I am writing a condition in @PreAuthorize() which I want to be checked before execution of the controller method, but the method definition is checked first when the request comes to that controller method. Below is the controller method.
@PreAuthorize("isAuthenticated()")
@RequestMapping(value = "/list", method = RequestMethod.GET)
public ModelAndView report_get(@ModelAttribute(KEY_LOGGED_IN_USER) User whoLoggedIn, @ModelAttribute("reportForm") ReportForm reportForm, HttpServletRequest request) {
    // <method definition>
}
When I make a request to '/list' without logging in, it should throw 'Access denied', but it is giving "Expected session attribute 'who_logged_in'", which means the method definition is checked first, before the condition of @PreAuthorize is checked. Why is that so?