EnableWebSecurity will provide configuration via HttpSecurity. It’s the configuration you could find with <http></http> tag in xml configuration, it allows you to configure your access based on urls patterns, the authentication endpoints, handlers etc…
EnableGlobalMethodSecurity provides AOP security on methods. Some of the annotations that it provides are PreAuthorize, PostAuthorize. It also has support for JSR-250. There are more parameters in the configuration for you
For your needs, it’s better to mix the two. With REST you can achieve everything you need only by using @EnableWebSecurity since HttpSecurity#antMatchers(HttpMethod,String...) accepts control over Http methods