@ preauthorize at the type level of Java – spring security cannot be overridden at the method level

I try to protect the controller with a type level @ preauthorize annotation and try to override this behavior by using different @ preauthorize annotation methods However, the problem is that spring first evaluates method annotations (grant access) and then class annotations (access denied)

Is there any way to reverse this order? I haven't figured it out yet

Edit:

At the method level, I only want to grant access to unregistered users:

@PreAuthorize("isAnonymous()")
@RequestMapping(value = "/create",method = RequestMethod.GET)
public String renderCreateEntity(ModelMap model) {
    return userService.renderCreateEntity(model);
}@H_502_9@ 
 
但是,该控制器的标准应该是允许完全认证的用户：
 
  
 
@Controller
@RequestMapping(value = "/user")
@PreAuthorize("isFullyAuthenticated()")
public class UserController { [...] }@H_502_9@ 
 
当调试逐步通过应用程序,我看到isAnonymous()被先评估,然后isFullyAuthenticated(),从而导致访问权限的授予,并立即拒绝访问.

Solution
Thank you for all your replies
I'll put this here in case someone else has the same problem
I registered a custom validator in the @ initbinder annotation method This binding method is called the method call requested on the controller Moreover, the request was rejected because this binding method did not use the @ preauthorize annotation
The solution is annotation binding, as follows:
@InitBinder
@PreAuthorize("permitAll")
public void initBinder(WebDataBinder binder) {
    binder.setValidator(validator);
}@H_502_9@ 
 
然后,该方法从我的OP调用像预期一样.