What's the difference between @Secured and @PreAuthorize in Spring Security 3?

The real difference is that @PreAuthorize can work with Spring Expression Language (SpEL). You can:

  • Access methods and properties of SecurityExpressionRoot.
  • Access method arguments (requires compilation with debug info or custom ParameterNameDiscoverer):

    @PreAuthorize("#contact.name == principal.name")
    public void doSomething(Contact contact);
    
  • (Advanced feature) Add your own methods (override MethodSecurityExpressionHandler and set it as <global-method-security><expression-handler ... /></...>).

If you wanted to do something like access the method only if the user has Role1 and Role2, then you would have to use @PreAuthorize:

    @PreAuthorize("hasRole('ROLE_role1') and hasRole('ROLE_role2')")

Using

    @Secured({"role1", "role2"}) // is treated as an OR

Simply, @PreAuthorize is newer than @Secured.

So I say it is better to use @PreAuthorize as it is "expression-based" and you can use expressions like hasRole, hasAnyRole, permitAll, etc.

To learn about expressions, see these example expressions.