While lots of sites online describe adding the @Secured annotation to your Spring Security-enabled web app, and some even describe role hierarchies, I was unable to find any that did so with JavaConfig. Most of them wanted to give me XML, which isn’t where I wanted to go today. Here’s what I’ve learned, in the hopes it saves you some time.

My application has two application contexts: one for MVC, and a root application context. In order to make use of Spring Security both in JSPs and in server-side components, my SecurityConfig is included in the root context via an @Import annotation:

@Import({ DBConfig.class, SecurityConfig.class })
public class AppConfig {

The security config class in turn enables Web Security and Global Method Security, which turns on the annotations too. It also defines a role hierarchy. I found lots of examples of configuring such a hierarchy in XML, but none in JavaConfig. Turns out you just do it via the constructor, with a string.

public class SecurityConfig extends WebSecurityConfigurerAdapter {
private RoleHierarchyImpl roleHierarchy = new RoleHierarchyImpl();

public SecurityConfig() {

This code defines a simple hierarchy where “administrator_2” has all the rights of “administrator”, which in turn has all the rights of “account_holder” etc.

The same class also defines the HTTP security configuration:

protected void configure(HttpSecurity http) throws Exception {
.antMatchers("/login", "/login/**", "/logout", "/register").permitAll()
.logoutUrl("/logout").logoutSuccessUrl("/login")

The only thing left to do is to hook up the access decision manager, and point it to the role hierarchy.

public AffirmativeBased getAccessDecisionManager() {
    DefaultWebSecurityExpressionHandler expressionHandler = new DefaultWebSecurityExpressionHandler();
    expressionHandler.setRoleHierarchy(roleHierarchy); // without this, hasRole() ignores the hierarchy

    WebExpressionVoter webExpressionVoter = new WebExpressionVoter();
    webExpressionVoter.setExpressionHandler(expressionHandler);

    List<AccessDecisionVoter<? extends Object>> voters = new ArrayList<>();
    voters.add(webExpressionVoter);

    return new AffirmativeBased(voters);
}

With that, I simply add @Secured("ROLE_ADMINISTRATOR") to my methods on classes decorated with @Component or @Controller, and access roles are enforced by Spring on my behalf. Here’s a simple example:

@Secured("ROLE_ADMINISTRATOR")
public String adminSystemMenu(Principal principal) {
    return "/admin/system";
}
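As an added example (not the post's own code), here is what the fragments above look like pulled together into one compilable class on Spring Security 3.2 to 5.x; the hierarchy string, the ROLE_ACCOUNT_HOLDER and ROLE_ADMINISTRATOR_2 names, the bean names and the /admin/** rule are assumptions. It goes one step beyond the post by also wiring the hierarchy into method security, since @Secured is decided by a separate AccessDecisionManager from the web one.

```java
import java.util.Collections;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.*;
import org.springframework.security.access.*;
import org.springframework.security.access.hierarchicalroles.*;
import org.springframework.security.access.vote.*;
import org.springframework.security.config.annotation.method.configuration.*;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.*;
import org.springframework.security.web.access.expression.*;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    // "A > B" means A inherits every right of B. Role names are assumed here and
    // must match the authorities your UserDetailsService grants, prefix included.
    @Bean
    public RoleHierarchy roleHierarchy() {
        RoleHierarchyImpl hierarchy = new RoleHierarchyImpl();
        hierarchy.setHierarchy("ROLE_ADMINISTRATOR_2 > ROLE_ADMINISTRATOR > ROLE_ACCOUNT_HOLDER");
        return hierarchy;
    }
    // Web side: without setRoleHierarchy, hasRole('ACCOUNT_HOLDER') is false for an
    // administrator, because only the literal granted authorities are compared.
    @Bean
    public AccessDecisionManager webAccessDecisionManager() {
        DefaultWebSecurityExpressionHandler handler = new DefaultWebSecurityExpressionHandler();
        handler.setRoleHierarchy(roleHierarchy());
        WebExpressionVoter voter = new WebExpressionVoter();
        voter.setExpressionHandler(handler);
        return new AffirmativeBased(Collections.<AccessDecisionVoter<? extends Object>>singletonList(voter));
    }
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().accessDecisionManager(webAccessDecisionManager())
                .antMatchers("/login", "/login/**", "/logout", "/register").permitAll()
                .antMatchers("/admin/**").hasRole("ADMINISTRATOR")
                .anyRequest().hasRole("ACCOUNT_HOLDER");
    }
    // Method side: @Secured is decided by the method-security manager, whose default
    // RoleVoter ignores hierarchies, so give it a RoleHierarchyVoter instead.
    @Configuration
    @EnableGlobalMethodSecurity(securedEnabled = true)
    public static class MethodSecurityConfig extends GlobalMethodSecurityConfiguration {
        @Autowired private RoleHierarchy roleHierarchy;
        @Override
        protected AccessDecisionManager accessDecisionManager() {
            return new AffirmativeBased(Collections.<AccessDecisionVoter<? extends Object>>singletonList(
                    new RoleHierarchyVoter(roleHierarchy)));
        }
    }
}
```

Quick check: log in as a user holding only ROLE_ADMINISTRATOR and request a URL, or call a method, guarded by ROLE_ACCOUNT_HOLDER; it should be allowed, and should be denied again once the setRoleHierarchy call and the RoleHierarchyVoter are removed.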

1 Comment »

Comment by Alex Tsilingiris
2016-04-19 04:24:51

Spent the last few hours looking for a java config approach. Thanks a lot for this post!
