Description
Describe the bug
Referencing parameter names in a `@PreAuthorize("#x...")` fails when using Kotlin coroutines.

```kotlin
@PreAuthorize("#action.getUserId() == 1")
suspend fun save(action: Action)
```

Fails with:

```
Caused by: org.springframework.expression.spel.SpelEvaluationException: EL1004E: Method call: Method getUserId() cannot be found on type java.lang.Object[]
```

Because in `org.springframework.expression.spel.ast.MethodReference` the value/targetObject is not of the expected Type `Action` but of type `Object[]` holding

```
[0] = "Action(userId=1)"
[1] = "Continuation at com.example.demoActionServiceTest$save...."
```
To Reproduce
See sample README.
Expected behavior
I expect to be able to reference parameters by their name.
Sample
https://github.com/RobertHeim/spring-security-bug-preauth-coroutines
Note that the sample uses SNAPSHOT, but the RC1 has the same bug.
Workaround
First, recognize that the problem only occurs when referencing the last parameter (because this is the one "transformed" to an object in order to hold the argument (`[0]`) as well as the coroutine continuation (`[1]`)).

Adding `[0]` works:

```kotlin
@PreAuthorize("#action[0].getUserId() == 1")
```

Also removing the `suspend` and returning `Mono` works as well:

```kotlin
@PreAuthorize("#action.getUserId() == 1")
fun save(action: Action) : Mono<Unit>
```
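
The mismatch reported above, as an added example that is not part of the original report or of Spring Security's code: it uses plain reflection to show the trailing `Continuation` that a `suspend` function receives on the JVM, and a simplified model of how one source-level name then ends up bound to an `Object[]`. `ActionService`, `isSuspend` and `bind` are hypothetical names, and the varargs-style rule in `bind` is an assumption chosen to match the observed `[0]`/`[1]` values.

```kotlin
import java.lang.reflect.Method
import kotlin.coroutines.Continuation
import kotlin.coroutines.CoroutineContext
import kotlin.coroutines.EmptyCoroutineContext

data class Action(val userId: Int)

// Hypothetical service: one suspend method, one regular method for comparison.
class ActionService {
    suspend fun save(action: Action) {}
    fun load(id: Int): Action = Action(id)
}

// A suspend function is compiled with a trailing Continuation parameter,
// so this flags methods whose last parameter is affected by the report.
fun isSuspend(m: Method): Boolean =
    m.parameterTypes.lastOrNull() == Continuation::class.java

// Assumed binding rule (models the report's observation, not Spring's code):
// with more arguments than names, the last name receives the remaining
// arguments as an array, the way a varargs parameter would.
fun bind(names: List<String>, args: Array<Any?>): Map<String, Any?> =
    names.mapIndexed { i, name ->
        val spill = args.size > names.size && i == names.lastIndex
        val value: Any? = if (spill) args.copyOfRange(i, args.size) else args[i]
        name to value
    }.toMap()

fun main() {
    // Constructed stand-in for the continuation the compiler passes in.
    val continuation = object : Continuation<Any?> {
        override val context: CoroutineContext = EmptyCoroutineContext
        override fun resumeWith(result: Result<Any?>) {}
    }
    for (m in ActionService::class.java.declaredMethods.sortedBy { it.name }) {
        val params = m.parameterTypes.map { it.simpleName }
        println("${m.name}: suspend=${isSuspend(m)} jvmParams=$params")
    }
    // Source-level names for save() are ["action"]; the JVM call carries two arguments.
    val bound = bind(listOf("action"), arrayOf(Action(1), continuation))
    val action = bound["action"]
    println("#action is Action: ${action is Action}")
    println("#action[0] is Action: ${(action as? Array<*>)?.get(0) is Action}")
}
```

Running `isSuspend` over the methods that carry `@PreAuthorize` gives the list of expressions to re-check, both now and when the `[0]` workaround is removed after a fix.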