Are multiple roles allowed in the @Secured annotation with 'or' condition in Spring Security

Question

I am using spring and spring security 4 in my project. I have to call my dao method with ROLE_USER or ROLE_TIMER_TASK.

Currently I am using this annotation -

<

Answer 1

For or, use a @PreAuthorize annotation instead:

@PreAuthorize("hasRole('ROLE_USER') or hasRole('ROLE_TIMER_TASK')")

In Spring Security version 4 the ROLE_ prefix can be omitted:

@PreAuthorize("hasRole('USER') or hasRole('TIMER_TASK')")

Make sure you have pre- and post-annotations enabled in your security config.