Spring security @PreAuthorize gives NullPointerException. Why?

I'm trying to implement a check of User's role in the controller, so when User is calling a particular web adress he gets access to the page (or not).

So I put @PreAuthorize("hasPermission...) in one of my controller's (URL GET) method and created my custom *PermissionEvaluator*.
It takes a two strings as a parameters (entity name - String, permission name - String), which I'll later take from User's role object.
For the testing purposes now it always returns "true".

The problem: I always get a NullPointerException when placing @PreAuthorize. The text inside CustomPermissionEvaluator is not even called.
Could you please explain what am I doing wrong?

Controller

@RequestMapping(value = "goal/new", method = RequestMethod.GET) @PreAuthorize("hasPermission('GOAL', 'WRITE')") public String add (Model model,  RedirectAttributes redirect) {   User user = AuthUtils.getCurrentUser();   Goal goal = new Goal();   Set<Unit> units = unitService.getUnitsByRole(user.getRoles());   model.addAttribute("goal", goal);   model.addAttribute("units", units); return WEB_FORM_URL; }

Permission evaluator
@Component public class CustomPermissionEvaluator implements PermissionEvaluator {    @Override    public boolean hasPermission(Authentication authentication, Object targetDomainObject, Object permission) {        System.out.println("Permission eveluator: called");        boolean permissionGranted = true;        return permissionGranted;    }    @Override    public boolean hasPermission(Authentication authentication, Serializable serializable, String targetType,                                 Object permission) {        return false;    } }

GlobalMethodSecurityConfiguration
@Configuration @EnableGlobalMethodSecurity(securedEnabled = true, prePostEnabled = true, jsr250Enabled = true, proxyTargetClass = true) public class CustomMethodSecurityConfig extends GlobalMethodSecurityConfiguration {    @Autowired    CustomPermissionEvaluator permissionEvaluator;    @Bean    public MethodSecurityExpressionHandler methodSecurityExpressionHandler() {        DefaultMethodSecurityExpressionHandler handler = new DefaultMethodSecurityExpressionHandler();        handler.setPermissionEvaluator(permissionEvaluator);        return handler;    } }

Error stack
java.lang.NullPointerException: null    at org.springframework.security.access.expression.SecurityExpressionRoot.hasPermission(SecurityExpressionRoot.java:177) ~[spring-security-core-5.1.4.RELEASE.jar:5.1.4.RELEASE]    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:1.8.0_201]    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[na:1.8.0_201]    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:1.8.0_201]    at java.lang.reflect.Method.invoke(Method.java:498) ~[na:1.8.0_201]    at org.springframework.expression.spel.support.ReflectiveMethodExecutor.execute(ReflectiveMethodExecutor.java:130) ~[spring-expression-5.1.5.RELEASE.jar:5.1.5.RELEASE]    at org.springframework.expression.spel.ast.MethodReference.getValueInternal(MethodReference.java:138) ~[spring-expression-5.1.5.RELEASE.jar:5.1.5.RELEASE]    at org.springframework.expression.spel.ast.MethodReference.getValueInternal(MethodReference.java:94) ~[spring-expression-5.1.5.RELEASE.jar:5.1.5.RELEASE]    at org.springframework.expression.spel.ast.SpelNodeImpl.getTypedValue(SpelNodeImpl.java:114) ~[spring-expression-5.1.5.RELEASE.jar:5.1.5.RELEASE]    at org.springframework.expression.spel.standard.SpelExpression.getValue(SpelExpression.java:300) ~[spring-expression-5.1.5.RELEASE.jar:5.1.5.RELEASE]    at org.springframework.security.access.expression.ExpressionUtils.evaluateAsBoolean(ExpressionUtils.java:26) ~[spring-security-core-5.1.4.RELEASE.jar:5.1.4.RELEASE]    at org.springframework.security.access.expression.method.ExpressionBasedPreInvocationAdvice.before(ExpressionBasedPreInvocationAdvice.java:59) ~[spring-security-core-5.1.4.RELEASE.jar:5.1.4.RELEASE]

I think instead of adding a methodSecurityExpressionHandler() bean factory to your configuration subclass, you should override the getExpressionHandler() method to return your permissionEvaluator. Set a breakpoint inside of it or add a logging statement to see if the auto-wired permissionEvaluator is not null.

Note that the @Configuration annotation on your CustomMethodSecurityConfig is redundant; it's already implied by @EnableGlobalMethodSecurity.

Stephan van Hulst wrote: Set a breakpoint inside of it or add a logging statement to see if the auto-wired permissionEvaluator is not null.

Thank you. I've checked wheter the auto-wired permissionEvaluator is null and its surprisingly null.
But why?

Stephan van Hulst wrote:
I think instead of adding a methodSecurityExpressionHandler() bean factory to your configuration subclass, you should override the getExpressionHandler() method to return your permissionEvaluator.

Could you please explain how (or provide any links)?
According to Spring's doc it's final, so I've got an appropriate error (can't be overridden)
I'm trying to add it like this: protected final MethodSecurityExpressionHandler getExpressionHandler()

Surprisingly my permissionEvaluater started to work when I fully commented methodSecurityExpressionHandler. Now I'm even more confused...

George Smithss wrote:I've checked wheter the auto-wired permissionEvaluator is null and its surprisingly null.
But why?

Because @Configuration components are initialized before other components, so your CustomMethodSecurityConfig class is initialized by Spring before your CustomPermissionEvaluator is created.

Could you please explain how (or provide any links)?
According to Spring's doc it's final

Sorry, this is my bad. I read the docs but I missed this modifier.

Surprisingly my permissionEvaluater started to work when I fully commented methodSecurityExpressionHandler. Now I'm even more confused...

The handler you injected via that factory method didn't work because you initialized it with a null permissionEvaluator. Removing the factory method caused Spring to use its own MethodSecurityExpressionHandler, and it's possible that the default handler picked up on your CustomPermissionEvaluator automatically.

This one worked:
@Override
   protected MethodSecurityExpressionHandler createExpressionHandler() {