After integrating spring-security into spring-boot, the corresponding annotations are enabled with @EnableGlobalMethodSecurity.
Access to a specific controller method can then be controlled by adding the @PreAuthorize annotation to it.
PreAuthorize usually relies on hasRole and hasAuthority to control access, but hasRole has a rather nasty pitfall.
The source (an excerpt from SecurityExpressionRoot) is as follows:
    public final boolean hasAuthority(String authority) {
        return this.hasAnyAuthority(authority);
    }

    public final boolean hasAnyAuthority(String... authorities) {
        // no prefix: the authority string is matched verbatim
        return this.hasAnyAuthorityName((String) null, authorities);
    }

    public final boolean hasRole(String role) {
        return this.hasAnyRole(role);
    }

    public final boolean hasAnyRole(String... roles) {
        // the default prefix "ROLE_" is passed along here
        return this.hasAnyAuthorityName(this.defaultRolePrefix, roles);
    }

    private boolean hasAnyAuthorityName(String prefix, String... roles) {
        Set<String> roleSet = this.getAuthoritySet();
        String[] var4 = roles;
        int var5 = roles.length;
        for (int var6 = 0; var6 < var5; ++var6) {
            String role = var4[var6];
            String defaultedRole = getRoleWithDefaultPrefix(prefix, role);
            if (roleSet.contains(defaultedRole)) {
                return true;
            }
        }
        return false;
    }

    private static String getRoleWithDefaultPrefix(String defaultRolePrefix, String role) {
        if (role == null) {
            return role;
        } else if (defaultRolePrefix != null && defaultRolePrefix.length() != 0) {
            // prepend the prefix unless the role already carries it
            return role.startsWith(defaultRolePrefix) ? role : defaultRolePrefix + role;
        } else {
            return role;
        }
    }
From the source we can see that hasRole prepends the ROLE_ prefix to the role name before checking it.
If you use this method, you therefore need to add ROLE_ both where the user's authorities are assigned and where they are checked,
so unless it is really required, hasAuthority is the recommended way to perform the check.
The prefix comes from this field in the same class:
    private String defaultRolePrefix = "ROLE_";
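The mismatch described above, shown end to end as an added example (not code from the original post): the user names, passwords and endpoint paths are assumptions, and the comments state which user each annotation admits.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
class MethodSecurityConfig {

    // Two constructed demo users; "{noop}" keeps the password unencoded for the example.
    @Bean
    InMemoryUserDetailsManager users() {
        // roles("ADMIN") stores the authority as "ROLE_ADMIN": the prefix is added here.
        UserDetails alice = User.withUsername("alice").password("{noop}pw").roles("ADMIN").build();
        // authorities("ADMIN") stores exactly "ADMIN", with no prefix.
        UserDetails bob = User.withUsername("bob").password("{noop}pw").authorities("ADMIN").build();
        return new InMemoryUserDetailsManager(alice, bob);
    }
}

@RestController
class AdminController {

    // hasRole('ADMIN') is evaluated as "ROLE_ADMIN": alice passes, bob gets 403.
    @PreAuthorize("hasRole('ADMIN')")
    @GetMapping("/admin/by-role")
    String byRole() { return "ok"; }

    // hasAuthority('ADMIN') is matched verbatim: bob passes, alice gets 403,
    // because her stored authority is "ROLE_ADMIN", not "ADMIN".
    @PreAuthorize("hasAuthority('ADMIN')")
    @GetMapping("/admin/by-authority")
    String byAuthority() { return "ok"; }

    // Spelling the full string out with hasAuthority makes the check predictable:
    // it admits exactly the users whose stored authority is "ROLE_ADMIN" (alice).
    @PreAuthorize("hasAuthority('ROLE_ADMIN')")
    @GetMapping("/admin/by-prefixed-authority")
    String byPrefixedAuthority() { return "ok"; }
}
```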