Spring security

The secured object is an abstract representing whatever is secured. It may be a MethodInvocation in case of @Secured, @RolesAllowed, @PreFilter and @PreAuthorize, or a FilterInvocation in case of <intercept-url /> or any other object if required.

The @PreFilter and @PreAuthorize annotations are handled by PreInvocationAuthorizationAdviceVoter. It uses the MethodInvocation to get the annotations and their attributes values, so it has:

public boolean supports(Class<?> clazz) {
    return clazz.isAssignableFrom(MethodInvocation.class);
}

The WebExpressionVoter is web-invocation specific, because it matches the URL to the patterns from <intercept-url />, that's why it has:

public boolean supports(Class<?> clazz) {
    return clazz.isAssignableFrom(FilterInvocation.class);
}

The RoleVoter only uses the Authentication object contents, so it does not depend on the secured object, and that's why it has:

public boolean supports(Class<?> clazz) {
    return true;
}

Note, that You can have a separate AccessDecisionManager for URL level security and method level security. The first will use voters that support FilterInvocation, and the other the ones that support MethodInvocation. Also note that RoleVoter supports both so it can be used in both contexts.

关键在于，得加上

public boolean supports(Class<?> clazz) {
    return true;
}