I am trying to apply @Secured annotations to my controller methods, but it does not seem to be working. Is there something that I am doing wrong? I have my spring security config in a separate file, is there any chance that the "global-method-security" annotation needs to be read before the controller definition is loaded?

I have enabled global method security:
Code:
<security:global-method-security secured-annotations="enabled" jsr250-annotations="enabled"/>
I have a web controller method
Code:
public class CreateUserController extends AbstractMultiActionController implements ICreateUserController {
  @Secured(MyPermissions.USER_ADD)
  public ModelAndView fetch(HttpServletRequest request, HttpServletResponse response) throws Exception {
...
  }
}
I even created a security annotated interface in case that was somehow required:
Code:
public interface ICreateUserController {
	@Secured(MyPermissions.USER_ADD)
	public ModelAndView fetch(HttpServletRequest request, HttpServletResponse response) throws Exception;

	@Secured(MyPermissions.USER_ADD)
	public ModelAndView create(HttpServletRequest request, HttpServletResponse response) throws Exception;
}