
SPRING IN ACTION, 4th Edition Notes - Chapter 9 Securing web applications - 010 - Intercepting requests

2016-03-08 11:39
1.

What if you wanted to restrict access to certain roles only on Tuesday?

Using the access() method, you can also use SpEL as a means for declaring access requirements. For example, here’s how you could use a SpEL expression to require ROLE_SPITTER access for the /spitter/me URL pattern:

.antMatchers("/spitter/me").access("hasRole('ROLE_SPITTER')")


This security constraint placed on /spitter/me is equivalent to the one we started
with, except that now it uses SpEL to express the security rules. The hasRole() expression
evaluates to true if the current user has been granted the given authority.





With Spring Security’s SpEL expressions at your disposal, you can do more than just
limit access based on a user’s granted authorities. For example, if you wanted to lock
down the /spitter/me URL to not only require ROLE_SPITTER, but to also only be
allowed from a given IP address, you might call the access() method like this:

.antMatchers("/spitter/me")
.access("hasRole('ROLE_SPITTER') and hasIpAddress('192.168.1.2')")
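The rules above placed in a complete configuration class, as an added example that is not code from the book or from these notes. It assumes the WebSecurityConfigurerAdapter style of the Spring Security 3.2/4.x line and Java 8+; the class name SecurityConfig, the /reports/** path and the 192.168.1.0/24 range are hypothetical.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter { // hypothetical class name

    // "Only on Tuesday" as SpEL: T(...) references a Java type, so the
    // expression can read the server's current day of week (server time zone).
    private static final String TUESDAY_ONLY =
        "T(java.time.LocalDate).now().dayOfWeek == T(java.time.DayOfWeek).TUESDAY";

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // Rule from the text: role AND source address must both match.
                // hasIpAddress() compares against ServletRequest.getRemoteAddr(),
                // so behind a reverse proxy or load balancer it sees the proxy's
                // address unless the container is configured to restore the
                // client address.
                .antMatchers("/spitter/me")
                    .access("hasRole('ROLE_SPITTER') and hasIpAddress('192.168.1.2')")
                // hasIpAddress() also accepts CIDR notation; combined here with
                // the day-of-week condition on a hypothetical path.
                .antMatchers("/reports/**")
                    .access("hasRole('ROLE_SPITTER') and hasIpAddress('192.168.1.0/24') and "
                            + TUESDAY_ONLY)
                // Matchers are evaluated in declaration order and the first match
                // wins, so the catch-all goes last and denies by default.
                .anyRequest().denyAll()
            .and()
            .formLogin();
    }
}
```

Because the first matching rule decides, a broad pattern declared above /spitter/me would silently bypass both the role and the address check.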