Spring Security using @Secured Annotation

By Arvind Rai, December 26, 2013
On this page we learn how to secure a service-layer method with annotations using Spring Security. Spring Security provides the @Secured annotation; to enable annotation-based security we need to configure the global-method-security namespace element. @Secured can allow access to a method for more than one role. Within the application, we choose which methods are secured and which are not.

<global-method-security> in Spring Security

global-method-security is the namespace element to configure first. Its secured-annotations attribute must be set to enabled to get annotation-based security. We configure it as
<global-method-security secured-annotations="enabled" />

How to configure @Secured in Spring Security

Suppose we have the roles ROLE_USER and ROLE_ADMIN. We can restrict a method to a single role by annotating it:
@Secured("ROLE_ADMIN")
public void deleteUser(String name);
To allow more than one role, we define it like this:
@Secured ({"ROLE_USER", "ROLE_ADMIN"})
public void addUser(String name, String pwd);
Now we will discuss the demo. In our example we have two users and two roles. One user is ram with password con1234 and role ROLE_ADMIN, and the other is rahim with password con1234 and role ROLE_USER. In the service layer we have an interface, IUserService, with two methods, addUser and deleteUser. We have secured the deleteUser() method for ROLE_ADMIN only, while addUser() can be accessed by both roles. Find all the configurations below.
package com.concretepage.service;
import org.springframework.security.access.annotation.Secured;
public interface IUserService {
	// Either role may add a user
	@Secured ({"ROLE_USER", "ROLE_ADMIN"})
	public void addUser(String name, String pwd);
	// Only ROLE_ADMIN may delete a user
	@Secured ("ROLE_ADMIN")
	public void deleteUser(String name);
}

package com.concretepage.service;
public class UserService implements IUserService {
	public void addUser(String name, String pwd) {
		System.out.println("user added");
	}
	public void deleteUser(String name) {
		System.out.println("user deleted");
	}
}
In the controller we call both methods of the service layer.
package com.concretepage.security.controller;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Controller;
import org.springframework.ui.ModelMap;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import com.concretepage.service.IUserService;
@Controller
// Path assumed from the intercept-url pattern in the security configuration
@RequestMapping("/login")
public class LoginController {
	@Autowired
	public IUserService userService;
	@RequestMapping(method = RequestMethod.GET)
	public String success(ModelMap map) {
		userService.addUser("ABC", "abc");
		// Throws AccessDeniedException unless the caller has ROLE_ADMIN (argument value assumed)
		userService.deleteUser("ABC");
		map.addAttribute("msg", "Done Successfully");
		return "success";
	}
}

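<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
	xmlns:beans="http://www.springframework.org/schema/beans"
	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
	http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd">
	<http auto-config="true">
		<intercept-url pattern="/login" access="ROLE_USER,ROLE_ADMIN" />
		<logout logout-success-url="/login" />
	</http>
	<authentication-manager><authentication-provider><user-service>
	    <user name="ram" password="con1234" authorities="ROLE_ADMIN" />
	    <user name="rahim" password="con1234" authorities="ROLE_USER" />
	</user-service></authentication-provider></authentication-manager>
   <!-- Enables @Secured processing for beans defined in this context -->
   <global-method-security secured-annotations="enabled" />
   <beans:bean name="userService" class="com.concretepage.service.UserService"/>  
</beans:beans>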

Output UI

Log in as user ram and you will get the success message.

Log in as user rahim and you will get an access denied message.

Now look at the output. First log in as user ram. There is no error, because ram's role ROLE_ADMIN is authorized for both methods. But when we log in as rahim, access to the deleteUser() method is denied.
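
A way to check that the annotations are actually enforced, since @Secured has no effect in a context that lacks the global-method-security element. This is an added example, not code from the original article: the class name SecuredEnforcementCheck, the helper canDelete and the inline XML are assumptions, and the service types are re-declared as nested classes so the file stands alone.

```java
import java.nio.charset.StandardCharsets;
import org.springframework.context.support.GenericXmlApplicationContext;
import org.springframework.core.io.ByteArrayResource;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.annotation.Secured;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContextHolder;
// Added example: class and helper names are hypothetical, not from the article.
public class SecuredEnforcementCheck {
    public interface IUserService {
        @Secured({"ROLE_USER", "ROLE_ADMIN"}) void addUser(String name, String pwd);
        @Secured("ROLE_ADMIN") void deleteUser(String name);
    }
    public static class UserService implements IUserService {
        public void addUser(String name, String pwd) { }
        public void deleteUser(String name) { }
    }
    // Constructed minimal context using the same global-method-security element as the article.
    static final String XML = "<beans:beans xmlns='http://www.springframework.org/schema/security'"
        + " xmlns:beans='http://www.springframework.org/schema/beans'"
        + " xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance' xsi:schemaLocation='"
        + "http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd "
        + "http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd'>"
        + "<global-method-security secured-annotations='enabled'/>"
        + "<beans:bean name='userService' class='" + UserService.class.getName() + "'/></beans:beans>";
    // True if a caller holding only the given role gets through deleteUser().
    static boolean canDelete(IUserService svc, String role) {
        SecurityContextHolder.getContext().setAuthentication(new UsernamePasswordAuthenticationToken(
            "test-user", "n/a", AuthorityUtils.createAuthorityList(role)));
        try {
            svc.deleteUser("ABC");
            return true;
        } catch (AccessDeniedException e) {
            return false;
        } finally {
            SecurityContextHolder.clearContext();
        }
    }
    public static void main(String[] args) {
        GenericXmlApplicationContext ctx = new GenericXmlApplicationContext(
            new ByteArrayResource(XML.getBytes(StandardCharsets.UTF_8)));
        IUserService svc = ctx.getBean(IUserService.class);
        if (!canDelete(svc, "ROLE_ADMIN")) throw new IllegalStateException("ROLE_ADMIN was denied");
        if (canDelete(svc, "ROLE_USER")) throw new IllegalStateException("@Secured is not enforced");
        System.out.println("deleteUser(): ROLE_ADMIN allowed, ROLE_USER denied");
        ctx.close();
    }
}
```

It needs spring-context, spring-aop, spring-security-core and spring-security-config on the classpath. Removing the global-method-security element from the XML string makes the second check fail, which is what an unenforced annotation looks like.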
