I just came across this one again and wanted to make sure you're not lost without any feedback. I think I didn't expect the …Enabled attributes of the annotation to default to false and thus was just observing it not to be working at all. I was using the annotation on a superclass, so that was probably why SPR-11251 played into this. Anyway, I can confirm this working with current versions of Spring Framework and Security. Thanks for taking a look!