Should spring security method level annotations be applied at the controller layer or the service layer?

"It depends" :). If your application has a service layer through which all your business logic is applied then that is usually a clean place to apply your security constraints and be certain that you haven't missed out any corner cases.

Web code is generally messier, there's more of it, it changes more rapidly and you may end up calling the same service methods from multiple places. Someone might add a new controller and forget to secure it properly. Alternatively you might have different types of clients calling the same services.

But it depends on how your application is structured and what your use cases are. You may have a good argument for why you want to secure a controller.

Think in terms of code reuse. Are you going to use your service elsewhere? Not just to feed your web tier? We also reuse our services with jms bridges so we secure our service layer.

I think the Service is the better place to use it.

Despites some problems that @PreAuthorize could create on Controller and the Spring Security FAQ recommendation to put this kind of annotation on Service, I understand that the authorization for some action is more a business rule then a responsibility for the web tier.