@PreAuthorize not being invoked

Dear Team
I am currently trying to implement Spring Security in my sample maven project.I am using Eclipse Indigo with java6.
The requirement is to give a user access to methods based on his permission.
Plan is to implement this using @PreAuthorize hasRole('ROLE_XYZ')
Problem is @PreAuthorize is not being invoked.ie all users are able to access all my methods.

I have set the global-security-method pre-post-annotation as enabled.
Filter is PRE_AUTH_FILTER with custom class.
At first I had put the @PreAuthorize in my controller class but later on move to a service and @Autowired it.
As I debug my code I can see the principal and grantedAuthoroties with correct values.
I read that the hasRole looks for SecurityExpressionRoot value so implemented the expression handler property RootHierarchy.But this class is not being parsed while debugging.

Can anyone please give a checklist of sorts on implementing hasRole?
I did go through the document in site ,its good; but I am not able to identify why the annotations are being ignored and how to set my ROLE.

you probably need CGLIB in your classpath inorder for annotations to work. try including it and see if it works.

I have included CGLIB.But annotations are not being invoked still.

sharing your configuration would aid us to guide you better !

These are the dependencies in my pom.xml

Quote:

---

<!-- Spring 3 dependencies -->
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-core</artifactId>
<version>${spring.version}</version>
</dependency>

<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-web</artifactId>
<version>${spring.version}</version>
</dependency>

<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-webmvc</artifactId>
<version>${spring.version}</version>
</dependency>

<!-- Spring Security -->
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-core</artifactId>
<version>${spring.version}</version>
</dependency>

<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-web</artifactId>
<version>${spring.version}</version>
</dependency>

<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-config</artifactId>
<version>${spring.version}</version>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-taglibs</artifactId>
<version>${spring.version}</version>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-acl</artifactId>
<version>${spring.version}</version>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-expression</artifactId>
<version>3.0.3.RELEASE</version>
</dependency>

<dependency>
<groupId>cglib</groupId>
<artifactId>cglib</artifactId>
<version>2.2.2</version>
</dependency>


<dependency>
<groupId>javax.servlet</groupId>
<artifactId>servlet-api</artifactId>
<version>2.4</version>
</dependency>
</dependencies>

---

this is my spring security.xml located in WEB-INF

Quote:

---

<global-method-security pre-post-annotations="enabled">
<expression-handler ref ="methodSecurityExpressionHandler" />
</global-method-security>

<http auto-config="true" use-expressions="true">
<!-- matches the bean name for HeaderAuthenticationFilter class above -->
<custom-filter position="PRE_AUTH_FILTER" ref="ssoHeaderFilter" />
<intercept-url pattern="/*" access="hasRole('ROLE_USER')"/>
</http>

<authentication-manager alias="authenticationManager">
<authentication-provider ref="preauthAuthProvider" />
</authentication-manager>

---

This is context.xml

Quote:

---

<bean id="ssoHeaderFilter" class="com.poc.common.security.HeaderAuthenticatio nFilter">
<!-- fall back to other authentication providers is OAM SSO is not there -->
<property name="exceptionIfHeaderMissing" value="false" />
<property name="principalRequestHeader" value="OAM_REMOTE_USER"/>
<property name="authenticationManager" ref="authenticationManager" />

<property name="authenticationDetailsSource">
<bean class="com.poc.common.security.HeaderAuthenticatio nDetails">
<property name="userRoles2GrantedAuthoritiesMapper">
<bean class="org.springframework.security.core.authority .mapping.SimpleAttributes2GrantedAuthoritiesMapper ">
<property name="convertAttributeToUpperCase" value="true" />
</bean>
</property>

</bean>
</property>
</bean>
<bean id="preauthAuthProvider" class="org.springframework.security.web.authentica tion.preauth.PreAuthenticatedAuthenticationProvide r">
<property name="preAuthenticatedUserDetailsService" ref="preAuthenticatedUserDetailsService" />
</bean>
<bean id = "methodSecurityExpressionHandler" class ="org.springframework.security.access.expression.m ethod.DefaultMethodSecurityExpressionHandler">
<property name ="roleHierarchy">
<bean class="com.poc.common.security.MethodExpressionHan dler"/>
</property>
<property name="permissionEvaluator" >
<bean class="com.poc.common.security.CustomPermission"></bean>
</property>
</bean>
<!-- magically map the user header to a valid user object -->
<bean id="preAuthenticatedUserDetailsService" class="org.springframework.security.web.authentica tion.preauth.PreAuthenticatedGrantedAuthoritiesUse rDetailsService" />
<bean id="securityContextHolderAwareRequestFilter" class="org.springframework.security.web.servletapi .SecurityContextHolderAwareRequestFilter" />

---

Both above two xml's have been specified in web.xml