Spring security is by passing authorization

I have been trying to apply method based authorization on my rest service and whenever I try to login with user role and access admin role method it doesn't stop me. I have tried to apply group based authorization in my application. My database structure is pretty simple:

+----+------------+
| id | group_name |
+----+------------+
|  1 | Test A     |
|  2 | Test B     |
|  3 | Test C     |
+----+------------+

User Table:

+---------+------------------+---------------+
| user_id | user_screen_name | user_password |
+---------+------------------+---------------+
|       6 | admin            | admin         |
|       7 | user             | user          |
+---------+------------------+---------------+

group_members:

+----+------------------+----------+
| id | user_screen_name | group_id |
+----+------------------+----------+
|  1 | admin            |        1 |
|  2 | admin            |        2 |
|  3 | user             |        3 |
+----+------------------+----------+

User Group Authority:

+----+----------+-----------+
| id | group_id | authority |
+----+----------+-----------+
|  1 |        1 | ADMIN     |
|  2 |        2 | ADMIN     |
|  3 |        3 | USER      |
+----+----------+-----------+

Application Config file:

@EnableWebMvc
@Configuration
@ComponentScan({ "com.ws.service.*" })
@Import({ UserDetailsSecurityConfig.class })
@javax.ws.rs.ApplicationPath("webresources")
public class AppConfig extends Application {

    @Bean
    public InternalResourceViewResolver viewResolver() {
        InternalResourceViewResolver viewResolver 
                          = new InternalResourceViewResolver();
        return viewResolver;
    }
        @Bean
        public UserFacadeREST getUser(){
            return new UserFacadeREST(); 
        }

}

Security Config Class:

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(securedEnabled = true,prePostEnabled = true)
public class UserDetailsSecurityConfig extends WebSecurityConfigurerAdapter {
    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService( new CustomJDBCDaoImpl() );

    }
}

Methods from Rest Service:

 @GET
    @Secured({"ROLE_USER","USER"})
    @Path("getUser")
    @Produces({"application/xml", "application/json"})
    public User GetUser()  {

         UpUser result;
             result = new UpUser();

        return result;
    }


    @GET
    @Secured({"ROLE_ADMIN","ADMIN"})
    @Path("getMessageElement")
    @Produces({"application/xml", "application/json"})
    public MessageElement getMessageElement()  {

        MessageElement result = new MessageElement();
            result.setStrMessage(MessageElement.SUCCESS);
            result.setSuccessful(true);
        return result;
    }

Whenever I try to execute this service it works fine for me. And authenticate using my database user. But, both methods are available for "user" instead of one for "user" and other for "admin". Initially I was thinking I may have issues with the way I annotated that. So, I have applied both Roles instead of USER only. But, still no luck. Can anyone update me what I am doing wrong. I hope I have mentioned enough information.

Architecture Details:

• JavaEE 1.6 Rest Service


• Spring Security


• JPA


• Linux


• MySQL 5