Security中一些可選的表示式

permitAll    永遠返回true
denyAll    永遠返回false
anonymous    當前使用者是anonymous時返回true
rememberMe    當前使用者是rememberMe使用者時返回true
authenticated    當前使用者不是anonymous時返回true
fullAuthenticated    當前使用者既不是anonymous也不是rememberMe使用者時返回true
hasRole（role）    使用者擁有指定的角色許可權時返回true
hasAnyRole（[role1，role2]）    使用者擁有任意一個指定的角色許可權時返回true
hasAuthority（authority）    使用者擁有指定的許可權時返回true
hasAnyAuthority（[authority1,authority2]）    使用者擁有任意一個指定的許可權時返回true
hasIpAddress（
 
'192.168.1.0'）    請求傳送的Ip匹配時返回true

看到上述的表示式，應該能發現一些問題，在Security中，似乎並沒有嚴格區分角色和許可權，

如果沒有角色和許可權的區別，只需要hasRole()函式就夠了, hasAuthority()是做什麼用的？

答：區別就是，hasRole()的許可權名稱需要用 "ROLE_" 開頭，而hasAuthority()不需要，而且，這就是全部的區別。

在通常的系統設計中，我們區分角色和許可權，但是，判斷 “使用者是不是管理員”，和判斷 “是否擁有管理員許可權”，在程式碼邏輯上，其實是完全一致的，角色是一種許可權的象徵，可以看做是許可權的一種。因此，不區分角色和許可權，本身就是合理的做法。

如果撇開別的問題不談，只考慮許可權的問題，我們可以將角色視為許可權的一種，但是，角色是使用者的固有屬性，在使用者管理上還是非常有必要的，在Security4中，處理“角色”(如RoleVoter、hasRole表示式等)的程式碼總是會新增ROLE_字首，它更加方便開發者從兩個不同的維度去設計許可權。

Spring Security3 到 Spring Security4 的遷移文件：

http://docs.spring.io/spring-security/site/migrate/current/3-to-4/html5/migrate-3-to-4-jc.html#m3to4-role-prefixing

S.O. (Stack Overflow)網站對這個問題的描述：

https://stackoverflow.com/questions/19525380/difference-between-role-and-grantedauthority-in-spring-security

Think of a GrantedAuthority as being a "permission" or a "right". Those "permissions" are (normally) expressed as strings (with the getAuthority() method). Those strings let you identify the permissions and let your voters decide if they grant access to something.

You can grant different GrantedAuthoritys (permissions) to users by putting them into the security context. You normally do that by implementing your own UserDetailsService that returns a UserDetails implementation that returns the needed GrantedAuthorities.

Roles (as they are used in many examples) are just "permissions" with a naming convention that says that a role is a GrantedAuthority that starts with the prefix ROLE_. There's nothing more. A role is just a GrantedAuthority - a "permission" - a "right". You see a lot of places in spring security where the role with its ROLE_ prefix is handled specially as e.g. in the RoleVoter, where the ROLE_ prefix is used as a default. This allows you to provide the role names withtout the ROLE_ prefix. Prior to Spring security 4, this special handling of "roles" has not been followed very consistently and authorities and roles were often treated the same (as you e.g. can see in the implementation of the hasAuthority() method in SecurityExpressionRoot - which simply calls hasRole()). With Spring Security 4, the treatment of roles is more consistent and code that deals with "roles" (like the RoleVoter, the hasRole expression etc.) always adds the ROLE_ prefix for you. So hasAuthority('ROLE_ADMIN') means the the same as hasRole('ADMIN') because the ROLE_ prefix gets added automatically. See the spring security 3 to 4 migration guide for futher information.