I've just converted a Spring 2.5 web application to version 3.06, intending to use the @PreAuthorize and @PostAuthorize SpEL annotations to protect my repository layer.

I added the `<global-method-security>` element to both my root application context and my servlet context, but for some reason it is simply ignored: when I call a method with a role that should be rejected, the call goes through unchecked. Any help would be appreciated.

Here are my configuration files:

Fragment of web.xml
------------------------

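<?xml version="1.0" encoding="ISO-8859-1"?>
<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="
        http://java.sun.com/xml/ns/j2ee
        http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
    version="2.4">

    <!-- Beans in these files make up the configuration of the root web application context.
         security-config.xml is loaded here, so the <global-method-security> it declares
         applies to beans of this root context (presumably the repositories declared in
         repository-config.xml), not to beans of the DispatcherServlet context below. -->
    <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>
            classpath:/security-config.xml,
            classpath:/repository-config.xml,
            classpath:/webapp-config.xml,
        </param-value>
    </context-param>

    <!-- Bootstraps the root web application context before servlet initialization -->
    <listener>
        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    </listener>

    <!-- Deploys the 'user' dispatcher servlet whose configuration resides in /WEB-INF/user-servlet.xml -->
    <servlet>
        <servlet-name>user</servlet-name>
        <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
        <load-on-startup>1</load-on-startup>
    </servlet>

    <!-- Maps all /user URLs to the 'user servlet' -->
    <servlet-mapping>
        <servlet-name>user</servlet-name>
        <url-pattern>/user/*</url-pattern>
    </servlet-mapping>

    <!-- Delegates to the root-context bean named 'springSecurityFilterChain' that the <http>
         element in security-config.xml registers. The filter name must match that bean name. -->
    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>

    <!-- Mapped to /* so every request, including /user/*, passes through the security filter chain. -->
    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

    <welcome-file-list>
        <welcome-file>forward.jsp</welcome-file>
    </welcome-file-list>
</web-app>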



security-config.xml
---------------------

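<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns="http://www.springframework.org/schema/security"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security-3.0.3.xsd">

    <!-- Enables @PreAuthorize/@PostAuthorize on beans defined in THIS application context
         (the root context, per web.xml). Method security is applied per context: a bean
         only gets the security proxy from the <global-method-security> element declared in
         the context that creates that bean. -->
    <global-method-security pre-post-annotations="enabled"/>

    <http auto-config="true"
        use-expressions="true"
        access-denied-page="/user/accessDenied.html">

        <!-- Rules are evaluated in order and the first matching pattern wins, so the
             permitAll entries must stay above the catch-all /user/** rule. -->
        <intercept-url pattern="/user/accessDenied.html" access="permitAll" />
        <!-- NOTE(review): the double slash in this pattern looks accidental; confirm whether
             "/user/*Error.html" was intended before relying on it. -->
        <intercept-url pattern="/user//*Error.html" access="permitAll" />
        <intercept-url pattern="/user/welcome.html" access="permitAll" />
        <intercept-url pattern="/user/findUser.html*" access="hasRole('ROLE_SUPPORT') and fullyAuthenticated" />
        <intercept-url pattern="/user/supportUser.html*" access="hasRole('ROLE_SUPPORT') and fullyAuthenticated " />
        <!-- Catch-all for everything else under /user: requires ROLE_USER and a full (non-remember-me) login. -->
        <intercept-url pattern="/user/**" access="hasRole('ROLE_USER') and fullyAuthenticated" />

        <form-login login-page="/user/welcome.html"
            authentication-failure-url="/user/welcome.html?error=Failed Authentication"
            default-target-url="/user/login.html"/>

        <!-- Session is invalidated on logout; 'logoutSuccessHandler' is not part of this listing. -->
        <logout invalidate-session="true"
            logout-url="/logout.html"
            success-handler-ref="logoutSuccessHandler"/>
    </http>

    <!-- NOTE(review): the quoted fragment ends here; the <authentication-manager> and the
         closing </beans:beans> are not shown. -->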




user-servlet.xml
------------------

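<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:security="http://www.springframework.org/schema/security"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security-3.0.3.xsd">

    <!-- This declaration only reaches beans created in this servlet context (the controllers
         below). It does not secure beans of the root context; the repositories are presumably
         declared there (repository-config.xml in web.xml) and are covered by the
         <global-method-security> element in security-config.xml instead. -->
    <security:global-method-security pre-post-annotations="enabled" secured-annotations="enabled" jsr250-annotations="enabled"/>

    <!-- Configuration for the user dispatcher servlet -->

    <!-- Configure a message source to retrieve messages from -->
    <bean id="messageSource" class="org.springframework.context.support.ReloadableResourceBundleMessageSource">
        <property name="basename" value="/WEB-INF/messages/validation" />
    </bean>

    <!-- Handles welcome requests -->
    <bean id="welcomeController" class="com.gatorsktch.tminup.web.controller.WelcomeController">
        <!-- <constructor-arg ref="userRepository" />
        <constructor-arg ref="messageSource" /> -->
    </bean>

    <!-- Handles login validation requests -->
    <bean id="loginController" class="com.gatorsktch.tminup.web.controller.LoginController">
        <!-- <constructor-arg ref="userRepository" />
        <constructor-arg ref="messageSource" /> -->
    </bean>

    <!-- Handles register requests -->
    <bean id="registerController" class="com.gatorsktch.tminup.web.controller.RegisterController">
        <constructor-arg ref="userRepository" />
        <constructor-arg ref="registrationMailSender" />
    </bean>

    <!-- Handles requestPassword requests -->
    <bean id="requestPasswordController" class="com.gatorsktch.tminup.web.controller.RequestPasswordController">
        <constructor-arg ref="userRepository" />
        <constructor-arg ref="requestedPasswordMailSender" />
    </bean>


    <!-- Handles /*Error requests -->
    <bean id="exceptionController" class="com.gatorsktch.tminup.web.controller.ExceptionController">
    </bean>

    <!-- Maps exception types to error views. NOTE(review): a denied @PreAuthorize check raises
         org.springframework.security.access.AccessDeniedException; the last mapping below only
         catches it if com.gatorsktch.tminup.web.security.AccessDeniedException extends it or
         the repository translates one into the other - confirm. Otherwise the <http>
         access-denied-page handles it for web requests. -->
    <bean id="exceptionResolver" class="org.springframework.web.servlet.handler.SimpleMappingExceptionResolver">
        <property name="defaultErrorView" value="defaultError"/>
        <property name="exceptionMappings">
            <value>
                org.apache.commons.fileupload.FileUploadBase$SizeLimitExceededException=fileSizeLimitError
                org.springframework.web.multipart.MaxUploadSizeExceededException=fileSizeLimitError
                java.lang.NullPointerException=nullPointerError
                javax.servlet.ServletException=servletError
                com.gatorsktch.tminup.web.security.AccessDeniedException=accessDeniedError
            </value>
        </property>
    </bean>

    <bean id="templateViewResolver" class="org.springframework.web.servlet.view.ResourceBundleViewResolver">
        <property name="basename" value="views"/>
    </bean>

    <!-- Configure Apache Tiles for the view -->
    <bean id="tilesConfigurer" class="org.springframework.web.servlet.view.tiles2.TilesConfigurer">
        <property name="definitions">
            <list>
                <value>/WEB-INF/layouts/layouts.xml</value>
                <value>/WEB-INF/views/views.xml</value>
            </list>
        </property>
    </bean>

    <bean id="viewResolver" class="org.springframework.web.servlet.view.UrlBasedViewResolver">
        <property name="requestContextAttribute" value="requestContext"/>
        <property name="viewClass" value="org.springframework.web.servlet.view.tiles2.TilesView"/>
    </bean>

</beans>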


Fragment of the User Repository Implementation
-------------------------------------------------------

package com.gatorsktch.tminup.internal.repository.impl;

import java.util.Objects;

import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.stereotype.Repository;
import org.springframework.transaction.annotation.Transactional;


/**
* Repository used to manage all user related requests.
* (User, UserProfile, Security &amp; GroupAllocation)
*
* @author djwright
*
*/
@Repository
public class HibernateUserRepository extends HibernateRepository implements UserRepository
{
/**
 * Constructs a user repository backed by Hibernate.
 *
 * @param sessionFactory factory from which this repository obtains its Hibernate
 *                       sessions; handed straight to the {@link HibernateRepository}
 *                       base class, which owns all session handling
 */
public HibernateUserRepository( SessionFactory sessionFactory )
{
    // Nothing to initialise locally; the base class keeps the factory.
    super( sessionFactory );
}

...

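/**
 * Persists the supplied user, first allocating an owner group (when the user has
 * none) and a blank {@link Credentials} record for it.
 *
 * <p>The {@code @PreAuthorize} check is enforced by the Spring proxy that
 * {@code <global-method-security pre-post-annotations="enabled"/>} creates for
 * this bean, so it only runs for calls that arrive through that proxy. Calls made
 * from inside this class (such as the {@code save( credentials )} call below) do
 * not pass through the proxy.
 *
 * @param user user whose data is to be saved; its owner id and credentials id are
 *             updated in place
 * @return id assigned to the saved user by Hibernate
 * @throws NullPointerException if {@code user} is {@code null} or its owner id is
 *                              {@code null}
 * @throws org.springframework.security.access.AccessDeniedException if the caller
 *         does not hold {@code ROLE_SUPPORT} (raised by the security proxy)
 */
@PreAuthorize("hasRole('ROLE_SUPPORT')")
@Transactional
public Long save( User user )
{
    // Fail fast with a clear message instead of an NPE deep inside the method.
    Objects.requireNonNull( user, "user" );

    Session session = getCurrentSession();

    // An owner id of 0 means the user does not belong to a group yet, so a fresh
    // owner group is allocated. NOTE(review): a non-zero owner id supplied by the
    // caller is used as-is; whether the caller may attach users to that group is
    // not checked here - confirm that upstream code does.
    Long ownerId = user.getOwnerId();
    if ( ownerId.longValue() == 0 )
    {
        ownerId = allocateNewOwnerGroupId( session );
        user.setOwnerId( ownerId );
    }

    // Every user gets an empty, un-owned Credentials row. It is saved first so its
    // generated id can be stored on the user before the user row is written.
    // NOTE(review): this is a direct self-invocation, not a call through the Spring
    // proxy; if the save overload it resolves to carries its own @PreAuthorize or
    // @Transactional settings, they are not applied on this path (the call still
    // runs inside this method's transaction).
    Credentials credentials = (Credentials)EntityHelper.createUnOwnedEntity( Credentials.class );
    Long credentialsId = save( credentials );
    user.setCredentialsId( credentialsId );

    Long id = (Long)session.save( user );
    return( id );
}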