Add MethodSecurityConfig to enable method-level security for non-dev profiles

emmanuelknafo · emmanuelknafo · commit 89877935cf59 · 2026-04-21T21:23:58.000-04:00
diff --git a/sample-app/api/src/main/java/com/example/evidence/config/MethodSecurityConfig.java b/sample-app/api/src/main/java/com/example/evidence/config/MethodSecurityConfig.java
@@ -0,0 +1,15 @@
+package com.example.evidence.config;
+
+import org.springframework.context.annotation.Configuration;
+import org.springframework.context.annotation.Profile;
+import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
+
+/**
+ * Enables @PreAuthorize method-level security only for non-dev profiles.
+ * In dev profile, all endpoints are open for exploration before Entra ID setup.
+ */
+@Configuration
+@Profile("!dev")
+@EnableMethodSecurity
+public class MethodSecurityConfig {
+}
diff --git a/sample-app/api/src/main/java/com/example/evidence/config/SecurityConfig.java b/sample-app/api/src/main/java/com/example/evidence/config/SecurityConfig.java
@@ -21,7 +21,6 @@
 import java.util.stream.Collectors;
 
 @Configuration
-@EnableMethodSecurity
 public class SecurityConfig {
 
     @Value("${app.cors.allowed-origins:http://localhost:4200}")
