Currently Spring Security does not allow binding parameters on Spring Data Repositories. Right now there are two problems:
- LocalVariableTableParameterNameDiscoverer cannot locate the variable name because the interface does not contain debug information about the variable name (interfaces cannot contain debug info)
- AopProxyUtils.ultimateTargetClass(targetObject) resolves the target class to be SimpleJpaRepository which does not have a method with the correct signature (it is a generic method)
One option to resolve this is to rely on the parameter names defined by SimpleJpaRepository and update the logic of MethodSecurityEvaluationContext so that it can resolve the variable name from there.
Another option is to use an annotation on the interface to explicitly define the parameter name. We could use @Param from Spring Data or use our own generic annotation.