Spring security: forcing https using annotations?

Question

The spring security docs state (2.3.2):

If your application supports both HTTP and HTTPS, and you require that particular URLs can only be accessed over HTTPS, then this is directly supported using the requires-channel attribute on :

  <http>
    <intercept-url pattern="/secure/**" access="ROLE_USER" requires-channel="https"/>
    <intercept-url pattern="/**" access="ROLE_USER" requires-channel="any"/>
    ...
  </http>

But I'm using annotations on my controllers, not intercept-url elements.

• Can I enforce HTTPS selectively via annotations?
• Can I force HTTP for non-secure pages?

Answer 1

From the available docs, it appears that using only annotations it may not be possible to enforce channel security.