How to debug Spring Security authorization annotations?

You can add to your application.yaml:

logging.level.org.springframework.security: DEBUG

Or add to application.properties:

logging.level.org.springframework.security=DEBUG

Or add to your WebSecurityConfig annotation EnableWebSecurity with debug = true:

@Configuration
@EnableWebSecurity(debug = true)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
  // ...
}

Set the log level of org.springframework.security to debug. On invoking the method with annotations, you can find log messages that indicate interceptor being applied, especially look for: DEBUG MethodSecurityInterceptor

Updated: That means there is some config difference between your sample app and main app Some pointers to look for:

  • the <global-method-security> tag needs to be in the same context as your Spring MVC configuration otherwise your controllers will not be post processed. Refer: http://docs.spring.io/spring-security/site/docs/3.2.x/reference/htmlsingle/faq.html#faq-method-security-in-web-context

  • you might need pre-post-annotations="enabled", with expressionHandler set.

  • make sure tag <global-method-security> is in application context