Solution: First, you can embed a security:intercept-methods element in a bean definition to secure its methods. Alternatively, you can configure a global global-method-security element to secure multiple methods.

Solution: In a bean’s security:intercept-methods, you can specify multiple security:protect elements to specify access attributes for this bean’s methods.

Solution: If you would like to use a custom access decision manager, you can specify it in the access-decision-manager-ref.

Solution: The security:authentication tag exposes the current user’s Authentication object for you to render its properties.

Solution: You can store the authorities property, which contains the authorities granted to the user, in the JSP variable authorities, and render them one by one with a c:forEach tag.

Solution: If you would like to render view contents conditionally according to a user’s authorities, you can use the security:authorize tag.

Solution: If you want the enclosing content to be rendered only when the user has been granted certain authorities at the same time, you have to specify them in the ifAllGranted attribute.

Solution: Spring Security provides a module named ACL that allows each domain object to have its own access control list (ACL).

Solution: Each ACE contains permissions for a particular SID. An SID can be a principal (PrincipalSid) or an authority (GrantedAuthoritySid) to associate with permissions.

Solution: In Spring Security, there are two interfaces that define operations of an ACL service: AclService and MutableAclService. AclService defines operations for you to read ACLs.