Can Spring Security Use @PreAuthorize On Spring Controllers Methods?
Answer : Yes, it works fine. You need <security:global-method-security pre-post-annotations="enabled" /> in ...-servlet.xml . It also requires CGLIB proxies, so either your controllers shouldn't have interfaces, or you should use proxy-target-class = true . See Spring Security FAQ (emphasis mine). In a Spring web application, the application context which holds the Spring MVC beans for the dispatcher servlet is often separate from the main application context. It is often defined in a file called myapp-servlet.xml, where “myapp” is the name assigned to the Spring DispatcherServlet in web.xml. An application can have multiple DispatcherServlets, each with its own isolated application context. The beans in these “child” contexts are not visible to the rest of the application. The “parent” application context is loaded by the ContextLoaderListener you define in your web.xml and is visible to all the child contexts. This parent context is u...