AbstractSecurityInterceptor contains the following throws clause:
throw new IllegalArgumentException(
"No public invocations are allowed via this AbstractSecurityInterceptor. "
+ "This indicates a configuration error because the "
+ "AbstractSecurityInterceptor.rejectPublicInvocations property is set to 'true'");
Unfortunately, this exception doesn't include any contextual information, making it hard to find out the exact problem. For example, for the MethodSecurityInterceptor subclass it would be useful if this exception included the class and method name that were attempted to be called.
In our specific situation, a single MethodSecurityInterceptor is re-used for multiple Spring beans and is set to reject public invocations (the interceptor gets added automatically to beans defined via some custom namespace). This means that for each bean that is defined through this custom namespace, authorizations must be explicitly added to the single MethodSecurityInterceptor configuration. If somebody forgets this, the exception mentioned above is thrown, but it is hard to find out exactly for which bean the authorizations are missing.