Spring-EL Expressions

To enable Spring Security EL expressions, add the following attribute to the <http> element in your application-security.xml file:

use-expressions="true"

A few gotchas when enabling this: each of your <intercept-url … access="ROLE_USER" rules needs to be changed to access="hasRole('ROLE_USER')", because every access value is now evaluated as an expression.

Also – the following exception will be thrown unless you change 'IS_AUTHENTICATED_ANONYMOUSLY' to 'permitAll':

Failed to evaluate expression 'IS_AUTHENTICATED_ANONYMOUSLY'
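
The migration described above, shown as a before/after pair. This is an added example, not configuration from the original post; the URL patterns, the auto-config attribute and the ROLE_MANAGER rule are assumptions chosen for illustration, and only one of the two <http> elements would appear in a real file:

```xml
<!-- Before: plain role names and IS_AUTHENTICATED_* tokens (expressions disabled) -->
<http auto-config="true">
    <intercept-url pattern="/login*"    access="IS_AUTHENTICATED_ANONYMOUSLY" />
    <intercept-url pattern="/manage/**" access="ROLE_MANAGER" />
    <intercept-url pattern="/**"        access="ROLE_USER" />
</http>

<!-- After: use-expressions="true"; every access value must now be an EL expression -->
<http auto-config="true" use-expressions="true">
    <!-- permitAll rather than isAnonymous(): IS_AUTHENTICATED_ANONYMOUSLY also
         admitted users who were already logged in, and permitAll keeps that behaviour -->
    <intercept-url pattern="/login*"    access="permitAll" />
    <intercept-url pattern="/manage/**" access="hasRole('ROLE_MANAGER')" />
    <!-- Rules are matched top to bottom, so the catch-all pattern stays last -->
    <intercept-url pattern="/**"        access="hasRole('ROLE_USER')" />
</http>
```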

In your JSP pages, the following can be used to secure portions of a page:

<sec:authorize access="hasRole('ROLE_MANAGER')">
...
</sec:authorize>

A few other useful links:

http://static.springsource.org/spring-security/site/docs/3.0.x/reference/springsecurity-single.html
http://ambisoft.pl/blog/
