Spring Security's @PreAuthorize
is used for authorizing access to methods. It doesn't know really much about Spring MVC, in particular about its @RequestMapping
annotation.
Names like #cmd
will refer to method parameters, and your cmd
parameter is null. Change it to:
@PathVariable("cmd") String cmd
This way, cmd
path variable will be bound to cmd
method parameter, which will then be bound by #cmd
in @PreAuthorize
.