As far as I can tell only any of lists are available in @Secured annotations or ExpressionUrlAuthorizationConfigurer objects. Trying to add multiple annotations or hasAuthority() calls either fails to compile or only the latest one is used.
How can I define that a particular request (set of requests matching a pattern), or method requires all of a list of roles/authorities?
The best solution appears to be
@PreAuthorize("hasRole('one') and hasRole('two') and ...")
There's no nice way to use constants, like with @Secured.