springspring-securityspring-4

How to require multiple roles/authorities


As far as I can tell only any of lists are available in @Secured annotations or ExpressionUrlAuthorizationConfigurer objects. Trying to add multiple annotations or hasAuthority() calls either fails to compile or only the latest one is used.

How can I define that a particular request (set of requests matching a pattern), or method requires all of a list of roles/authorities?


Solution

  • The best solution appears to be

    @PreAuthorize("hasRole('one') and hasRole('two') and ...")
    

    There's no nice way to use constants, like with @Secured.