How does Spring Security validate the @PreAuthorize annotation and call the hasAuthority() method?

Great question—let’s break this down step by step so you can see exactly what’s happening under the hood when you use @PreAuthorize and hasAuthority() in Spring Security.

How Spring Security Validates @PreAuthorize Annotations

First, you need to flip the switch for method-level security in your app by adding @EnableGlobalMethodSecurity(prePostEnabled = true) to your configuration class. This tells Spring to watch for and process @PreAuthorize annotations on your methods. Here’s the play-by-play when an annotated method gets called:

  • Method Interception: Spring uses AOP (Aspect-Oriented Programming) to intercept the method call before it runs. Think of this as a security guard checking your credentials before letting you enter a room—AOP is the guard that stops the method execution temporarily to run the permission check.
  • SpEL Expression Parsing: The value inside @PreAuthorize (like hasAuthority('manage_users')) is a Spring Expression Language (SpEL) expression. Spring Security passes this string to a SecurityExpressionHandler, which parses it into an executable, evaluatable expression.
  • Expression Evaluation: The parsed expression runs using a SecurityExpressionRoot instance. This root object has direct access to the current user’s authentication details, the HTTP request context, and other security utilities—so it knows exactly who’s trying to call the method and what permissions they have.
  • Access Decision: If the expression evaluates to true, the guard steps aside and lets the method execute normally. If it returns false, Spring Security throws an AccessDeniedException, which usually translates to a 403 Forbidden response in web applications.

Underlying Mechanism of hasAuthority()

The hasAuthority() function is a built-in SpEL helper from Spring Security, and its core logic lives in the SecurityExpressionRoot class. Here’s what happens when you call it:

  • Grab the Current User’s Authentication: First, it pulls the Authentication object from the SecurityContextHolder—this is where Spring stores the current logged-in user’s details, including their list of GrantedAuthority objects (each representing a permission the user has).
  • Match the Target Authority: The method takes the input authority string (e.g., 'manage_users') and compares it against every GrantedAuthority in the user’s set. It checks if any authority’s getAuthority() method returns a string that exactly matches the input.
  • Return the Verdict: If a match is found, hasAuthority() returns true, giving the green light for the method to run. If no match exists, it returns false, triggering the access denied flow.

A quick heads-up: hasAuthority() is case-sensitive by default. So if your user’s authority is stored as 'MANAGE_USERS' but you check hasAuthority('manage_users'), it’ll fail. You can tweak this behavior by implementing a custom GrantedAuthority or adjusting how the expression evaluates matches if needed.
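As an added example (not part of the original answer), here is a minimal Spring Boot 3 / Spring Security 6 setup that exercises the flow described above and checks the case-sensitivity caveat with tests; note that @EnableGlobalMethodSecurity(prePostEnabled = true) is deprecated since Spring Security 5.6 in favour of @EnableMethodSecurity, which enables @PreAuthorize by default. The class names MethodSecurityConfig, UserService and UserServiceAuthorizationTest are chosen for this example, and it assumes a Spring Boot application with spring-boot-starter-security, spring-security-test and JUnit 5 on the classpath (three source files, shown one after another).

```java
// MethodSecurityConfig.java (example config class, hypothetical name)
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;

@Configuration
@EnableMethodSecurity   // Spring Security 6 replacement for @EnableGlobalMethodSecurity(prePostEnabled = true)
public class MethodSecurityConfig { }

// UserService.java (example service; the method the AOP interceptor guards)
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.stereotype.Service;

@Service
public class UserService {
    // SpEL expression: SecurityExpressionRoot.hasAuthority() compares getAuthority() strings exactly
    @PreAuthorize("hasAuthority('manage_users')")
    public String listUsers() {
        return "alice,bob";
    }
}

// UserServiceAuthorizationTest.java (example test; verifies the grant and deny verdicts)
import static org.junit.jupiter.api.Assertions.assertEquals;
import static org.junit.jupiter.api.Assertions.assertThrows;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.test.context.support.WithMockUser;

@SpringBootTest
class UserServiceAuthorizationTest {
    @Autowired UserService userService;

    @Test
    @WithMockUser(authorities = "manage_users")   // exact match: expression evaluates to true
    void exactAuthorityIsGranted() {
        assertEquals("alice,bob", userService.listUsers());
    }

    @Test
    @WithMockUser(authorities = "MANAGE_USERS")   // case differs: hasAuthority() returns false
    void differentCaseIsDenied() {
        assertThrows(AccessDeniedException.class, userService::listUsers);
    }
}
```

The second test documents the case-sensitivity pitfall in a runnable form, so a mismatch between how authorities are stored and how they are checked fails at build time rather than as a 403 in production.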

The question is taken from Stack Exchange; it was asked by the user java dev.
