The real difference is that @PreAuthorize can work with Spring Expression Language (SpEL). You can:
- Access methods and properties of
SecurityExpressionRoot. -
Access method arguments (requires compilation with debug info or custom
ParameterNameDiscoverer):@PreAuthorize("#contact.name == principal.name") public void doSomething(Contact contact) - (Advanced feature) Add your own methods (override
MethodSecurityExpressionHandlerand set it as<global-method-security><expression-handler ... /></...>).