Description
This issue effectively reopens #4077.
GlobalMethodSecurityConfiguration autowires PermissionEvaluator from the context:
https://github.com/spring-projects/spring-security/blob/4.1.3.RELEASE/config/src/main/java/org/springframework/security/config/annotation/method/configuration/GlobalMethodSecurityConfiguration.java#L154
WebSecurityConfiguration should do the same thing.
Currently, it's surprising that when a PermissionEvaluator is set up, it just works (with no configuration other than declaring the PermissionEvaluator bean) when used from Java annotations, but the same expression always returns denied (as that's what the default configuration does) when used in a web context (such as in a JSP sec: expression).
Using thymeleaf spring security extras, you can conditionally show elements like this:
<div sec:authorize="hasPermission(#vars.study,'DELETE')">
The DefaultWebSecurityExpressionHandler that ends up being used has a type of org.springframework.security.access.expression.DenyAllPermissionEvaluator instead of the permission evaluator.
This behavior worked as expected with the commit accepted from my pull request, 3bf6bf1, but some polish was done that made it no longer work, 8a66d0c.
Thanks again in advance for looking into this issue.
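The following is an added example, not code from the issue author or from the Spring Security project. It shows the explicit wiring that the issue says is currently missing on the web side: a single PermissionEvaluator bean that method security picks up on its own, plus a DefaultWebSecurityExpressionHandler carrying the same evaluator, handed both to WebSecurity (whose handler is what WebSecurityConfiguration exposes as the webSecurityExpressionHandler bean that the JSP taglib and Thymeleaf extras look up) and to the HttpSecurity URL rules. The StudyPermissionEvaluator class, the Study domain object and the "DELETE"/"READ" permission strings are hypothetical, chosen to match the sec:authorize expression quoted above; the bean-lookup behaviour of the view-layer integrations is assumed from the 4.1.x sources rather than stated on this page.

```java
// Added example (not the project's own code): wiring a PermissionEvaluator into
// the web-layer expression handler for Spring Security 4.1.x Java configuration.
// StudyPermissionEvaluator, Study and the "DELETE"/"READ" strings are hypothetical.
import java.io.Serializable;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler;

/** Hypothetical evaluator: only a study's owner may DELETE it; anyone authenticated may READ it. */
class StudyPermissionEvaluator implements PermissionEvaluator {

    /** Hypothetical domain object; the template in the issue refers to it as #vars.study. */
    static class Study {
        final String owner;
        Study(String owner) { this.owner = owner; }
    }

    @Override
    public boolean hasPermission(Authentication auth, Object target, Object permission) {
        // Deny anything not understood, which is what DenyAllPermissionEvaluator does unconditionally.
        if (auth == null || !(target instanceof Study)) {
            return false;
        }
        Study study = (Study) target;
        if ("DELETE".equals(permission)) {
            return study.owner.equals(auth.getName());
        }
        return "READ".equals(permission);
    }

    @Override
    public boolean hasPermission(Authentication auth, Serializable targetId, String targetType, Object permission) {
        // Id-based checks are outside this example; deny them explicitly rather than silently.
        return false;
    }
}

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    private DefaultWebSecurityExpressionHandler webExpressionHandler;

    /** Method security (@PreAuthorize("hasPermission(...)")) picks this bean up with no further wiring. */
    @Bean
    public PermissionEvaluator permissionEvaluator() {
        return new StudyPermissionEvaluator();
    }

    /**
     * One handler instance shared by WebSecurity and HttpSecurity, so every web-side
     * hasPermission() sees the same evaluator instead of the default DenyAllPermissionEvaluator.
     * Kept as a plain field rather than a second SecurityExpressionHandler bean, so the
     * view-layer bean lookup still finds exactly one handler.
     */
    private DefaultWebSecurityExpressionHandler webExpressionHandler() {
        if (webExpressionHandler == null) {
            webExpressionHandler = new DefaultWebSecurityExpressionHandler();
            webExpressionHandler.setPermissionEvaluator(permissionEvaluator());
        }
        return webExpressionHandler;
    }

    @Override
    public void configure(WebSecurity web) throws Exception {
        // The handler held by WebSecurity is what WebSecurityConfiguration publishes as the
        // webSecurityExpressionHandler bean used by <sec:authorize> and Thymeleaf's sec:authorize.
        web.expressionHandler(webExpressionHandler());
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // Same handler for URL-level access() expressions.
                .expressionHandler(webExpressionHandler())
                .anyRequest().authenticated()
                .and()
            .formLogin();
    }
}
```

With this in place, sec:authorize="hasPermission(#vars.study,'DELETE')" is decided by StudyPermissionEvaluator rather than returning false unconditionally. The quick check that the wiring took effect is to render a page as the owning user and as a different user and confirm the element appears only for the owner; if it never appears, the handler the view layer resolved is still the default one with DenyAllPermissionEvaluator.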