Some security annotations that are allowed to use SpEL include:
@PreAuthorize
@PreFilter
@PostAuthorize
@PostFilter
These provide expression-based access control. In Spring Security, @PreAuthorize is one of the most powerful annotations that allows you to use SpEL. But the old @Secured annotation cannot use it, for example you cannot write @Secured("hasRole('ROLEADMIN')"), but you can do @PreAuthorize("hasRole('ROLEADMIN')").