Spring Security not processing pre/post annotations

I'm trying to get pre/post annotations working with a web application, but for some reason nothing is happening with spring-security.

web.xml:

<context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>
        /WEB-INF/rvaContext-business.xml
        /WEB-INF/rvaContext-security.xml  
    </param-value>
</context-param>

<!-- Spring security filter -->
<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>

<filter-mapping>
  <filter-name>springSecurityFilterChain</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>

<listener>
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>

<servlet>
    <servlet-name>rva</servlet-name>
    <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
    <load-on-startup>1</load-on-startup>
</servlet>

<servlet-mapping>
    <servlet-name>rva</servlet-name>
    <url-pattern>/rva/*</url-pattern>
 </servlet-mapping>

rvaContext-security.xml:

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
  xmlns:beans="http://www.springframework.org/schema/beans"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://www.springframework.org/schema/beans
       http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
       http://www.springframework.org/schema/security
       http://www.springframework.org/schema/security/spring-security-3.0.xsd">

<global-method-security pre-post-annotations="enabled"/>

<http use-expressions="true">
    <form-login login-page="/login" />
    <logout />
    <remember-me />
</http>
...

LoginController class:

@Controller
@RequestMapping("/login")
public class LoginController {

    @RequestMapping(method = RequestMethod.GET)
    public String login(ModelMap map){
        map.addAttribute("title", "Login: AD Credentials");
        return("login");
    }

    @RequestMapping("/secure")
    @PreAuthorize("hasR开发者_StackOverflow社区ole('ROLE_USER')")
    public String secure(ModelMap map){
        return("secure");
    }
}

To enable secuity annotations on the controllers you should declare <security:global-method-security .../> in the context where controllers are declared, that is in rva-servlet.xml.

Indeed, you need to redefine in the config file which is also used for your controllers. In Spring Roo this is webmvc-config.xml. When configuring security with Roo, the config file applicationContext-security.xml is initially configured to enable those annotations. This was a little confusing...

See Spring Security FAQ (emphasis mine).

In a Spring web application, the application context which holds the Spring MVC beans for the dispatcher servlet is often separate from the main application context. It is often defined in a file called myapp-servlet.xml, where “myapp” is the name assigned to the Spring DispatcherServlet in web.xml. An application can have multiple DispatcherServlets, each with its own isolated application context. The beans in these “child” contexts are not visible to the rest of the application. The “parent” application context is loaded by the ContextLoaderListener you define in your web.xml and is visible to all the child contexts. This parent context is usually where you define your security configuration, including the element). As a result any security constraints applied to methods in these web beans will not be enforced, since the beans cannot be seen from the DispatcherServlet context. You need to either move the declaration to the web context or moved the beans you want secured into the main application context.

Generally we would recommend applying method security at the service layer rather than on individual web controllers.

If you apply pointcuts to service layer you only need to set <global-method-security> in your app's security context.