WebSecurityConfiguration should autowire PermissionEvaluator the same way GlobalMethodSecurityConfiguration does

[candrews]

GlobalMethodSecurityConfiguration autowires PermissionEvaluator from the context:
https://github.com/spring-projects/spring-security/blob/4.1.3.RELEASE/config/src/main/java/org/springframework/security/config/annotation/method/configuration/GlobalMethodSecurityConfiguration.java#L154

WebSecurityConfiguration should do the same thing.

Currently, it's surprising that when a PermissionEvaluator is set up, it just works (with no configuration other than declaring the PermissionEvaluator bean) when used from Java annotations but the same expression always returns denied (as that's what the default configuration does) when used from in a web context (such as in a JSP sec: expression).

[rwinch]

Thanks for creating the issue! Would you be interested in submitting a PR?

[candrews]

@rwinch PR submitted. Thanks in advance for working with me on this issue.

[candrews]

I've updated the PR to include testing.

Note that I've followed the style/approach of #4020

[rwinch]

@candrews Thanks!