This repository was archived by the owner on May 31, 2022. It is now read-only.

Method Security Configuration should publish an OAuth2MethodSecurityExpressionHandler bean #336

@jzheaux


OAuth2MethodSecurityConfiguration configures applications with an OAuth2MethodSecurityExpressionHandler by replacing GlobalMethodSecurityConfiguration's instance of DefaultMethodSecurityExpressionHandler.

This causes an application's declared DefaultMethodSecurityExpressionHandler bean to be overridden by the auto-configuration, which is not ideal.

Also, for this to work, it relies on a specific startup order for GlobalMethodSecurityConfiguration and when its object post-processor and setters are called. This ordering was recently adjusted in Security 5.6 M1, causing this configuration mechanism to break.

A more reliable mechanism is Boot's @ConditionalOnMissingBean annotation, which will provide an OAuth2MethodSecurityExpressionHandler if an instance of MethodSecurityExpressionHandler is not already published. This will cause GlobalMethodSecurityConfiguration to pick up the OAuth2MethodSecurityExpressionHandler by the same means as its other components.
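
The arrangement proposed above, sketched as an added example (not code from this issue or from the project). The class names `SketchOAuth2MethodSecurityConfiguration`, `AppMethodSecurityConfig` and `OwnerPermissionEvaluator` are hypothetical, and the evaluator's ownership rule is constructed for illustration.

```java
import java.io.Serializable;

import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler;
import org.springframework.security.access.expression.method.MethodSecurityExpressionHandler;
import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.provider.expression.OAuth2MethodSecurityExpressionHandler;

// Auto-configuration side (hypothetical class name). The handler is published as an
// ordinary bean and backs off when the application already declares one. The condition
// is evaluated against beans defined so far, so it belongs in an auto-configuration
// class, which Boot processes after the application's own @Configuration classes.
@Configuration
class SketchOAuth2MethodSecurityConfiguration {

    @Bean
    @ConditionalOnMissingBean(MethodSecurityExpressionHandler.class)
    MethodSecurityExpressionHandler oauth2MethodSecurityExpressionHandler() {
        return new OAuth2MethodSecurityExpressionHandler();
    }
}

// Application side (hypothetical). Because this bean exists, the conditional bean above
// is skipped, and the custom PermissionEvaluator stays in effect for @PreAuthorize.
@Configuration
class AppMethodSecurityConfig {

    @Bean
    MethodSecurityExpressionHandler methodSecurityExpressionHandler() {
        DefaultMethodSecurityExpressionHandler handler = new DefaultMethodSecurityExpressionHandler();
        handler.setPermissionEvaluator(new OwnerPermissionEvaluator());
        return handler;
    }
}

// Constructed rule: permission is granted only when the target is the caller's own name.
class OwnerPermissionEvaluator implements PermissionEvaluator {

    @Override
    public boolean hasPermission(Authentication auth, Object target, Object permission) {
        return auth != null && target != null && auth.getName().equals(target.toString());
    }

    @Override
    public boolean hasPermission(Authentication auth, Serializable id, String type, Object permission) {
        return false; // deny lookups by id in this sketch
    }
}
```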
