@RolesAllowed vs. @PreAuthorize vs. @Secured

Question

I have a basic SpringBoot app. using Spring Initializer, embedded Tomcat, Thymeleaf template engine, and package as an executable JAR file.

I want to secure a controller

Answer 1

All of these are basically the same for your purpose, but @PreAuthorize is the best fit for controllers and controller methods. @Secured and @RolesAllowed are intended for describing service layer security attributes.

Also be aware for @PreAuthorize annotation to work you must define a configuration class:

@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class MethodSecurityConfig extends GlobalMethodSecurityConfiguration {
...
}