2008-07-12: Comment: It is indeed a lot simpler using spring-security, as Craig Walls demonstrates in this posting in his blog “Spring-Loaded”).

In order to activate the post processing for the @Secured annotations, a spring configuration such as the following is required:

    <!-- Bean post-processor for activating any advisors -->
    <bean class="org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator"/>

    <!-- The advisor that creates secured proxies for beans using security annotations such as @Secured -->
    <bean class="org.acegisecurity.intercept.method.aopalliance.MethodDefinitionSourceAdvisor">
        <constructor-arg>
            <ref bean="myMethodInterceptor"/>
        </constructor-arg>
    </bean>

Where myMethodInterceptor is a MethodSecurityInterceptor, which may be configured like this:

    <bean id="myMethodInterceptor" class="org.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor">
        <property name="validateConfigAttributes" value="false"/>
        <property name="authenticationManager" ref="authenticationManager"/>
        <property name="accessDecisionManager" ref="accessDecisionManager"/>
        <property name="objectDefinitionSource" ref="objectDefinitionSource"/>
    </bean>

With a suitable AuthenticationManager, AccessDescisionManager and and objectDefinitionSource of type MethodDefinitionSource.

Often it is the case that annotated bean classes must be proxied directly, rather than proxying some implemented interface.

If you get an exception such as

Failed to convert property value of type [$Proxy70] to required type ...
no matching editors or conversion strategy found


Your solution might be to force the proxying of the target class itself using:

    <!-- Bean post-processor for auto-activating all advisors -->
    <bean class="org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator">
        <property name="proxyTargetClass" value="true" />
    </bean>