I have a project in which I'm using Spring MVC and Spring Security and I have an issue that is getting me crazy. I have a controller which I have annotated with @Controller and a method inside annotated with @RequestMapping to map it to an URL. The problem comes when I try to establish the access to this method based on roles with the @PreAuthorize annotation.
I have this in my context file *-servlet.xml:
and I can see in the logs that the code is injected:
<sec:global-method-security pre-post-annotations="enabled" />
However, I debugged the application and I could see that the UserServiceImpl instance that is used by the Controller is different from the instance that is injected by Spring Security. That's why the controller is accessed without restrictions and the PreAuthorize annotation seems to be not working.
218481 DEBUG PrePostAnnotationSecurityMetadataSource - @org.springframework.security.access.prepost.PreAuthorize(value=hasRole('ROLE_ADMINISTRATION')) found on specific method: public java.util.List com.example.services.UserServiceImpl.findAll()
Any idea? Am I doing anything wrong?