JSR 250 method level security does not work in Spring MVC

I am trying to move from @Configuration based security to JSR 250 method level security. The code below works as follows:

Access to my page is configured in configure(HttpSecurity http) inside SecurityConfiguration.class. Everyone is allowed to access the "all" page; if someone tries "protected", the default login page is displayed; if the role is wrong, an "Access denied" message is shown. Fine.

Now, I would like to do exactly the same thing but by using JSR 250 Annotations. So:

I have removed the configure(HttpSecurity http) method and added the following to the dispatcher servlet context configuration:

@EnableGlobalMethodSecurity(jsr250Enabled = true, proxyTargetClass = true, mode = AdviceMode.ASPECTJ, prePostEnabled=true)

and obviously @PermitAll and @RolesAllowed inside the controller.

These changes do not work properly. If I try to access any page, I am asked for credentials (default login page). If I fill them in, I am able to access any page in any role :(

Have I forgotten about something?

Thank you in advance for any help you can provide, Marek

Application Context:

public class AppConfiguration {
  // entityManagerFactory, transactionManager, localValidatorFactoryBean, methodValidationPostProcessor
}

public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

  public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
    // (body omitted in the question)
  }

  public AuthenticationManager authenticationManagerBean() throws Exception {
    return super.authenticationManagerBean();
  }

  protected void configure(HttpSecurity http) throws Exception {
    // (body omitted in the question)
  }
}

@EnableGlobalMethodSecurity(jsr250Enabled = true, proxyTargetClass = true, mode = AdviceMode.ASPECTJ, prePostEnabled=true)
@ComponentScan(basePackages = "")
public class WebMvcConfiguration extends WebMvcConfigurerAdapter {
  // addInterceptors, addViewControllers, templateResolver, templateEngine, thymeleafViewResolver
}

public class HomeController {
  @RequestMapping(value = "/all**", method = RequestMethod.GET)
  public String allPage(Model model) {
    return "all";
  }

  @RequestMapping(value = "/protected**", method = RequestMethod.GET)
  public String protectedPage(Model model) {
    return "protected";
  }

  @RequestMapping(value = "/confidential**", method = RequestMethod.GET)
  public String superAdminPage(Model model) {
    return "confidential";
  }
}



  • I noticed that your @EnableGlobalMethodSecurity annotation uses proxy mode AdviceMode.ASPECTJ but your dependencies don't list AspectJ.

    If you're trying to use AspectJ proxies, then you need to provide the dependency and add configuration to compile using AspectJ compiler.

    If you do not intend to use AspectJ proxies, then try without the 'mode = AdviceMode.ASPECTJ' parameter.

    Edit - This might not be obvious. For using AspectJ proxies, you need to:

    1. specify dependencies
    2. provide aspectj plugin configuration to compile with AspectJ compiler

    Here's an example of Maven configuration: Running JDK8 for aspectj

    Here's one for Gradle:
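
Added example, not part of the question or the answer above and not Spring's own code: the symptom in the question (login succeeds, then every role reaches every page) is method security failing open, because with mode = AdviceMode.ASPECTJ and no AspectJ weaving nothing intercepts the controller methods. The startup check below makes that condition fail closed by refusing to start when a controller carries JSR-250 annotations but is not wrapped in a Spring AOP proxy. MethodSecurityGuard is a hypothetical name; the check assumes proxy-based method security (the mode parameter removed, as the answer suggests) and that the bean is scanned into the same context as the controllers.

```java
import java.lang.reflect.AnnotatedElement;
import java.lang.reflect.Method;
import javax.annotation.security.DenyAll;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import org.springframework.aop.support.AopUtils;
import org.springframework.beans.factory.SmartInitializingSingleton;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.ApplicationContext;
import org.springframework.core.annotation.AnnotationUtils;
import org.springframework.stereotype.Component;
import org.springframework.stereotype.Controller;
import org.springframework.util.ClassUtils;

// Added example; MethodSecurityGuard is a hypothetical name, not part of Spring.
// Assumes proxy-based method security (no mode = AdviceMode.ASPECTJ) and that this
// bean is scanned into the same context as the controllers.
@Component
public class MethodSecurityGuard implements SmartInitializingSingleton {

    @Autowired
    private ApplicationContext context;

    // Runs once all singletons exist; aborts startup instead of serving unprotected pages.
    @Override
    public void afterSingletonsInstantiated() {
        for (Object bean : context.getBeansWithAnnotation(Controller.class).values()) {
            Class<?> type = ClassUtils.getUserClass(bean); // unwraps a CGLIB subclass
            boolean annotated = hasJsr250(type);
            for (Method m : type.getMethods()) {
                annotated |= hasJsr250(m);
            }
            if (annotated && !AopUtils.isAopProxy(bean)) {
                throw new IllegalStateException(type.getName()
                        + ": JSR-250 annotations present but bean is not proxied, so not enforced");
            }
        }
    }

    // True if the class or method carries @RolesAllowed, @PermitAll or @DenyAll.
    static boolean hasJsr250(AnnotatedElement e) {
        return AnnotationUtils.findAnnotation(e, RolesAllowed.class) != null
                || AnnotationUtils.findAnnotation(e, PermitAll.class) != null
                || AnnotationUtils.findAnnotation(e, DenyAll.class) != null;
    }
}
```

With compile-time or load-time AspectJ weaving the controllers are legitimately not proxies, so this check does not apply to a correctly woven ASPECTJ setup.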