Learnitweb

From @EnableGlobalMethodSecurity to @EnableMethodSecurity: A Migration Guide for Spring Security 6+

Spring Security 6, a core component of the Spring Boot 3 ecosystem, introduced a significant and welcome simplification to how method-level security is configured. The legacy annotation, @EnableGlobalMethodSecurity, has been officially deprecated in favor of the new, more streamlined @EnableMethodSecurity.

This tutorial will guide you through the key differences between the two annotations and provide a practical guide on migrating your existing Spring Security configurations.

1. Understanding the Old Way: @EnableGlobalMethodSecurity

In Spring Security 5 and earlier, you would use @EnableGlobalMethodSecurity on a configuration class to enable method-level security. This annotation required you to explicitly enable the types of security you wanted to use.

Here’s an example of a typical configuration:

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;

@Configuration
@EnableGlobalMethodSecurity(
    prePostEnabled = true,
    securedEnabled = true,
    jsr250Enabled = true
)
public class MethodSecurityConfig {
    // No bean definitions are usually required here.
}

  • prePostEnabled = true: Enabled @PreAuthorize and @PostAuthorize for expression-based security.
  • securedEnabled = true: Enabled the simpler @Secured annotation, which uses role names.
  • jsr250Enabled = true: Enabled the JSR-250 annotations, such as @RolesAllowed.

While functional, this approach was verbose and required developers to remember which booleans to enable for their desired functionality.

2. The New Standard: @EnableMethodSecurity

Spring Security 6 simplifies this configuration significantly with @EnableMethodSecurity. This new annotation provides sane defaults and is designed to be much easier to use. It’s the recommended approach for all new Spring Security 6+ applications.

Here is the equivalent configuration using the new annotation:

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;

@Configuration
@EnableMethodSecurity
public class MethodSecurityConfig {
    // No special configuration is needed.
}

That’s it! By default, @EnableMethodSecurity does the following:

  • Enables @PreAuthorize and @PostAuthorize: The most common and powerful method security annotations are enabled out of the box.
  • Enables @Secured and @RolesAllowed: These are also enabled by default for backward compatibility and simpler use cases.

This means you can simply add @EnableMethodSecurity to your configuration and immediately start using annotations like @PreAuthorize("hasRole('ADMIN')") or @Secured("ROLE_USER") on your service or controller methods.
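As an added example (not code from the original article), here is a hypothetical AccountService that uses each annotation style @EnableMethodSecurity can activate, next to a configuration that names those styles explicitly. One caveat a reviewer will want: in the Spring Security 6 source, prePostEnabled defaults to true while securedEnabled and jsr250Enabled default to false, so a code base that relies on @Secured or @RolesAllowed should set those attributes rather than depend on the defaults; stating them explicitly also tells reviewers which annotation styles to look for during an audit. Account, AccountService and the method names are illustrative assumptions; the listing assumes Spring Boot 3 with spring-boot-starter-security (which brings jakarta.annotation-api for @RolesAllowed) and is shown as one listing for brevity, although each class would normally live in its own file.

```java
import jakarta.annotation.security.RolesAllowed;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.annotation.Secured;
import org.springframework.security.access.prepost.PostAuthorize;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.stereotype.Service;

// --- MethodSecurityConfig.java ---
// prePostEnabled is true by default; @Secured and @RolesAllowed must be switched on
// explicitly, so every style the code base relies on is stated here.
@Configuration
@EnableMethodSecurity(securedEnabled = true, jsr250Enabled = true)
public class MethodSecurityConfig {
}

// --- Account.java (hypothetical domain record with constructed sample values) ---
record Account(String id, String owner, long balanceCents) {
}

// --- AccountService.java (hypothetical service) ---
@Service
class AccountService {

    // Expression-based, evaluated before the method runs: only ROLE_ADMIN may close accounts.
    @PreAuthorize("hasRole('ADMIN')")
    public void closeAccount(String accountId) {
        // ... business logic ...
    }

    // Expression that references a method argument: a caller may only open an account
    // for themselves. Resolving #ownerName requires compiling with -parameters
    // (Spring Boot's Maven and Gradle plugins enable that flag).
    @PreAuthorize("#ownerName == authentication.name")
    public Account openAccount(String ownerName) {
        return new Account("acc-1", ownerName, 0L);
    }

    // Evaluated after the method runs, against the returned object: the lookup executes,
    // but the result is withheld (AccessDeniedException) unless the caller owns it.
    @PostAuthorize("returnObject.owner == authentication.name")
    public Account findById(String id) {
        return new Account(id, "alice", 1_000L); // constructed sample data
    }

    // Role-name based (needs securedEnabled = true); the ROLE_ prefix is literal here.
    @Secured("ROLE_USER")
    public Account summary(String id) {
        return new Account(id, "alice", 1_000L); // constructed sample data
    }

    // JSR-250 style (needs jsr250Enabled = true); the ROLE_ prefix is added for you.
    @RolesAllowed("ADMIN")
    public void freeze(String id) {
        // ... business logic ...
    }
}
```

Note the asymmetry between the last two methods: @Secured compares the literal authority string, while @RolesAllowed and hasRole() prepend ROLE_, so mixing styles is a common source of rules that look right but never match.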

3. Migrating an Existing Application

The migration process is straightforward. You only need to make a small change to your security configuration class.

Step 1: Replace the Annotation

Change the import and the annotation from @EnableGlobalMethodSecurity to @EnableMethodSecurity.

Before:

import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;

@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfiguration {
    // ...
}

After:

import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;

@EnableMethodSecurity
public class SecurityConfiguration {
    // ...
}

Step 2: Remove the Old Attributes

The prePostEnabled, securedEnabled, and jsr250Enabled attributes are no longer available on @EnableMethodSecurity. Since the most common use cases are enabled by default, you can simply remove them.

If you had a custom configuration, you’ll need to check the Spring Security documentation for the new, more modular way of doing things. However, for 99% of use cases, simply replacing the annotation is all that’s required.

4. What if I Need to Disable a Feature?

If, for some reason, you need to disable a specific type of annotation (e.g., you want to use only @PreAuthorize and disable @Secured), the new @EnableMethodSecurity annotation provides attributes for that as well.

@Configuration
@EnableMethodSecurity(
    securedEnabled = false,      // Disable @Secured
    jsr250Enabled = false        // Disable JSR-250 annotations
)
public class MethodSecurityConfig {
    // Now only @PreAuthorize and @PostAuthorize will work.
}

This gives you the same level of control as the old annotation but in a cleaner, more readable format.
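A check worth running after the migration in section 3, and for the narrowed configuration in section 4, is a test that proves the rules are still enforced once the annotation has been swapped, and that an annotation style you switched off is silently not enforced rather than failing loudly. The following self-contained JUnit 5 test is an added example, not part of the original article; it uses spring-test's @SpringJUnitConfig and spring-security-test's @WithMockUser, and ReportService with its two methods is a hypothetical service that exists only inside the test.

```java
import static org.junit.jupiter.api.Assertions.assertEquals;
import static org.junit.jupiter.api.Assertions.assertThrows;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.annotation.Secured;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.authentication.AuthenticationCredentialsNotFoundException;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.test.context.support.WithMockUser;
import org.springframework.test.context.junit.jupiter.SpringJUnitConfig;

@SpringJUnitConfig(MethodSecurityRegressionTest.TestConfig.class)
class MethodSecurityRegressionTest {

    // Same shape as the section 4 configuration: only @PreAuthorize/@PostAuthorize are active.
    @Configuration
    @EnableMethodSecurity(securedEnabled = false, jsr250Enabled = false)
    static class TestConfig {
        @Bean
        ReportService reportService() {
            return new ReportService();
        }
    }

    // Hypothetical service; public and non-final so Spring can wrap it in a CGLIB proxy.
    public static class ReportService {
        @PreAuthorize("hasRole('ADMIN')")
        public String adminReport() {
            return "admin-report";
        }

        @Secured("ROLE_ADMIN")
        public String securedReport() {
            return "secured-report";
        }
    }

    @Autowired
    ReportService reportService;

    @Test
    @WithMockUser(roles = "ADMIN")
    void adminCanReadAdminReport() {
        assertEquals("admin-report", reportService.adminReport());
    }

    @Test
    @WithMockUser(roles = "USER")
    void userIsDeniedAdminReport() {
        // The expression is evaluated and fails, so the method body never runs.
        assertThrows(AccessDeniedException.class, () -> reportService.adminReport());
    }

    @Test
    void anonymousCallerIsRejected() {
        // No Authentication in the SecurityContext at all: the interceptor rejects
        // the call before the expression is even evaluated.
        assertThrows(AuthenticationCredentialsNotFoundException.class,
                () -> reportService.adminReport());
    }

    @Test
    @WithMockUser(roles = "USER")
    void securedIsSilentlyIgnoredWhenDisabled() {
        // With securedEnabled = false no interceptor is registered for @Secured, so a
        // plain USER reaches the method body. This is the regression to watch for
        // whenever the annotation's attributes are changed.
        assertEquals("secured-report", reportService.securedReport());
    }
}
```

The last test is deliberately written to pass under the narrowed configuration: if someone later flips securedEnabled back to true, it fails and tells you that the set of enforced annotation styles changed. Keep one such test per annotation style your code base uses, so that a migration or a configuration tweak cannot leave annotated methods unprotected without a test going red.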