Spring Security does a search for annotations in a slightly different way than TYPE_HIERARCHY. It does the following:

  1. If it finds the annotation on the target method, then it stops searching
  2. Otherwise, it looks one level up (superclass + interfaces). If it finds the annotation on more than one, it errors; otherwise if it finds it on just one, it stops searching
  3. Otherwise, recursively return to level 2 for each class/interface

In other words, Security wants to use the @PreAuthorize annotation (for example) that is closest to the method being invoked, and if more than one is equally close, it errors.

The traversal logic is similar in many ways to AnnotationsScanner, but I haven't found a way to exercise the API to achieve the above.

In talking with @sbrannen, it was thought that getAggregateIndex might allow for this kind of searching; however, that does not appear to work, so this may be a bug.

Currently, Security duplicates the method hierarchy traversal logic in AnnotationsScanner in its authorization support. Whether a bug or an enhancement, being able to rely on MergedAnnotations instead would be more secure and easier to support.
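
The "closest annotation wins, equally close is an error" search from steps 1-3 above, as an added example in plain Java reflection; it is not Spring Security's or Spring Framework's code and does not use MergedAnnotations. `Rule` stands in for `@PreAuthorize`, all class and method names are hypothetical, and step 3 is read here as a level-by-level walk up the hierarchy.

```java
import java.lang.annotation.*;
import java.lang.reflect.Method;
import java.util.*;
public class ClosestAnnotationSearch {
    // Constructed stand-in for @PreAuthorize and constructed hierarchies (no Spring needed).
    @Retention(RetentionPolicy.RUNTIME) @Target(ElementType.METHOD)
    @interface Rule { String value(); }
    interface Readable { @Rule("read") void run(); }
    interface Writable { @Rule("write") void run(); }
    static class Base implements Readable { public void run() {} }
    static class Inherits extends Base { public void run() {} }  // one candidate, two levels up
    static class Overrides extends Base { @Rule("admin") public void run() {} }  // target method wins
    static class Ambiguous implements Readable, Writable { public void run() {} }  // two at one level

    static Rule closest(Method target, Class<?> targetClass) {
        Set<Class<?>> level = Set.of(targetClass);       // level 0: the target method itself (step 1)
        while (!level.isEmpty()) {
            Map<Class<?>, Rule> found = new LinkedHashMap<>();
            Set<Class<?>> next = new LinkedHashSet<>();  // a set, so a diamond is visited once
            for (Class<?> type : level) {
                Rule rule = declaredRule(type, target);
                if (rule != null) found.put(type, rule);
                if (type.getSuperclass() != null) next.add(type.getSuperclass());
                next.addAll(Arrays.asList(type.getInterfaces()));
            }
            // Step 2: more than one equally close candidate is an error; exactly one ends the search.
            if (found.size() > 1) throw new IllegalStateException("Ambiguous @Rule on " + found.keySet());
            if (found.size() == 1) return found.values().iterator().next();
            level = next;                                // step 3: nothing here, go one level up
        }
        return null;                                     // no annotation anywhere in the hierarchy
    }

    // Annotation on the same-signature method declared by `type` itself, or null.
    static Rule declaredRule(Class<?> type, Method target) {
        try {
            return type.getDeclaredMethod(target.getName(), target.getParameterTypes()).getAnnotation(Rule.class);
        } catch (NoSuchMethodException e) { return null; }
    }

    public static void main(String[] args) throws Exception {
        for (Class<?> c : List.of(Inherits.class, Overrides.class, Ambiguous.class)) {
            try {
                System.out.println(c.getSimpleName() + " -> " + closest(c.getMethod("run"), c).value());
            } catch (IllegalStateException e) {
                System.out.println(c.getSimpleName() + " -> " + e.getMessage());
            }
        }
    }
}
```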