turns out it was this related to:

http://stackoverflow.com/questions/23638462/how-do-i-add-method-based-security-to-a-spring-boot-project

A workaround is proposed and works but.... Is it possible to make the error message less cryptic? I've probably spent 10-16 hrs on this issue trying to figure out what was the root cause... and no hints were given that the PermissionEvaluator was the cause... and others on the stackoverflow page indicated they spent a lot of time on it, too.

It is very common (and natural) to have a Custom PermissionEvaluator bean be placed inside the Spring Security config (and not in its own config class)

Voting this one up, I'm SO glad I hit this on my first Google search, otherwise I would have spent I have no idea how long searching.

I have just encountered this issue whilst migrating an old XML based config to Java config and it was quite frustrating as the error didn't really make a lot of sense. Is there any way to improve this functionality?

+1 Same error for me using the EnableGlobalMethodSecurity annotation. Does anyone find a workaround?

The workaround suggested on stackoverflow worked for me: http://stackoverflow.com/questions/23638462/how-do-i-add-method-based-security-to-a-spring-boot-project

Hi @roberthunt @rattek @airduster I face same issue in Spring Brixton.sr*. (I don't have this problem is Brixton.m5)

(I also have some dependencies to spring-boot-starter-websocket and related libraries)

This is my global security config file:

@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class MethodSecurityConfiguration extends GlobalMethodSecurityConfiguration {

    // it cause that famous error !!
    @Autowired AuthenticationInstanceIdResolver authenticationInstanceIdResolver;

    @Override
    protected MethodSecurityExpressionHandler createExpressionHandler() {
        return new RealtimeMethodSecurityExpressionHandler(authenticationInstanceIdResolver);
    }
}

If i comment @Autowired line, it work well, but in other cases I face this error:

Error starting ApplicationContext. To display the auto-configuration report enable debug logging (start with —debug)


2016-11-26 13:52:13.371 ERROR [realtime-messaging-api,,,]Disconnected from the target VM, address: '127.0.0.1:61593', transport: 'socket'
 15010 —- [           main] o.s.boot.SpringApplication               : Application startup failed

org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'defaultServletHandlerMapping' defined in class path resource [org/springframework/boot/autoconfigure/web/WebMvcAutoConfiguration$EnableWebMvcConfiguration.class]: Bean instantiation via factory method failed; nested exception is org.springframework.beans.BeanInstantiationException: Failed to instantiate [org.springframework.web.servlet.HandlerMapping]: Factory method 'defaultServletHandlerMapping' threw exception; nested exception is java.lang.IllegalArgumentException: A ServletContext is required to configure default servlet handling
  at org.springframework.beans.factory.support.ConstructorResolver.instantiateUsingFactoryMethod(ConstructorResolver.java:599)
  at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.instantiateUsingFactoryMethod(AbstractAutowireCapableBeanFactory.java:1123)
  at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:1018)
  at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:510)
  at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:482)
  at org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:306)
  at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:230)
  at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:302)
  at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:197)
  at org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingletons(DefaultListableBeanFactory.java:776)
  at org.springframework.context.support.AbstractApplicationContext.finishBeanFactoryInitialization(AbstractApplicationContext.java:861)
  at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:541)
  at org.springframework.boot.context.embedded.EmbeddedWebApplicationContext.refresh(EmbeddedWebApplicationContext.java:122)
  at org.springframework.boot.SpringApplication.refresh(SpringApplication.java:759)
  at org.springframework.boot.SpringApplication.refreshContext(SpringApplication.java:369)
  at org.springframework.boot.SpringApplication.run(SpringApplication.java:313)
  at org.springframework.boot.SpringApplication.run(SpringApplication.java:1185)
  at org.springframework.boot.SpringApplication.run(SpringApplication.java:1174)
  at ir.pegahtech.backtory.RealtimeMessagingApplication.main(RealtimeMessagingApplication.java:32)
Caused by: org.springframework.beans.BeanInstantiationException: Failed to instantiate [org.springframework.web.servlet.HandlerMapping]: Factory method 'defaultServletHandlerMapping' threw exception; nested exception is java.lang.IllegalArgumentException: A ServletContext is required to configure default servlet handling
  at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:189)
  at org.springframework.beans.factory.support.ConstructorResolver.instantiateUsingFactoryMethod(ConstructorResolver.java:588)
  ... 18 common frames omitted
Caused by: java.lang.IllegalArgumentException: A ServletContext is required to configure default servlet handling
  at org.springframework.util.Assert.notNull(Assert.java:115)
  at org.springframework.web.servlet.config.annotation.DefaultServletHandlerConfigurer.<init😠DefaultServletHandlerConfigurer.java:53)
at org.springframework.web.servlet.config.annotation.WebMvcConfigurationSupport.defaultServletHandlerMapping(WebMvcConfigurationSupport.java:456)
  at org.springframework.boot.autoconfigure.web.WebMvcAutoConfiguration$EnableWebMvcConfiguration$$EnhancerBySpringCGLIB$$5b22f7d5.CGLIB$defaultServletHandlerMapping$45(<generated>)
  at org.springframework.boot.autoconfigure.web.WebMvcAutoConfiguration$EnableWebMvcConfiguration$$EnhancerBySpringCGLIB$$5b22f7d5$$FastClassBySpringCGLIB$$6d3f1a84.invoke(<generated>)
  at org.springframework.cglib.proxy.MethodProxy.invokeSuper(MethodProxy.java:228)
  at org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:356)
  at org.springframework.boot.autoconfigure.web.WebMvcAutoConfiguration$EnableWebMvcConfiguration$$EnhancerBySpringCGLIB$$5b22f7d5.defaultServletHandlerMapping(<generated>)
  at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
  at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
  at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
  at java.lang.reflect.Method.invoke(Method.java:497)
  at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:162)
  ... 19 common frames omitted


Process finished with exit code 1

Would you please help me overcome this problem?

This is still a problem with 1.4.3.RELEASE. Numerous log messages are output that indicate that it's a problem with premature initialisation:

017-01-09 14:58:54.115  INFO 19306 --- [           main] trationDelegate$BeanPostProcessorChecker : Bean 'org.springframework.security.config.annotation.configuration.ObjectPostProcessorConfiguration' of type [class org.springframework.security.config.annotation.configuration.ObjectPostProcessorConfiguration$$EnhancerBySpringCGLIB$$e6a7a577] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)
2017-01-09 14:59:04.767  INFO 19306 --- [           main] trationDelegate$BeanPostProcessorChecker : Bean 'objectPostProcessor' of type [class org.springframework.security.config.annotation.configuration.AutowireBeanFactoryObjectPostProcessor] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)
2017-01-09 14:59:04.771  INFO 19306 --- [           main] trationDelegate$BeanPostProcessorChecker : Bean 'org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler@415156bf' of type [class org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)
2017-01-09 14:59:04.912  INFO 19306 --- [           main] trationDelegate$BeanPostProcessorChecker : Bean 'spring.mvc-org.springframework.boot.autoconfigure.web.WebMvcProperties' of type [class org.springframework.boot.autoconfigure.web.WebMvcProperties] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)
2017-01-09 14:59:04.943  INFO 19306 --- [           main] trationDelegate$BeanPostProcessorChecker : Bean 'spring.resources-org.springframework.boot.autoconfigure.web.ResourceProperties' of type [class org.springframework.boot.autoconfigure.web.ResourceProperties] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)
2017-01-09 14:59:04.953  INFO 19306 --- [           main] trationDelegate$BeanPostProcessorChecker : Bean 'spring.http.encoding-org.springframework.boot.autoconfigure.web.HttpEncodingProperties' of type [class org.springframework.boot.autoconfigure.web.HttpEncodingProperties] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)
2017-01-09 14:59:04.958  INFO 19306 --- [           main] trationDelegate$BeanPostProcessorChecker : Bean 'org.springframework.boot.autoconfigure.web.HttpMessageConvertersAutoConfiguration$StringHttpMessageConverterConfiguration' of type [class org.springframework.boot.autoconfigure.web.HttpMessageConvertersAutoConfiguration$StringHttpMessageConverterConfiguration$$EnhancerBySpringCGLIB$$9b28063d] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)
2017-01-09 14:59:04.968  INFO 19306 --- [           main] trationDelegate$BeanPostProcessorChecker : Bean 'stringHttpMessageConverter' of type [class org.springframework.http.converter.StringHttpMessageConverter] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)
2017-01-09 14:59:04.972  INFO 19306 --- [           main] trationDelegate$BeanPostProcessorChecker : Bean 'org.springframework.boot.autoconfigure.web.JacksonHttpMessageConvertersConfiguration$MappingJackson2HttpMessageConverterConfiguration' of type [class org.springframework.boot.autoconfigure.web.JacksonHttpMessageConvertersConfiguration$MappingJackson2HttpMessageConverterConfiguration$$EnhancerBySpringCGLIB$$2936303d] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)
2017-01-09 14:59:04.977  INFO 19306 --- [           main] trationDelegate$BeanPostProcessorChecker : Bean 'org.springframework.boot.autoconfigure.jackson.JacksonAutoConfiguration$JacksonObjectMapperConfiguration' of type [class org.springframework.boot.autoconfigure.jackson.JacksonAutoConfiguration$JacksonObjectMapperConfiguration$$EnhancerBySpringCGLIB$$a98d5cce] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)
2017-01-09 14:59:04.992  INFO 19306 --- [           main] trationDelegate$BeanPostProcessorChecker : Bean 'spring.jackson-org.springframework.boot.autoconfigure.jackson.JacksonProperties' of type [class org.springframework.boot.autoconfigure.jackson.JacksonProperties] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)
2017-01-09 14:59:04.996  INFO 19306 --- [           main] trationDelegate$BeanPostProcessorChecker : Bean 'org.springframework.boot.autoconfigure.jackson.JacksonAutoConfiguration$Jackson2ObjectMapperBuilderCustomizerConfiguration' of type [class org.springframework.boot.autoconfigure.jackson.JacksonAutoConfiguration$Jackson2ObjectMapperBuilderCustomizerConfiguration$$EnhancerBySpringCGLIB$$16f104d6] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)
2017-01-09 14:59:05.002  INFO 19306 --- [           main] trationDelegate$BeanPostProcessorChecker : Bean 'standardJacksonObjectMapperBuilderCustomizer' of type [class org.springframework.boot.autoconfigure.jackson.JacksonAutoConfiguration$Jackson2ObjectMapperBuilderCustomizerConfiguration$StandardJackson2ObjectMapperBuilderCustomizer] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)
2017-01-09 14:59:05.012  INFO 19306 --- [           main] trationDelegate$BeanPostProcessorChecker : Bean 'org.springframework.boot.autoconfigure.jackson.JacksonAutoConfiguration$JacksonObjectMapperBuilderConfiguration' of type [class org.springframework.boot.autoconfigure.jackson.JacksonAutoConfiguration$JacksonObjectMapperBuilderConfiguration$$EnhancerBySpringCGLIB$$5bda1ee7] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)
2017-01-09 14:59:05.018  INFO 19306 --- [           main] trationDelegate$BeanPostProcessorChecker : Bean 'org.springframework.boot.autoconfigure.jackson.JacksonAutoConfiguration' of type [class org.springframework.boot.autoconfigure.jackson.JacksonAutoConfiguration$$EnhancerBySpringCGLIB$$8b98fa5d] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)
2017-01-09 14:59:05.049  INFO 19306 --- [           main] trationDelegate$BeanPostProcessorChecker : Bean 'jsonComponentModule' of type [class org.springframework.boot.jackson.JsonComponentModule] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)
2017-01-09 14:59:05.054  INFO 19306 --- [           main] trationDelegate$BeanPostProcessorChecker : Bean 'jacksonObjectMapperBuilder' of type [class org.springframework.http.converter.json.Jackson2ObjectMapperBuilder] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)
2017-01-09 14:59:05.086  INFO 19306 --- [           main] trationDelegate$BeanPostProcessorChecker : Bean 'jacksonObjectMapper' of type [class com.fasterxml.jackson.databind.ObjectMapper] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)
2017-01-09 14:59:05.094  INFO 19306 --- [           main] trationDelegate$BeanPostProcessorChecker : Bean 'mappingJackson2HttpMessageConverter' of type [class org.springframework.http.converter.json.MappingJackson2HttpMessageConverter] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)
2017-01-09 14:59:05.097  INFO 19306 --- [           main] trationDelegate$BeanPostProcessorChecker : Bean 'org.springframework.boot.autoconfigure.web.HttpMessageConvertersAutoConfiguration' of type [class org.springframework.boot.autoconfigure.web.HttpMessageConvertersAutoConfiguration$$EnhancerBySpringCGLIB$$deb1fb9d] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)
2017-01-09 14:59:05.110  INFO 19306 --- [           main] trationDelegate$BeanPostProcessorChecker : Bean 'messageConverters' of type [class org.springframework.boot.autoconfigure.web.HttpMessageConverters] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)
2017-01-09 14:59:05.116  INFO 19306 --- [           main] trationDelegate$BeanPostProcessorChecker : Bean 'org.springframework.boot.autoconfigure.web.WebMvcAutoConfiguration$WebMvcAutoConfigurationAdapter' of type [class org.springframework.boot.autoconfigure.web.WebMvcAutoConfiguration$WebMvcAutoConfigurationAdapter$$EnhancerBySpringCGLIB$$38fd34b9] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)
2017-01-09 14:59:05.119  INFO 19306 --- [           main] trationDelegate$BeanPostProcessorChecker : Bean 'org.springframework.security.config.annotation.web.configuration.WebMvcSecurityConfiguration' of type [class org.springframework.security.config.annotation.web.configuration.WebMvcSecurityConfiguration] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)
2017-01-09 14:59:05.120  INFO 19306 --- [           main] trationDelegate$BeanPostProcessorChecker : Bean 'org.springframework.boot.autoconfigure.web.WebMvcAutoConfiguration$EnableWebMvcConfiguration' of type [class org.springframework.boot.autoconfigure.web.WebMvcAutoConfiguration$EnableWebMvcConfiguration$$EnhancerBySpringCGLIB$$a5277f46] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)
2017-01-09 14:59:05.134  INFO 19306 --- [           main] trationDelegate$BeanPostProcessorChecker : Bean 'mvcContentNegotiationManager' of type [class org.springframework.web.accept.ContentNegotiationManager] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)
2017-01-09 14:59:05.147  INFO 19306 --- [           main] trationDelegate$BeanPostProcessorChecker : Bean 'enableGlobalAuthenticationAutowiredConfigurer' of type [class org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration$EnableGlobalAuthenticationAutowiredConfigurer] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)
2017-01-09 14:59:05.150  INFO 19306 --- [           main] trationDelegate$BeanPostProcessorChecker : Bean 'initializeUserDetailsBeanManagerConfigurer' of type [class org.springframework.security.config.annotation.authentication.configuration.InitializeUserDetailsBeanManagerConfigurer] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)
2017-01-09 14:59:05.155  INFO 19306 --- [           main] trationDelegate$BeanPostProcessorChecker : Bean 'initializeAuthenticationProviderBeanManagerConfigurer' of type [class org.springframework.security.config.annotation.authentication.configuration.InitializeAuthenticationProviderBeanManagerConfigurer] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)
2017-01-09 14:59:05.160  INFO 19306 --- [           main] trationDelegate$BeanPostProcessorChecker : Bean 'org.springframework.boot.autoconfigure.security.SecurityAutoConfiguration' of type [class org.springframework.boot.autoconfigure.security.SecurityAutoConfiguration$$EnhancerBySpringCGLIB$$4d4ddaa7] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)
2017-01-09 14:59:05.183  INFO 19306 --- [           main] trationDelegate$BeanPostProcessorChecker : Bean 'securityProperties' of type [class org.springframework.boot.autoconfigure.security.SecurityProperties] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)
2017-01-09 14:59:05.187  INFO 19306 --- [           main] trationDelegate$BeanPostProcessorChecker : Bean 'springBootAuthenticationConfigurerAdapter' of type [class org.springframework.boot.autoconfigure.security.AuthenticationManagerConfiguration$SpringBootAuthenticationConfigurerAdapter] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)
2017-01-09 14:59:05.191  INFO 19306 --- [           main] trationDelegate$BeanPostProcessorChecker : Bean 'bootGlobalAuthenticationConfigurationAdapter' of type [class org.springframework.boot.autoconfigure.security.BootGlobalAuthenticationConfiguration$BootGlobalAuthenticationConfigurationAdapter] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)
2017-01-09 14:59:05.192  INFO 19306 --- [           main] trationDelegate$BeanPostProcessorChecker : Bean 'org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration' of type [class org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration$$EnhancerBySpringCGLIB$$3270afec] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)
2017-01-09 14:59:05.192  INFO 19306 --- [           main] trationDelegate$BeanPostProcessorChecker : Bean 'gh4875Application' of type [class com.example.Gh4875Application$$EnhancerBySpringCGLIB$$146c3ade] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)
2017-01-09 14:59:05.198  INFO 19306 --- [           main] trationDelegate$BeanPostProcessorChecker : Bean 'expressionHandler' of type [class org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)
2017-01-09 14:59:05.199  INFO 19306 --- [           main] trationDelegate$BeanPostProcessorChecker : Bean 'org.springframework.security.config.annotation.method.configuration.GlobalMethodSecurityConfiguration' of type [class org.springframework.security.config.annotation.method.configuration.GlobalMethodSecurityConfiguration$$EnhancerBySpringCGLIB$$b7c4829] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)
2017-01-09 14:59:05.210  INFO 19306 --- [           main] trationDelegate$BeanPostProcessorChecker : Bean 'methodSecurityMetadataSource' of type [class org.springframework.security.access.method.DelegatingMethodSecurityMetadataSource] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)

The problem can be reproduced more simply than shown above:

package com.example;

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.context.annotation.Bean;
import org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler;
import org.springframework.security.access.expression.method.MethodSecurityExpressionHandler;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@SpringBootApplication
@EnableGlobalMethodSecurity(prePostEnabled=true)
public class Gh4875Application extends WebSecurityConfigurerAdapter {

    @Bean
    public MethodSecurityExpressionHandler expressionHandler() {
        return new DefaultMethodSecurityExpressionHandler();
    }

    public static void main(String[] args) {
        SpringApplication.run(Gh4875Application.class, args);
    }
}

The error message is produced by Spring Framework and it's not clear how it could be improved as it has no knowledge of this specific problem and nor should it.

We'd like to improve things here but it's not immediately apparent how we can do so.

Hello! Same problem here. I've Googled a lot, but I couldn't find any working solution.
Is there any workaround for the case when PermissionEvaluator is not even used?

So my MethodSecurityConfig is just:

@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true, proxyTargetClass = true)
public class MethodSecurityConfig extends GlobalMethodSecurityConfiguration {

  @Autowired
  private OAuth2SecurityConfiguration securityConfig;

  @Override
  protected MethodSecurityExpressionHandler createExpressionHandler() {
    return new OAuth2MethodSecurityExpressionHandler();
  }
}

Hi Lex4hex,

If you use in-memory database, can you please give a try with this?

@Configuration
@EnableResourceServer
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class MethodSecurityConfig extends GlobalMethodSecurityConfiguration {

    @Override
    protected MethodSecurityExpressionHandler createExpressionHandler() {
        return new OAuth2MethodSecurityExpressionHandler();
    }
}

In the pom.xml, add this.

>              <dependency>
>           <groupId>com.h2database</groupId>
>           <artifactId>h2</artifactId>
>       </dependency>
> 

@Lex4hex, I've had the same issue in my project. Solution was pretty simple: I've moved @EnableGlobalMethodSecurity annotation from MethodSecurityConfig class to another SecurityConfig class, that extend WebSecurityConfigurerAdapter. Hope, it will help you

already i try this but no use, any alternate please.

I've got my project to start up.
You can check short example of my configuration:

@Configuration
public class Oauth2Configuration {

    @Configuration
    @EnableResourceServer
    protected static class ResourceServer extends ResourceServerConfigurerAdapter {

        private final TokenStore tokenStore;

        @Autowired
        public ResourceServer(TokenStore tokenStore) {
            this.tokenStore = tokenStore;
        }

        @Override
        public void configure(ResourceServerSecurityConfigurer resources)
            throws Exception {
            resources.tokenStore(tokenStore);
        }

        @Override
        public void configure(HttpSecurity http) throws Exception {
            http.authorizeRequests()
                .antMatchers(HttpMethod.POST, "/api/shop/cart/{\\d+}/add/{\\d+}")
                .permitAll() // Add product to customer
                .antMatchers(HttpMethod.POST, "/api/shop/cart/customer/{\\d+}")
                .permitAll() // Create cart
                .antMatchers(HttpMethod.POST, "/api/shop/customer/{\\d+}/order")
                .permitAll() // Create order
                .antMatchers(HttpMethod.GET, "/api/shop/products").permitAll() // Get all products
                .antMatchers("/api/shop/**")
                .hasAuthority("ADMIN") // All other actions require admin role
                .and().exceptionHandling().accessDeniedHandler(new OAuth2AccessDeniedHandler());
        }
    }

    @Configuration
    @EnableAuthorizationServer
    protected static class OAuth2Config extends AuthorizationServerConfigurerAdapter {

        @Autowired
        public OAuth2Config(@Qualifier("dataSource") DataSource dataSource,
            AuthenticationManager auth) {
            this.dataSource = dataSource;
            this.auth = auth;
        }

        private final DataSource dataSource;

        private final AuthenticationManager auth;

        private BCryptPasswordEncoder passwordEncoder = new BCryptPasswordEncoder();

        @Bean
        public JdbcTokenStore tokenStore() {
            return new JdbcTokenStore(dataSource);
        }

        @Bean
        protected AuthorizationCodeServices authorizationCodeServices() {
            return new JdbcAuthorizationCodeServices(dataSource);
        }

        @Override
        public void configure(AuthorizationServerSecurityConfigurer security)
            throws Exception {
            security.passwordEncoder(passwordEncoder);
        }

        @Override
        public void configure(AuthorizationServerEndpointsConfigurer endpoints)
            throws Exception {
            endpoints.authorizationCodeServices(authorizationCodeServices())
                .authenticationManager(auth).tokenStore(tokenStore())
                .approvalStoreDisabled();
        }

        @Override
        public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
            clients.jdbc(dataSource);
        }
    }
}

@Configuration
public class Oauth2Configuration {

    @Configuration
    @EnableResourceServer
    protected static class ResourceServer extends ResourceServerConfigurerAdapter {

        private final TokenStore tokenStore;

        @Autowired
        public ResourceServer(TokenStore tokenStore) {
            this.tokenStore = tokenStore;
        }

        @Override
        public void configure(ResourceServerSecurityConfigurer resources)
            throws Exception {
            resources.tokenStore(tokenStore);
        }

        @Override
        public void configure(HttpSecurity http) throws Exception {
            http.authorizeRequests()
                .antMatchers(HttpMethod.POST, "/api/shop/cart/{\\d+}/add/{\\d+}")
                .permitAll() // Add product to customer
                .antMatchers(HttpMethod.POST, "/api/shop/cart/customer/{\\d+}")
                .permitAll() // Create cart
                .antMatchers(HttpMethod.POST, "/api/shop/customer/{\\d+}/order")
                .permitAll() // Create order
                .antMatchers(HttpMethod.GET, "/api/shop/products").permitAll() // Get all products
                .antMatchers("/api/shop/**")
                .hasAuthority("ADMIN") // All other actions require admin role
                .and().exceptionHandling().accessDeniedHandler(new OAuth2AccessDeniedHandler());
        }
    }

    @Configuration
    @EnableAuthorizationServer
    protected static class OAuth2Config extends AuthorizationServerConfigurerAdapter {

        @Autowired
        public OAuth2Config(@Qualifier("dataSource") DataSource dataSource,
            AuthenticationManager auth) {
            this.dataSource = dataSource;
            this.auth = auth;
        }

        private final DataSource dataSource;

        private final AuthenticationManager auth;

        private BCryptPasswordEncoder passwordEncoder = new BCryptPasswordEncoder();

        @Bean
        public JdbcTokenStore tokenStore() {
            return new JdbcTokenStore(dataSource);
        }

        @Bean
        protected AuthorizationCodeServices authorizationCodeServices() {
            return new JdbcAuthorizationCodeServices(dataSource);
        }

        @Override
        public void configure(AuthorizationServerSecurityConfigurer security)
            throws Exception {
            security.passwordEncoder(passwordEncoder);
        }

        @Override
        public void configure(AuthorizationServerEndpointsConfigurer endpoints)
            throws Exception {
            endpoints.authorizationCodeServices(authorizationCodeServices())
                .authenticationManager(auth).tokenStore(tokenStore())
                .approvalStoreDisabled();
        }

        @Override
        public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
            clients.jdbc(dataSource);
        }
    }
}

If any of you have similar configuration to below :

@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true, proxyTargetClass = true)
public class MethodSecurityConfiguration extends GlobalMethodSecurityConfiguration {

    // it cause that famous error !!
     @Autowired
    private OAuth2SecurityConfig securityConfig;

    @Override
    protected MethodSecurityExpressionHandler createExpressionHandler() {
        return new OAuth2MethodSecurityExpressionHandler();
    }
}

which causes this error :

Caused by: java.lang.IllegalArgumentException: A ServletContext is required to configure default servlet handling
 ```

Just move that pesky autowired which causes the error to new configuration file

```java
@Configuration
public class OAuth2SecurityLoaderConfig {

    @Autowired
    private OAuth2SecurityConfig securityConfig;
}

It seems that MethodSecurityConfiguration is trying to premature instantiate OAuth2SecurityConfig, which causes the error above. (MethodSecurityConfiguration class is forcing it to be instantiated before the ServletContext is ready)

I had a similar problem where I had something like

public class MethodSecurityConfiguration extends GlobalMethodSecurityConfiguration {

    // it cause that famous error !!
     @Autowired
    private MyService myService;
...

with @EnableGlobalMethodSecurity making all the @Transaction annotations get ignored in MyService.
turns out that just adding an @Lazy annotation to the autowired declaration here fixed it for me.

running with undertow so no tomcat issues here.

We think this is fixed in 1.5 now.