Spring – @Secured does not work in controller, but intercept-url seems to be working fine


It doesn't look like @Secured on methods in my @Controller is being read. When security filtering based on sec:intercept-url is being used, this seems to be working just fine. The following code results in Spring Security giving me this log entry:

DEBUG: org.springframework.security.web.access.intercept.FilterSecurityInterceptor – Public object – authentication not attempted




<!-- Creates the Spring Container shared by all Servlets and Filters -->

<!-- Processes application requests -->

<!-- Filter security -->

servlet-context.xml holds the configuration of the viewResolvers and all the marshalling. This configuration is annotation-driven.


    <sec:global-method-security secured-annotations="enabled" />

<sec:http auto-config="true">

<!-- Declare an authentication-manager to use a custom userDetailsService -->
        <sec:password-encoder ref="passwordEncoder" />

    id="passwordEncoder" />
<sec:user-service id="userDetailsService">
    <sec:user name="john" password="john" authorities="ROLE_USER, ROLE_ADMIN" />
    <sec:user name="jane" password="jane" authorities="ROLE_USER" />


public class PingController {

    @RequestMapping(value = "/ping", method = RequestMethod.GET)
    public void ping() {
    }
}


This doesn't seem to have any relation to which authentication method I'm using, so the basic-http-tag can be overlooked.

I have this idea that the @Secured doesn't work because of it being used in another context than the root-context.xml in which the security is being configured. I've tried to move this configuration to the servlet-context.xml, but it doesn't seem to reach the springSecurityFilterChain. Any thoughts on the problem and my theory?

Best Answer

You are right, <global-method-security> is applied on a per-context basis. However, you don't need to move the whole security configuration to servlet-context.xml, just add a <global-method-security> element to it.
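The per-context behaviour described in the answer can be checked mechanically. The following is an added example, not code from the question or the answer: it flags any context file that registers annotated beans but does not itself enable `secured-annotations`. It assumes controllers are picked up by a `<context:component-scan>` in servlet-context.xml; the sample XML and the package name `com.example.web` are constructed.

```python
import xml.etree.ElementTree as ET

BEANS = "http://www.springframework.org/schema/beans"
SEC = "http://www.springframework.org/schema/security"
CTX = "http://www.springframework.org/schema/context"

# Constructed sample: root context as in the question (security is configured here).
ROOT_CONTEXT = f"""<beans xmlns="{BEANS}" xmlns:sec="{SEC}">
  <sec:global-method-security secured-annotations="enabled" />
  <sec:http auto-config="true" />
</beans>"""

def servlet_context(with_method_security):
    """Constructed servlet-context.xml, with or without the element the answer adds."""
    fix = '<sec:global-method-security secured-annotations="enabled" />'
    extra = fix if with_method_security else ""
    return f"""<beans xmlns="{BEANS}" xmlns:sec="{SEC}" xmlns:context="{CTX}">
  <context:component-scan base-package="com.example.web" />
  {extra}
</beans>"""

def scans_components(xml_text):
    """True if this context registers annotated beans (assumed: via component-scan)."""
    root = ET.fromstring(xml_text)
    return next(root.iter(f"{{{CTX}}}component-scan"), None) is not None

def enables_secured(xml_text):
    """True if this context itself turns on @Secured processing."""
    root = ET.fromstring(xml_text)
    return any(el.get("secured-annotations") == "enabled"
               for el in root.iter(f"{{{SEC}}}global-method-security"))

def audit(contexts):
    """Names of contexts whose beans would carry @Secured without enforcement."""
    return [name for name, xml_text in contexts.items()
            if scans_components(xml_text) and not enables_secured(xml_text)]

if __name__ == "__main__":
    for fixed in (False, True):
        configs = {"root-context.xml": ROOT_CONTEXT,
                   "servlet-context.xml": servlet_context(fixed)}
        label = "with the answer's fix" if fixed else "as in the question"
        print(label, "->", audit(configs))
```

A context flagged here is one where `@Secured` on a controller method is silently ignored, so URL rules in `<sec:http>` are the only access control actually applied to it.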
