java - Using @PreAuthorize or @Secured with Jersey when using Configuration Class


I am having a problem similar to "PreAuthorize annotation doesn't work with Jersey". I created a configuration class for Spring Security, and authentication works but authorization does not.

Here is my code:

SpringSecurityConfig.java

    @Configuration
    @EnableWebSecurity
    @EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true)
    @Order(1)
    @ComponentScan({"com.foo.rest.resources.template"})
    public class SpringSecurityConfig extends WebSecurityConfigurerAdapter {

        private final UserService userService;
        private final TokenAuthenticationService tokenAuthenticationService;

        public SpringSecurityConfig() {
            super(true);
            this.userService = new UserService();
            tokenAuthenticationService = new TokenAuthenticationService("toomanysecrets", userService);
        }

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .exceptionHandling().and()
                .anonymous().and()
                .servletApi().and()
                .headers().cacheControl().and()
                .authorizeRequests()
                // allow anonymous logins
                .antMatchers("/auth/**").permitAll()
                // all other requests need to be authenticated
                .anyRequest().authenticated().and()

                // custom token-based authentication based on the header given by the client
                .addFilterBefore(new StatelessAuthenticationFilter(tokenAuthenticationService),
                        UsernamePasswordAuthenticationFilter.class);
        }

        @Override
        protected void configure(AuthenticationManagerBuilder auth) throws Exception {
            auth.userDetailsService(userDetailsService()).passwordEncoder(new BCryptPasswordEncoder());
        }

        @Bean
        @Override
        public AuthenticationManager authenticationManagerBean() throws Exception {
            return super.authenticationManagerBean();
        }

        @Bean
        @Override
        public UserService userDetailsService() {
            return userService;
        }

        @Bean
        public TokenAuthenticationService tokenAuthenticationService() {
            return tokenAuthenticationService;
        }
    }

And Template.java

    @Component
    @Path("/template")
    @Produces(MediaType.APPLICATION_JSON)
    public class Template {

        @GET
        @Secured("ROLE_EDITOR")
        public User getTemplate() {
            return new Template();
        }
    }

My guess is that the authentication is handled in the filter chain, but it never comes around after the authorization tag is reached. Any idea how to make this work?

I think your @ComponentScan is configured wrongly and doesn't pick up the Template resource correctly.

According to the @ComponentScan documentation, value is an alias for basePackages, but you have given a class instead of a package. Try changing it to the following and see.

    @ComponentScan({"com.foo.rest.resources.*"})

And make sure you haven't missed any steps in the Jersey Spring integration as per the documentation.
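
Why it matters whether the resource is picked up as a Spring bean, as an added example that is not part of the original question or answer: Spring enforces @Secured through a proxy wrapped around the beans it manages, so an instance created outside the container is never checked. The code below uses a JDK dynamic proxy in place of Spring's machinery; the @RequiresRole annotation, the TemplateApi interface, the TemplateResource class and the role sets are hypothetical stand-ins, and it assumes Java 9 or later.

```java
import java.lang.annotation.*;
import java.lang.reflect.*;
import java.util.Set;

public class MethodSecurityProxyDemo {
    // Hypothetical stand-in for Spring's @Secured, so the demo needs no Spring jars.
    @Retention(RetentionPolicy.RUNTIME) @Target(ElementType.METHOD)
    @interface RequiresRole { String value(); }

    interface TemplateApi { String getTemplate(); }

    static class TemplateResource implements TemplateApi {
        @RequiresRole("ROLE_EDITOR")
        public String getTemplate() { return "template-body"; }
    }

    // What a container does for a managed bean: wrap it so the annotation is checked on every call.
    static TemplateApi secure(TemplateApi target, Set<String> callerRoles) {
        InvocationHandler handler = (proxy, method, args) -> {
            // Look the method up on the implementation class, where the annotation lives.
            Method impl = target.getClass().getMethod(method.getName(), method.getParameterTypes());
            RequiresRole required = impl.getAnnotation(RequiresRole.class);
            if (required != null && !callerRoles.contains(required.value()))
                throw new SecurityException("access denied: needs " + required.value());
            try { return impl.invoke(target, args); }
            catch (InvocationTargetException e) { throw e.getCause(); }
        };
        return (TemplateApi) Proxy.newProxyInstance(
                TemplateApi.class.getClassLoader(), new Class<?>[] {TemplateApi.class}, handler);
    }

    static String call(TemplateApi api) {
        try { return api.getTemplate(); }
        catch (SecurityException e) { return "DENIED"; }
    }

    public static void main(String[] args) {
        Set<String> viewer = Set.of("ROLE_VIEWER");      // constructed caller without ROLE_EDITOR
        TemplateApi unmanaged = new TemplateResource();  // created outside the container: no proxy
        TemplateApi managed = secure(new TemplateResource(), viewer);
        System.out.println("unmanaged instance, viewer: " + call(unmanaged));
        System.out.println("managed proxy, viewer:      " + call(managed));
        System.out.println("managed proxy, editor:      "
                + call(secure(new TemplateResource(), Set.of("ROLE_EDITOR"))));
    }
}
```

The unmanaged instance returns the template to a caller without the role, which is the symptom in the question: the request is authenticated by the filter chain, but nothing evaluates the annotation on the resource method.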
