How to require multiple roles/authorities

As far as I can tell only any of lists are available in @Secured annotations or ExpressionUrlAuthorizationConfigurer objects. Trying to add multiple annotations or hasAuthority() calls either fails to compile or only the latest one is used.

How can I define that a particular request (set of requests matching a pattern), or method requires all of a list of roles/authorities?

Solution

The best solution appears to be

@PreAuthorize("hasRole('one') and hasRole('two') and ...")

There's no nice way to use constants, like with @Secured.

Why are there 2 Security Filter Chains defined for my Spring Boot Application?
Spring's @RequestParam with Enum
Role-based authentication not working with Keycloak and Java Spring
java.lang.ClassCastException: class org.springframework.web.servlet.DispatcherServlet cannot be cast to class jakarta.servlet.Servlet
Java Spring API NoClassDefFoundError: javax/persistence/EntityManagerFactory
UnsatisfiedDependencyException: Error creating bean with name
Failed to auto-configure a DataSource: 'spring.datasource.url' is not specified
Spring ApplicationContext - Resource leak: 'context' is never closed
Why can't I set HeapDumpOnOutOfMemoryError on GraalVM native image?
Cannot understand why this method is unresolved
How to avoid joining table when querying by a foreign key?
How to enable Spring Boot Live Dev Tools on IntelliJ 2021.2 to rebuild classes after modifications and deploy changes to server?
Spring multiple beans: Are there other precedence annotations besides `@Primary`?
Spring Batch FlatFileItemWriter - How to use stepExecution.jobId to generate file name
Pass filenames dynamically to FlatFileItemWriter through StepBuilderFactory stream() when using ClassifierCompositeItemProcessor in SpringBatch
Why does the main Spring Boot application always trigger PMD's HideUtilityClassConstructorCheck?
Why I can not look for entities between joined tables?
Test Unit Spring boot: Unable to register mock bean
Spring Security 6 - how to handle InvalidBearerTokenExeption
Incorrect Syntax near ',' in SQL query execution in Spring JPA but executes successfully in database
Spring @Sql Annotations, possible to run once before all tests?
Springboot mySQL Failed to determine a suitable driver class
Add JSF Message From Spring Bean
Spring Boot - no log file written (logging.file is not respected)
Handling Internal Server Error When OAuth Issuer Is Not Available in WebFluxSecurity
Return file from Spring @Controller having OutputStream
With deprecation of the `SecurityContextRepository.loadContext(HttpRequestResponseHolder)` method, how do we add `Set-Cookie` to the response?
How to correctly read Flux<DataBuffer> and convert it to a single inputStream
Implementing Custom Expression Handling with Spring Security 6
Can I set a TTL for @Cacheable