I have very similar spring-security beans configuation to this example. The @Secured annotation on controller’s methods only function properly if it is on a method of a class that does not subclass another class. In other words, this following code does not work (an exception raised during the bean initializtion):

@Controller
@RequestMapping("/systeminfo")
public class SystemInfoController extends AbstractViewableController {

    @RequestMapping(method = RequestMethod.GET, value = "/")
    @Secured("ROLE_USER") // an exception below was raised
    public void view(HttpServletRequest request) {
    }
}

Here is the exception:

org.springframework.beans.factory.BeanCreationException: Error creating bean wit
h name 'systemInfoController' defined in file [C:\workspace\my\my-webapp
\target\classes\my\webapp\controller\SystemInfoController.class]: Initializa
tion of bean failed; nested exception is org.springframework.aop.framework.AopCo
nfigException: Could not generate CGLIB subclass of class [class my.webapp.c
ontroller.SystemInfoController]: Common causes of this problem include using a f
inal class or a non-visible class; nested exception is net.sf.cglib.core.CodeGen
erationException: java.lang.RuntimeException-->RequestMapping annotation cannot
be found on my.webapp.controller.SystemInfoController$$EnhancerByCGLIB$$e99f
e366

So I follow the instruction here and add proxy-target-class="true" to <global-method-security ...> (Not sure if it is related) but the security aspect is still lost. However, if the superclass is removed, then the security get applied properly, i.e. forward to login page.

Does anyone know what is going on and how to fix the problem when the controller needs to extend another class?