Spring Security 3: Method Level Access Failure -

i have url-level security in placed, , also, method level. method level security bypassed once user has been authenticated @ url-level! looked @ further , seems following url-level security:

intercept-url pattern="/**" access="role_user"

would override of method level security (like below code snippet).

@preauthorize("hasrole('role_supervisor')") public string supervisorroleonly()  {       return "success!!!" ; } 

i think method throw access-denied error, no, role_user can access method once authenticated @ url-level.

i have in security-config.xml:

<global-method-security pre-post-annotations="enabled" >     <expression-handler ref="expressionhandler"/> </global-method-security> 

what missing?

i guess applies more future readers, when set debug logging spring security see similar following:

looking pre/post annotations method 'supervisorroleonly' on target class 'yourclassname' no expression annotations found adding security method [cachekey[yourclassname; public yourreturntype yourclassname.supervisorroleonly()]] attributes [role_user] 

preauthorize being ignored.