PreAuthorize and custom AuthenticationFilter with Spring boot

Spring Security has always been tedious to configure, and the only foolproof ways are:

  • either be an expert on it and be prepared to look in the sources, and then you can do hard things by hand
  • or use as much as possible of what is provided by the framework, using examples from the documentation whenever possible

For the configuration of an X509AuthenticationFilter, the HttpSecurity javadoc gives the method x509 with the following example (adapted to your config; see the javadoc for the original one):

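import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.servlet.configuration.EnableWebMvcSecurity;

@Configuration
@EnableWebMvcSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests().anyRequest().permitAll()
            // and() returns to HttpSecurity so that x509() can be chained
            .and()
            // Example x509() configuration
            .x509();
    }
}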

with the following indication: the method returns the X509Configurer for further customizations.

Unless you have a good reason to do differently (and if it is the case please say it) I strongly advise you to stick to that method.

But it is really a bad idea to use pre/post annotations on a controller for what could be done directly in the HttpSecurity configuration. It forced you to use proxyTargetClass = true.

Pre and post annotations are normally applied to methods of the service layer, which does not require proxyTargetClass=true since services are normally wired to controllers through interfaces, allowing JDK proxying.
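
The layout described above, as an added example that is not part of the original answer: URL rules sit in the HttpSecurity configuration next to x509(), and @PreAuthorize sits on a service interface so the default JDK proxying is enough. The user alice, the /reports/** path, ReportService and DefaultReportService are hypothetical names, and the classes are assumed to be in a package covered by component scanning.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.servlet.configuration.EnableWebMvcSecurity;
import org.springframework.stereotype.Service;

@Configuration
@EnableWebMvcSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true) // proxyTargetClass stays false
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // Constructed sample user; the name must match the certificate CN.
        // The password is never checked for X.509 logins.
        auth.inMemoryAuthentication()
            .withUser("alice").password("unused").roles("ADMIN");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // URL rules live here instead of @PreAuthorize on controllers
                .antMatchers("/reports/**").hasRole("ADMIN")
                .anyRequest().authenticated()
                .and()
            .x509()
                // Extract the user name from the certificate subject's CN
                .subjectPrincipalRegex("CN=(.*?)(?:,|$)");
    }
}

// Hypothetical service contract: the annotation is on the interface,
// so a JDK dynamic proxy can enforce it.
interface ReportService {
    @PreAuthorize("hasRole('ROLE_ADMIN')")
    String buildReport(String id);
}

@Service
class DefaultReportService implements ReportService {
    @Override
    public String buildReport(String id) {
        return "report " + id;
    }
}
```

Controllers must inject ReportService by its interface type; injecting DefaultReportService directly fails with the JDK proxy.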