...but it is working in my service layer. It has to be something with my configuration but I can't seem to figure it out. Another set of eyes might help:

security config:
Code:
	<global-method-security secured-annotations="enabled" />

	<http use-expressions="true" access-denied-page="/accessDenied.jsp">
		<intercept-url pattern="/accessDenied.jsp" filters="none" />
		<intercept-url pattern="/login.jsp" filters="none" />
		<intercept-url pattern="/resources/**" filters="none" />
		<intercept-url pattern="/**" access="hasRole('ROLE_USER')" />
		<form-login login-page="/login.jsp" authentication-failure-url="/login.jsp?error=1" />
		<logout logout-success-url="/login.jsp?logout=1"/>
	</http>
...
The intercept url for /** may be the (or one of the) problem(s) but even when I remove it I still am able to get to the controller on a method I secured with an annotation:

Code:
	@Secured ("ROLE_ADMIN")
	@RequestMapping(value="/DeleteRoot", method=RequestMethod.GET)
	public ModelAndView deleteRoot(@RequestParam(value="rootToDelete") long rootId) 
	{
		Node rootNode = nodeService.getNode(rootId);
		if (!rootNode.isPublished())
		{
			nodeService.deleteRoot(rootId);
		}
		return home();
	}
Just out of curiousity I added the annotation to my service and it worked (meaning I got a 403 Access is denied error as I would have expected):
Code:
	@Secured ("ROLE_ADMIN")
	public void deleteRoot(long rootId)
	{
		nodeDAO.deleteNode(rootId);
	}
So my question is how come it works in my service but not in the controller. What am I missing? Thanks to anyone who can provide some direction. I am using spring security 3.0.5, spring 3.0.5.