How it works...

Spring Security provides three annotations that can be applied to methods whose access is restricted, confidential, or exclusive. The @Secured annotation is used when the security policy allows a single authorized role to execute a specific method. When more than one role is allowed, or the conditions are more involved, @PreAuthorize and @PostAuthorize must be used.

@PreAuthorize verifies the roles before the method executes, while @PostAuthorize checks them after the restricted method has executed. The latter is most useful on methods that return a value, because its expression can reference the returned value as returnObject alongside the role checks. Both annotations use Spring Expression Language (SpEL) to define the access rule: for example, access can be limited to hasRole("ADMIN") AND hasRole("HR"), or to users who hold both roles, hasRole("ADMIN") AND hasRole("USER"). @Secured does not support expression-based access control.

These annotations have no effect unless @EnableGlobalMethodSecurity is placed on the security configuration class. This enabling annotation has three properties to set:

  • prePostEnabled: A Boolean property that enables or disables the use of @PreAuthorize and @PostAuthorize
  • securedEnabled: A Boolean property that enables or disables the use of @Secured
  • jsr250Enabled: A Boolean property that enables or disables the use of the JSR-250 annotations (such as @RolesAllowed) for restrictions

Lastly, method restrictions can be applied not only to service methods but also to @Controller request handlers, as shown by RestrictedController.
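As an added illustration (not code from the recipe or from Spring Security itself), the configuration class and a service bean that exercise all three annotation styles together; MethodSecurityConfig, DocumentService, Document, and the role names are assumed for the example:

```java
import javax.annotation.security.RolesAllowed;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.annotation.Secured;
import org.springframework.security.access.prepost.PostAuthorize;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.stereotype.Service;

// Hypothetical security configuration class. Without this annotation on a
// @Configuration bean, every method-level annotation below is silently ignored.
@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true, jsr250Enabled = true)
public class MethodSecurityConfig {
}

// Hypothetical domain object; only 'owner' is consulted by the expressions.
class Document {
    private final String owner;
    private final String body;
    Document(String owner, String body) { this.owner = owner; this.body = body; }
    public String getOwner() { return owner; }
    public String getBody() { return body; }
}

@Service
class DocumentService {

    // @Secured (securedEnabled = true): plain role check, no SpEL. The value is
    // compared literally against granted authorities, so the ROLE_ prefix is spelled out.
    @Secured("ROLE_ADMIN")
    public void purgeArchive() { /* destructive operation, admins only */ }

    // JSR-250 equivalent (jsr250Enabled = true); same literal role matching.
    @RolesAllowed("ROLE_ADMIN")
    public void rotateSigningKey() { /* ... */ }

    // @PreAuthorize (prePostEnabled = true): evaluated BEFORE the method runs.
    // hasRole('X') adds the ROLE_ prefix itself; both roles are required here.
    @PreAuthorize("hasRole('ADMIN') and hasRole('HR')")
    public void exportPayroll() { /* ... */ }

    // @PostAuthorize: the method runs first, then the expression inspects the
    // result as returnObject. A non-owner without ADMIN gets AccessDeniedException
    // and the Document is never handed back to the caller.
    @PostAuthorize("hasRole('ADMIN') or returnObject.owner == authentication.name")
    public Document loadDocument(String id) {
        // Constructed sample data; a real service would query a repository.
        return new Document("alice", "document " + id);
    }
}
```

The checks are applied by Spring's proxy, so a call from one method of DocumentService to another annotated method of the same bean bypasses them; keep protected entry points on bean boundaries.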
