I use Spring 2.5.4, Spring Security 2.0.3 and Hibernate 3.2.5.
I have the following Domain Object Structure:
AbstractDomainObject (abstract class implementing interface IDomainObject)
- SpecificDomainObjectA (class extending abstract class, implementing specific interface ISpecificDomainObjectA)
- SpecificDomainObjectB (class extending abstract class, implementing specific interface ISpecificDomainObjectB)
The domain objects are created via hibernate (using DAOs).
I use domain object security to secure my domain objects (http://static.springframework.org/sp...main-acls.html).
Now, I want to do the following...
The AbstractDomainObject has a convenience method:
Code:
@Secured({"ROLE_MANAGER","ACL_DOMAINOBJECT_DELETE"})
boolean isDeletable() {
    return true;
}
... which intends that the domain object itself knows whether it is deletable or not.
I wrote a test case that sets up a user with insufficient authorities in the security context and expects an AccessDeniedException.
The method always returns true and the exception is never thrown.
I assume that the @Secured annotation is not interpreted by Spring.
I did not find any example where ACLs are used with the @Secured annotation.
Is it possible to use @Secured annotations for beans not created in the application context / created by Hibernate?
Another solution would be to implement that "isDeletable" question in a service which is created by Spring's BeanFactory. There the annotation should work, or not?
Thanks for an answer. Ideas are very welcome!
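
Added example, not part of the original post and not Spring's own code: Spring Security's default method security is proxy-based, so an annotation is only enforced when the call passes through a proxy the container created. The sketch below reproduces that mechanism with a plain JDK dynamic proxy; the `Secured` annotation, `secure()` helper and `currentAuthorities` set are hypothetical stand-ins for the Spring types, and `SecurityException` stands in for `AccessDeniedException`.

```java
import java.lang.annotation.*;
import java.lang.reflect.*;
import java.util.*;

public class ProxyEnforcementDemo {
    // Hypothetical stand-in for Spring Security's @Secured (simplified: any listed authority grants access).
    @Retention(RetentionPolicy.RUNTIME) @Target(ElementType.METHOD)
    @interface Secured { String[] value(); }

    interface IDomainObject { boolean isDeletable(); }

    static class SpecificDomainObjectA implements IDomainObject {
        @Secured({"ROLE_MANAGER", "ACL_DOMAINOBJECT_DELETE"})
        public boolean isDeletable() { return true; }
    }

    // Constructed stand-in for the authorities held in the security context.
    static Set<String> currentAuthorities = new HashSet<>();

    // What a container does for beans it manages: wrap the target in a proxy
    // that reads the annotation and checks authorities before delegating.
    static IDomainObject secure(IDomainObject target) {
        InvocationHandler handler = (proxy, method, args) -> {
            Method impl = target.getClass().getMethod(method.getName(), method.getParameterTypes());
            Secured secured = impl.getAnnotation(Secured.class);
            if (secured != null
                    && Collections.disjoint(Arrays.asList(secured.value()), currentAuthorities)) {
                throw new SecurityException("Access is denied: " + method.getName());
            }
            try { return method.invoke(target, args); }
            catch (InvocationTargetException e) { throw e.getCause(); }
        };
        return (IDomainObject) Proxy.newProxyInstance(
                IDomainObject.class.getClassLoader(), new Class<?>[] { IDomainObject.class }, handler);
    }

    public static void main(String[] args) {
        currentAuthorities.add("ROLE_USER");              // insufficient authorities
        IDomainObject raw = new SpecificDomainObjectA();  // instantiated outside the container, as Hibernate does
        System.out.println("unproxied: " + raw.isDeletable()); // nothing intercepts the call, annotation is inert
        try {
            secure(raw).isDeletable();                    // same object, called through the proxy
        } catch (SecurityException e) {
            System.out.println("proxied: " + e.getMessage());
        }
    }
}
```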


