I have a class with RolesAllowed annotation, but I would like one method to be accessible by any logged in user. The problem is that PermitAll annotation does not override the RolesAllowed one. I checked the implementation of SecurityInterceptor.accept() method and I don't see that you even check for PermitAll on method.