The real difference is that `@PreAuthorize` can work with Spring Expression Language (SpEL). You can:

- Access methods and properties of `SecurityExpressionRoot`.
- Access method arguments (requires compilation with debug info or a custom `ParameterNameDiscoverer`):

  ```java
  @PreAuthorize("#contact.name == principal.name")
  public void doSomething(Contact contact)
  ```

- (Advanced feature) Add your own methods (override `MethodSecurityExpressionHandler` and set it as `<global-method-security><expression-handler ... /></...>`).
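
A sketch of the "add your own methods" option, added here as an illustration and not part of the original answer or of Spring Security itself. The names `OwnerExpressionHandler`, `OwnerExpressionRoot` and `isOwner` are hypothetical, and it assumes the `<global-method-security>` style of configuration mentioned above.

```java
import org.aopalliance.intercept.MethodInvocation;
import org.springframework.security.access.expression.SecurityExpressionRoot;
import org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler;
import org.springframework.security.access.expression.method.MethodSecurityExpressionOperations;
import org.springframework.security.authentication.AuthenticationTrustResolverImpl;
import org.springframework.security.core.Authentication;

// Hypothetical handler: makes isOwner(...) callable from @PreAuthorize expressions.
public class OwnerExpressionHandler extends DefaultMethodSecurityExpressionHandler {

    @Override
    protected MethodSecurityExpressionOperations createSecurityExpressionRoot(
            Authentication authentication, MethodInvocation invocation) {
        OwnerExpressionRoot root = new OwnerExpressionRoot(authentication);
        root.setThis(invocation.getThis());
        // Carry over the collaborators that built-in expressions such as
        // hasRole(), hasPermission() and isAnonymous() depend on.
        root.setPermissionEvaluator(getPermissionEvaluator());
        root.setTrustResolver(new AuthenticationTrustResolverImpl());
        root.setRoleHierarchy(getRoleHierarchy());
        return root;
    }

    // Root object for SpEL evaluation: inherits the standard expressions
    // from SecurityExpressionRoot and adds one custom check.
    public static class OwnerExpressionRoot extends SecurityExpressionRoot
            implements MethodSecurityExpressionOperations {
        private Object filterObject;
        private Object returnObject;
        private Object target;

        public OwnerExpressionRoot(Authentication authentication) {
            super(authentication);
        }

        // Custom method: true only when the supplied name matches the
        // authenticated user's name. A null name is denied (fail closed).
        public boolean isOwner(String name) {
            return name != null && name.equals(getAuthentication().getName());
        }

        public void setThis(Object target) { this.target = target; }
        @Override public Object getThis() { return target; }
        @Override public void setFilterObject(Object o) { this.filterObject = o; }
        @Override public Object getFilterObject() { return filterObject; }
        @Override public void setReturnObject(Object o) { this.returnObject = o; }
        @Override public Object getReturnObject() { return returnObject; }
    }
}
```

With a bean of this class referenced from `<expression-handler ref="..."/>`, an annotation such as `@PreAuthorize("isOwner(#contact.name)")` resolves `isOwner` against the custom root.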