Skip to content
Spring MVC Integration with Spring Security's @PreAuthorize Annotation
Latest commit b60f0b4 Dec 7, 2012 @andyxchang andyxchang Update
Failed to load latest commit information.
src/main Fixed comment Sep 24, 2012 Update Dec 7, 2012
pom.xml Added sample maven managed web project Sep 24, 2012


Spring MVC Integration with Spring Security's @PreAuthorize Annotation

Read the introductory post on our blog:

This is a sample web project with a few extended Spring MVC classes demonstrating how to integrate Spring Security's @PreAuthorize annotation into Spring MVC's request routing mechanism:

public String authenticatedHomePage() {
    return "authenticatedHomePage";

public String homePage() {
    return "homePage";

Normally, the code above would not work in Spring MVC because there's a duplicate mapping. Using this project, Spring MVC will route a request for "/" to authenticatedHomePage() if the user is authenticated. Otherwise it will go to homePage().

Within an expression, you can reference hasPermission(), authentication, principal, and, depending on the SecurityExpressionHandler in use, request. You can also reference any path variables defined in the @RequestMapping annotation:

@PreAuthorized(" == #name")
public String securePage() {
    return "securePage";

Finally, if a handler is matched for a request based on the @RequestMapping specification but fails the security expression (and there are no other suitable handlers), an AccessDeniedException is thrown for Spring Security's ExceptionTranslationFilter to deal with as it sees fit.

Something went wrong with that request. Please try again.