Expression-based Access Control allows you to annotate specific methods with access rules. To enable, add the following element to your webmvc-config.xml file for your Roo webapp (not the security context file, it must be in the context file for the web app):
<security:global-method-security pre-post-annotations="enabled"/>
The explanation for why this needs to be in your webapp context is covered here.