Being the resource server, we are enabling global method security so that every method exposing an API is secured, as shown in the following code snippet:

@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SpringSecurityConfig extends GlobalMethodSecurityConfiguration {
  @Override
  protected MethodSecurityExpressionHandler createExpressionHandler() {
      return new OAuth2MethodSecurityExpressionHandler();
  }
}

Here, we are using OAuth2MethodSecurityExpressionHandler as the method security exception handler so that we can use annotations, as follows:

@PreAuthorize("#oauth2.hasScope('movie') and #oauth2.hasScope('read')")