@Secured ignored with @RequestMapping

[liquidcool]

When I add @Secured to a method with @RequestMapping in a @Controller, it is ignored. I'm using Spring Security 3.0.2. Here is my configuration (the relevant parts, at least):

appContext-security.xml:

Code:

    <http> 
        <form-login  login-page="/login.jsp" authentication-failure-url="/login.jsp?login_error=1" />
        <intercept-url pattern="/login.jsp" access="IS_AUTHENTICATED_ANONYMOUSLY" requires-channel="https" />
        <intercept-url pattern="/remoting**" access="ROLE_USER" />
 		<intercept-url pattern="/members/**" access="ROLE_USER" />
        <remember-me />
        <custom-filter before="FORM_LOGIN_FILTER" ref="facebookAuthenticationFilter" />
    </http>
    
    <global-method-security secured-annotations="enabled" jsr250-annotations="enabled" />

springMVC-servlet.xml:

Code:

	<context:component-scan base-package="com.example.web"/>

PasswordController.java:

Code:

@Controller
@RequestMapping("/password")
public class PasswordController {

    @Autowired
    AccountService accountService;
    
    @Secured("ROLE_USER")
    @RequestMapping(value = "/change", method = RequestMethod.GET)
    public String getChangeForm() {
        return "changePassword";
    }

What I have tried so far:

• Copied (and moved) <global-method-security> to servlet XML, as suggested in the other thread on this topic.
• Added proxy-target-class="true" to the aforementioned tag (even though the controller doesn't implement an interface, thought I'd give it a shot).
• Ensured that @Secured does work in a service class.

Any ideas? I assume I'm doing something wrong, but could this be a known bug? Thanks in advance.

[Luke Taylor]

Check this FAQ.

[liquidcool]

Thanks Luke, it turns out it was Firefox not clearing the cache or doing a full refresh when requested. (Firefox has been pretty flaky for me lately and I often have to restart it to clear the cache.) I loaded it in IE8 and it showed up immediately. Thanks again for a great product!