Thread: Authorization using Method Security annotations vs securing URLs

  1. #1 (Join Date: Mar 2010; Posts: 2)

    Hi,

    Based on what I've read in forums and documentation, it seems like the preferred approach to handle authorization is to use the more configurable and up-to-date Method Security annotations. Securing URLs using Web Security expressions seems to be described as a "legacy" approach and is harder to customize (when adding custom web security expressions, for example).

    My application uses Spring MVC and a RESTful API, so it seems securing URLs would be a "natural" approach. I can also deny access globally and only grant permission to explicit URLs. This seems to be the prudent thing to do in case a developer on the team forgets to configure authorization on a new URL and exposes it to all users of the application. I don't think I can achieve this using method security annotations - if the developer does not annotate a new method call, I assume the method call is unsecured, correct?

    My question is, given that securing URLs is less intrusive and does not require each method call to be annotated, why is securing method calls preferable to securing URLs?

  2. #2 (Join Date: Jan 2008; Posts: 1,826)

    It is not preferable to do methods instead of URLs. It is preferable to do both in order to achieve defense in depth. This is to ensure that if one layer gets bypassed (i.e. CVE-2010-3700) your application is still secured.
    Last edited by Rob Winch; Aug 20th, 2012 at 09:35 AM.
    Rob Winch - @rob_winch
    Spring Security Lead
    Pivotal
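An added example, not code from this thread or from the Spring Security project, showing both layers the reply recommends in one Spring Security 6 Java configuration. The version, the URL paths, the role names and the AccountService class are all assumed; the URL layer is written deny-by-default, which is the safety net the question asks about.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.stereotype.Service;

@Configuration
@EnableMethodSecurity // layer 2: enables @PreAuthorize / @PostAuthorize (assumed Spring Security 6)
public class DefenseInDepthConfig {

    // Layer 1: URL rules. Matchers are evaluated top to bottom and the first match wins,
    // so anyRequest().denyAll() must come last. A new endpoint nobody listed here is
    // unreachable until someone adds a rule, which is the deny-by-default behaviour the
    // question describes. Paths and roles below are assumed for illustration.
    @Bean
    SecurityFilterChain apiFilterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/api/public/**").permitAll()
                .requestMatchers("/api/accounts/**").hasRole("USER")
                .requestMatchers("/api/admin/**").hasRole("ADMIN")
                .anyRequest().denyAll())
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }
}

// Layer 2: the service makes the same decision independently of how it was reached.
// If the filter chain is bypassed or misconfigured (the CVE case in the reply), or the
// method is called from another bean, the annotation still enforces the role.
// Note the flip side raised in the question: a method with no annotation is not checked.
@Service
class AccountService { // hypothetical service

    @PreAuthorize("hasRole('ADMIN')")
    public void closeAccount(long accountId) {
        // business logic omitted
    }

    // Object-level rule the URL layer cannot express: the SpEL expression reads the
    // method argument by name (requires parameter names, e.g. javac -parameters).
    @PreAuthorize("hasRole('ADMIN') or #ownerName == authentication.name")
    public void viewAccount(String ownerName) {
        // business logic omitted
    }
}
```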
