Allows authorization on controller methods using annotations.

Spring-security-controller-auth is a library that lets you apply authorization rules to controller methods using annotations, without moving <global-method-security> or @EnableGlobalMethodSecurity to the web application context. It sits between web security and global method security: it operates at the HTTP request level (like web security), but it is configured by annotations (like global method security).


The library is not published in any Maven repository, so you have to install it manually into your local repository:

git clone
cd spring-security-controller-auth
git checkout 0.9.0
mvn javadoc:jar source:jar install


After installation add the following dependency to your pom.xml:


Next, configure the library. Its central class is HandlerSecurityInterceptor, a Spring MVC interceptor that handles the authorization annotations. To use spring-security-controller-auth in your project, you have to create and configure this interceptor. The simplest configuration looks like this:

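@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

  // Expose the AuthenticationManager as a bean; HandlerSecurityInterceptor requires it.
  @Bean
  @Override
  public AuthenticationManager authenticationManagerBean() {
    try {
      return super.authenticationManagerBean();
    } catch (Exception e) {
      throw new IllegalStateException(e);
    }
  }

  @Bean
  public HandlerSecurityInterceptor handlerSecurityInterceptor() {
    HandlerSecurityInterceptor interceptor = HandlerSecurityInterceptor.create();
    return interceptor;
  }
}

@Configuration
public class WebConfig extends WebMvcConfigurerAdapter {

  @Autowired
  private WebSecurityConfig webSecurityConfig;

  // Register the interceptor with Spring MVC so annotated handler methods are checked.
  @Override
  public void addInterceptors(InterceptorRegistry registry) {
    registry.addInterceptor(webSecurityConfig.handlerSecurityInterceptor());
  }
}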


The only non-obvious part is the overridden authenticationManagerBean() method. It is necessary because HandlerSecurityInterceptor requires an AuthenticationManager, and by default WebSecurityConfigurerAdapter doesn't expose it as a bean (see the javadoc for WebSecurityConfigurerAdapter.authenticationManagerBean() for more information).

After configuration, you can easily use it in your controllers, for example:

public String index() {
  return "index"; // placeholder view name
}

@AuthorizeRequest("hasRole('ROLE_ADMIN') and hasIpAddress('')")
public String admin() {
  return "admin"; // placeholder view name
}

The AuthorizeRequest annotation accepts all web security expressions.
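
To show what evaluating a web security expression per handler method at the HTTP request level involves, here is an added sketch. It is not the library's own code and not how HandlerSecurityInterceptor is necessarily implemented. The names RequiresExpression and ExpressionInterceptorSketch are hypothetical, and it assumes the same Spring Security 4 / javax.servlet generation of APIs as the configuration above.

```java
import java.lang.annotation.*;
import javax.servlet.http.*;
import org.springframework.expression.EvaluationContext;
import org.springframework.expression.Expression;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.expression.ExpressionUtils;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.FilterInvocation;
import org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler;
import org.springframework.web.method.HandlerMethod;
import org.springframework.web.servlet.handler.HandlerInterceptorAdapter;

// Hypothetical annotation standing in for the library's @AuthorizeRequest.
@Retention(RetentionPolicy.RUNTIME)
@Target(ElementType.METHOD)
@interface RequiresExpression {
  String value();
}

// Sketch: an MVC interceptor that enforces a web security expression per handler method.
public class ExpressionInterceptorSketch extends HandlerInterceptorAdapter {
  private final DefaultWebSecurityExpressionHandler expressionHandler =
      new DefaultWebSecurityExpressionHandler();

  @Override
  public boolean preHandle(HttpServletRequest request, HttpServletResponse response,
      Object handler) {
    if (!(handler instanceof HandlerMethod)) {
      return true; // e.g. static resource handlers: nothing to evaluate
    }
    RequiresExpression rule =
        ((HandlerMethod) handler).getMethodAnnotation(RequiresExpression.class);
    if (rule == null) {
      return true; // unannotated methods are NOT restricted by this interceptor
    }
    Authentication auth = SecurityContextHolder.getContext().getAuthentication();
    if (auth == null) {
      throw new AccessDeniedException("No authentication in the security context");
    }
    // Web expressions such as hasIpAddress() need the request, wrapped in a FilterInvocation.
    FilterInvocation invocation = new FilterInvocation(request, response, (req, res) -> { });
    EvaluationContext ctx = expressionHandler.createEvaluationContext(auth, invocation);
    Expression expr = expressionHandler.getExpressionParser().parseExpression(rule.value());
    if (!ExpressionUtils.evaluateAsBoolean(expr, ctx)) {
      throw new AccessDeniedException("Access denied by expression: " + rule.value());
    }
    return true;
  }
}
```

In this sketch a handler method without the annotation is allowed through, so URL-level web security rules remain the baseline, and a request that never reaches a registered interceptor is never checked.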

A more complex configuration and usage example can be found in my spring4-webbapp project. It shows how to configure this library with a RoleHierarchy. You can also read more about spring-security-controller-auth on my blog.