
RoleHierarchy not automatically injected into overwritten MethodSecurityExpressionHandler bean #16307

Closed as not planned
@plumarr

Description

If you manually define both a RoleHierarchy bean and a MethodSecurityExpressionHandler bean, the RoleHierarchy isn't injected into the MethodSecurityExpressionHandler bean. As a result, the role hierarchy isn't applied when calling hasRole() while securing a method with @PreAuthorize.

To Reproduce

  1. Define a RoleHierarchy bean.
  2. Manually define the bean for the MethodSecurityExpressionHandler, for example by inheriting from DefaultMethodSecurityExpressionHandler.

Expected behavior
The RoleHierarchy bean is injected into the manually defined MethodSecurityExpressionHandler and can be used with @PreAuthorize and hasRole().

Current behavior
When you launch the application the following happens in order:

  1. PrePostMethodSecurityConfiguration initializes expressionHandler with a manually created DefaultMethodSecurityExpressionHandler.
  2. The RoleHierarchy bean is injected into PrePostMethodSecurityConfiguration and expressionHandler.setRoleHierarchy is called.
  3. The manually defined MethodSecurityExpressionHandler bean is injected into PrePostMethodSecurityConfiguration and the configuration is adapted, but the method setRoleHierarchy isn't called on the new bean.
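The two-bean setup from the reproduction steps, written out as an added example (this is editor-written code, not code from the report or from Spring Security itself). It wires the RoleHierarchy into the custom handler by hand, which is the step the report expects the framework to perform: leave out the `handler.setRoleHierarchy(roleHierarchy)` line and a principal holding only `ROLE_ADMIN` is rejected by `hasRole('USER')`. The `ROLE_ADMIN > ROLE_USER` hierarchy, the `ReportService` class and the `AuditingMethodSecurityExpressionHandler` subclass are assumptions made for illustration; the test uses `@WithMockUser` from spring-security-test.

```java
import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler;
import org.springframework.security.access.expression.method.MethodSecurityExpressionHandler;
import org.springframework.security.access.hierarchicalroles.RoleHierarchy;
import org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.test.context.support.WithMockUser;
import org.springframework.test.context.junit.jupiter.SpringJUnitConfig;

import static org.junit.jupiter.api.Assertions.assertEquals;
import static org.junit.jupiter.api.Assertions.assertThrows;

@Configuration
@EnableMethodSecurity
class MethodSecurityConfig {

    // Assumed hierarchy for the example: anyone with ROLE_ADMIN also satisfies ROLE_USER.
    @Bean
    RoleHierarchy roleHierarchy() {
        return RoleHierarchyImpl.fromHierarchy("ROLE_ADMIN > ROLE_USER");
    }

    // Hypothetical custom handler standing in for whatever a project subclasses
    // DefaultMethodSecurityExpressionHandler for (logging, custom root object, ...).
    static class AuditingMethodSecurityExpressionHandler extends DefaultMethodSecurityExpressionHandler {
    }

    // Declared static so the handler can be created before the rest of the context,
    // as the Spring Security reference recommends for this bean.
    @Bean
    static MethodSecurityExpressionHandler methodSecurityExpressionHandler(RoleHierarchy roleHierarchy) {
        AuditingMethodSecurityExpressionHandler handler = new AuditingMethodSecurityExpressionHandler();
        // This is the call the report observes PrePostMethodSecurityConfiguration skipping
        // for a user-supplied handler. Without it hasRole('USER') ignores the hierarchy.
        handler.setRoleHierarchy(roleHierarchy);
        return handler;
    }

    @Bean
    ReportService reportService() {
        return new ReportService();
    }
}

// Assumed service whose method is protected by hasRole(); "USER" is expanded to ROLE_USER.
class ReportService {
    @PreAuthorize("hasRole('USER')")
    public String report() {
        return "report";
    }
}

@SpringJUnitConfig(MethodSecurityConfig.class)
class RoleHierarchyMethodSecurityTest {

    @Autowired
    ReportService reportService;

    // Passes only when the hierarchy reaches the custom handler: ROLE_ADMIN implies ROLE_USER.
    @Test
    @WithMockUser(roles = "ADMIN")
    void adminSatisfiesUserRoleThroughHierarchy() {
        assertEquals("report", reportService.report());
    }

    // A role outside the hierarchy is still rejected, so the check is not simply disabled.
    @Test
    @WithMockUser(roles = "GUEST")
    void unrelatedRoleIsDenied() {
        assertThrows(AccessDeniedException.class, () -> reportService.report());
    }
}
```

To see the behaviour the report describes, remove the `handler.setRoleHierarchy(roleHierarchy)` line: the first test then fails with `AccessDeniedException`, because the custom handler evaluates `hasRole('USER')` against the raw `ROLE_ADMIN` authority without expanding it.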

Labels: in: config (An issue in spring-security-config)