/**
 * Web security configuration: one in-memory account plus role-based URL rules
 * behind form login.
 *
 * <p>Review notes, limited to what this class shows:
 * <ul>
 *   <li>The only account is defined with a literal user name and a literal,
 *       easily guessed password. That is acceptable for a demo only. A real
 *       deployment should load credentials from external configuration or a
 *       user store and compare them through a {@code PasswordEncoder}.</li>
 *   <li>{@code /confidential/**} requires {@code ROLE_SUPERADMIN}, which no
 *       account defined in this class holds.</li>
 *   <li>No rule is declared for paths outside the two patterns (there is no
 *       {@code anyRequest()} entry), so nothing here requires authentication
 *       for them.</li>
 * </ul>
 */
@Configuration
@EnableWebSecurity
public class AppSecurityConfig extends WebSecurityConfigurerAdapter {

    /**
     * Registers the in-memory user {@code bill}.
     *
     * <p>{@code roles("ADMIN")} yields the authority {@code ROLE_ADMIN}, which is
     * the value the {@code /protected/**} rule in {@link #configure(HttpSecurity)}
     * tests for.
     *
     * @param auth builder that receives the in-memory user definition
     * @throws Exception if the builder rejects the configuration
     */
    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        // NOTE(review): hard-coded demo credential; do not ship this value.
        auth.inMemoryAuthentication()
            .withUser("bill")
            .password("123456")
            .roles("ADMIN");
    }

    /**
     * Declares which roles may reach which URL patterns and enables form login.
     *
     * @param http the HTTP security builder to configure
     * @throws Exception if the builder rejects the configuration
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
            // Admin area: reachable by the in-memory user defined above.
            .antMatchers("/protected/**").access("hasRole('ROLE_ADMIN')")
            // Super-admin area: no account in this class carries this role.
            .antMatchers("/confidential/**").access("hasRole('ROLE_SUPERADMIN')")
            .and()
            .formLogin();
    }
}

 

 

 

 

 

 

/**
 * Deletes the contact with the given id by delegating to {@code contactDAO}.
 *
 * <p>{@code @PreAuthorize} restricts the call to callers holding
 * {@code ROLE_ADMIN}. The annotation is only enforced when method security is
 * switched on (for example {@code @EnableGlobalMethodSecurity(prePostEnabled = true)}
 * on a configuration class). The {@code AppSecurityConfig} shown in this listing
 * carries only {@code @EnableWebSecurity}, so confirm that method security is
 * enabled elsewhere; without it this check does not run.
 *
 * @param id identifier of the contact to remove
 */
// NOTE(review): @Controller, @RequestMapping(...) and @SessionAttributes("pet") look
// like the header of a separate controller class that was merged into this listing;
// @Controller and @SessionAttributes are type-level annotations. Kept as on the page.
@Controller
@RequestMapping("/owners/{ownerId}/pets/{petId}/edit")
@SessionAttributes("pet")
@Transactional
@PreAuthorize("hasRole('ROLE_ADMIN')")
public void removeContact(Integer id) {
    // The role check above is the only guard visible here; the DAO call itself is unconditional.
    contactDAO.removeContact(id);
}