- securing URLs using
authorizeRequests()in XML/Java config (also called web security or URL security)
- securing individual method invocations using
- securing domain objects using ACL
The second works (with a default configuration) for service layer components, but not for controllers. This is because you usually add Spring Security in root application context and, since controllers live in web application context, Spring Security cannot access them. Still, very often developers try to apply global method security to controller methods. Spring Security FAQ has even an answer to such question. Usually the solution is to move
<global-method-security>to web application context.
I think that many of those developers actually don't need global method security on controller methods. For example see these four threads: , ,  and  - they all require a simple "hasRole(XXX)" check. So I think that what they really need is to configure some authorization mechanism using annotations directly on controller methods (because it is more convenient than configuring it using URL patterns). It doesn't matter, if it's web security or global method security. However, they choose global method security, because it supports annotations.
In this post I would like to show an alternative approach - something that is between web security and global method security. It will use web security expressions, but will be configured by annotations applied to controller methods. Let's see how this can be implemented.