I have an interface IGenericDAO, which has save, saveOrUpdate and delete methods, marked with @RolesAllowed("ROLE_ADMIN") 
I then have an interface ICustomerDAO which extends IGenericDAO.
There is a concrete implementation GenericDAO, which implements save, saveOrUpdate and delete, with no annotations.
There is a concrete implementation CustomerDAO which extends GenericDAO and adds some extra search helpers.
CustomerDAO does not override save, saveOrUpdate or delete, nor does ICustomerDAO.
I then get the following unusual behaviour:
IGenericDAO dao; // injected by spring (concrete GenericDAO)
ICustomerDAO csDAO; // injected by spring (concrete CustomerDAO)
dao.save(new BlahDomainObject("genericblah")); // rejected for ROLE_USER, as expected
csDAO.save(new BlahDomainObject("csBlah")); // Succeeds!!! for ROLE_USER, definitely not expected!
This is NOT expected. save() is annotated in the only place it can be, but has no effect when I use the extension interface.
I tried this with @Secured from Spring as well, with the same results.
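To see where the annotation actually lives from the JVM's point of view, here is an added, plain-Java reflection probe that is not part of the question above and does not use Spring. It assumes simplified versions of the four types from the post (a single `save(Object)` method stands in for `save`, `saveOrUpdate` and `delete`; the `findByName` helper on `ICustomerDAO` is hypothetical) and that `javax.annotation.security.RolesAllowed` is on the classpath (bundled with JDK 8, otherwise via the `jakarta.annotation-api` 1.3.x jar). `rolesOn` mirrors what a naive `Method.getAnnotation` lookup sees, and `findViaInterfaces` shows the superclass-and-interface walk a security interceptor has to perform to find an annotation that was only placed on the interface.

```java
import javax.annotation.security.RolesAllowed;
import java.lang.reflect.Method;
import java.util.Arrays;

// Simplified stand-ins for the types described in the post (assumed shapes).
interface IGenericDAO {
    @RolesAllowed("ROLE_ADMIN")
    void save(Object entity);
}

interface ICustomerDAO extends IGenericDAO {
    Object findByName(String name); // hypothetical extra search helper
}

class GenericDAO implements IGenericDAO {
    public void save(Object entity) { /* persist */ }
}

class CustomerDAO extends GenericDAO implements ICustomerDAO {
    public Object findByName(String name) { return null; }
}

public class RolesAllowedProbe {

    // What a direct lookup on the resolved method sees. Java does not inherit
    // method annotations from an interface onto the implementing method, so
    // this returns null for GenericDAO.save / CustomerDAO.save.
    static RolesAllowed rolesOn(Class<?> type, String name, Class<?>... params)
            throws NoSuchMethodException {
        return type.getMethod(name, params).getAnnotation(RolesAllowed.class);
    }

    // What a framework must do instead: walk the class hierarchy and every
    // implemented interface (recursively) until a declaration of the method
    // carrying the annotation is found. Returns null if none exists.
    static RolesAllowed findViaInterfaces(Class<?> type, String name, Class<?>... params) {
        for (Class<?> c = type; c != null; c = c.getSuperclass()) {
            try {
                RolesAllowed ra = c.getDeclaredMethod(name, params).getAnnotation(RolesAllowed.class);
                if (ra != null) return ra;
            } catch (NoSuchMethodException ignored) {
                // not declared on this class; keep walking
            }
            for (Class<?> iface : c.getInterfaces()) {
                RolesAllowed ra = findViaInterfaces(iface, name, params);
                if (ra != null) return ra;
            }
        }
        return null;
    }

    private static String show(RolesAllowed ra) {
        return ra == null ? "NONE" : Arrays.toString(ra.value());
    }

    public static void main(String[] args) throws Exception {
        Class<?>[] types = { IGenericDAO.class, ICustomerDAO.class, GenericDAO.class, CustomerDAO.class };
        for (Class<?> t : types) {
            Method m = t.getMethod("save", Object.class);
            System.out.printf("%-13s save() declared by %-12s direct=%-13s via-interfaces=%s%n",
                    t.getSimpleName(),
                    m.getDeclaringClass().getSimpleName(),
                    show(rolesOn(t, "save", Object.class)),
                    show(findViaInterfaces(t, "save", Object.class)));
        }
    }
}
```

Running the probe prints `direct=[ROLE_ADMIN]` for the two interfaces (for `ICustomerDAO` the resolved `Method` is declared by `IGenericDAO`, since `ICustomerDAO` does not redeclare `save`) but `direct=NONE` for both concrete classes, while `via-interfaces` reports `[ROLE_ADMIN]` for all four. Whichever interceptor is enforcing `@RolesAllowed` therefore has to perform the interface walk itself; a quick way to make a setup like the one in the question fail closed is to put the annotation on the concrete methods (or class) as well, and to keep a unit test that calls something like `findViaInterfaces` for every public method of every DAO bean and fails when it returns null.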