解決方案：

先直接說下解決方案，權限點設計成如下：

/api/books/{id:\d*}

問題描述：

獲取書本詳情的標準restful路由，一般是這樣的/api/books/12， 12即該book的id，如果需要擁有訪問該路由的權限，一般可以這樣設計/api/books/*。

但是如果類似有一個獲取書本封面的請求，比如：/api/books/getCover，那么如果給了/api/books/*這樣的權限的話，getCover這個也可以請求成功，就無法區分了。

源碼分析：

請求地址和權限點匹配判斷代碼：

if(antPathMatcher.match(permission.getRequestUrl(),requestUri)){
	...
}

匹配代碼的源碼如下：
那我們來分析下matchStrings 這個方法

private boolean matchStrings(String pattern, String str,
		@Nullable Map<String, String> uriTemplateVariables) {

	return getStringMatcher(pattern).matchStrings(str, uriTemplateVariables);
}

接下來看下getStringMatcher

protected AntPathStringMatcher getStringMatcher(String pattern) {
	AntPathStringMatcher matcher = null;
	Boolean cachePatterns = this.cachePatterns;
	if (cachePatterns == null || cachePatterns.booleanValue()) {
		matcher = this.stringMatcherCache.get(pattern);
	}
	if (matcher == null) {
		matcher = new AntPathStringMatcher(pattern, this.caseSensitive);
		if (cachePatterns == null && this.stringMatcherCache.size() >= CACHE_TURNOFF_THRESHOLD) {
			// Try to adapt to the runtime situation that we're encountering:
			// There are obviously too many different patterns coming in here...
			// So let's turn off the cache since the patterns are unlikely to be reoccurring.
			deactivatePatternCache();
			return matcher;
		}
		if (cachePatterns == null || cachePatterns.booleanValue()) {
			this.stringMatcherCache.put(pattern, matcher);
		}
	}
	return matcher;
}

接下來看AntPathStringMatcher的構造函數：

public AntPathStringMatcher(String pattern, boolean caseSensitive) {
	this.rawPattern = pattern;
	this.caseSensitive = caseSensitive;
	StringBuilder patternBuilder = new StringBuilder();
	Matcher matcher = GLOB_PATTERN.matcher(pattern);
	int end = 0;
	while (matcher.find()) {
		patternBuilder.append(quote(pattern, end, matcher.start()));
		String match = matcher.group();
		if ("?".equals(match)) {
			patternBuilder.append('.');
		}
		else if ("*".equals(match)) {
			patternBuilder.append(".*");
		}
		else if (match.startsWith("{") && match.endsWith("}")) {
			int colonIdx = match.indexOf(':');
			if (colonIdx == -1) {
				patternBuilder.append(DEFAULT_VARIABLE_PATTERN);
				this.variableNames.add(matcher.group(1));
			}
			else {
				String variablePattern = match.substring(colonIdx + 1, match.length() - 1);
				patternBuilder.append('(');
				patternBuilder.append(variablePattern);
				patternBuilder.append(')');
				String variableName = match.substring(1, colonIdx);
				this.variableNames.add(variableName);
			}
		}
		end = matcher.end();
	}
	// No glob pattern was found, this is an exact String match
	if (end == 0) {
		this.exactMatch = true;
		this.pattern = null;
	}
	else {
		this.exactMatch = false;
		patternBuilder.append(quote(pattern, end, pattern.length()));
		this.pattern = Pattern.compile(patternBuilder.toString(),
				Pattern.DOTALL | (this.caseSensitive ? 0 : Pattern.CASE_INSENSITIVE));
	}
}

看到這里基本上也就明白了，這里如果設定的*號，這匹配的是.*，那參考這里

else if (match.startsWith("{") && match.endsWith("}")) {

我們把獲取詳情的權限點設計成

/api/books/{id:\d*}

這樣就可以匹配/api/books/12或者/api/books/123之類的詳情，又不會包含/api/books/getCover這樣的接口。