4、Spring Security 安全权限管理手册

SpringSecurity3.0安全权限管理手册参考文献：1、中的springsecurity权限管理手册。2、springsecurity3.0权限管理手册3、spring的相关资料。本文档内容仅仅作为公司权限管理资料用，对于企业来说，权限管理将是系统中的非常重要的一个模块，权限的设计也是参考相关资料进行整理和补充。系统将通过数据库进行管理用户权限。权限管理搭建要的问题：1、区分Authentication（验证）与Authorization（授权）验证这个用户是谁？用户身份可靠吗？授权某用户A是否可以访问资源R某用户A是否可以执行M操作某用户A是否可以对资源R执行M操作2、SS中的验证特点支持多种验证方式支持多种加密格式支持组件的扩展和替换可以本地化输出信息3、SS中的授权特点支持多种仲裁方式支持组件的扩展和替换支持对页面访问、方法访问、对象访问的授权。4、SS核心安全实现Web安全通过配置ServletFilter激活SS中的过滤器链实现Session一致性验证实现免登陆验证（Remember-Me验证）提供一系列标签库进行页面元素的安全控制方法安全通过AOP模式实现安全代理Web安全与方法安全均可以使用表达式语言定义访问规则5、配置SS配置Web.xml,应用安全过滤器配置Spring，验证与授权部分在web页面中获取用户身份在web页面中应用安全标签库实现方法级安全6、配置web.xml7、Spring配置文件中设置命名空间8、通过数据库验证用户身份9、完善web页面验证规则10、自定义验证配置11、本地化消息输出(国际化)根据公司项目的开发要求和集合springsecurity3.0功能，公司将通过数据库进行对用户身份验证和授权，系统将建立5个基础表进行对权利的管理。第一部分数据库设计1、表设计表1：用户表(pubusers)序号字段类型含义备注1UserIdVchar(32)用户idPK2user_accountVchar(30)登陆用户名(登陆号)3UsernameVchar(40)用户姓名4userPasswordVchar(100)用户密码5EnabledInt是否被禁用0禁用1正常6isSysInt是否是超级用户0非1是7userDEScVchar(100)描述说明：pubusers表中的登录名和密码用来控制用户的登录。表2：权限表(pubauthorities)序号字段类型含义备注1authorityIdVchar(32)权限idPK2AuthoritynameVchar(40)权限名称3AuthorityDEScVchar(100)权限描述4EnabledInt是否被禁用0禁用1正常5isSysInt是否是超级权限0非1是说明：pub_authorities表中描述的是系统拥有哪些权限，如果要详细分类，可亦将一个url定义一个权限，那样就能对所有资源进行管理。表3：角色表(pubroles)序号字段类型含义备注1roleIdVchar(32)角色idPK2rolenameVchar(100)角色名称3roleDEScVchar(100)角色描述4EnabledInt是否被禁用0禁用1正常5isSysInt是否是超级权限0非1是说明：pub_roles表中描述的是系统按用户分类或按照功能模块分类，将系统进

行整合归类管理。表4：资源表(pubresources)序号字段类型含义备注1resourceIdVchar(32)资源idPK2resource_nameVchar(lOO)资源名称3resourcetypeVchar(40)资源类型url、method4priorityint资源优先权即排序5resourcestringVchar(200)资源链接6resourceDEScVchar(100)资源描述7EnabledInt是否被禁用0禁用1正常8isSysInt是否是超级权限0非1是说明:pubroles表中描述的是系统需要保?护的资源及(url或方法)。以上四个表是权限管理的基础表(用户表、权限表、角色表、资源表)。表5：用户角色连接表(pubusersroles)序号字段类型含义备注1IdIndetityId主键PK2userIdVchar(32)用户id3roleidVchar(32)角色id说明：用来定管理用户和角色的关系。表6：角色权限连接表(pubrolesauthorities)序号字段类型含义备注1IdIndetityId主键PK2roleIdVchar(32)角色id3authorityIdVchar(32)权限id说明：用来定管理角色和权限的关系。表7：权限资源连接表(pubauthoritiesresources)序号字段类型含义备注1IdIndetityId主键PK2authorityIdVchar(32)权限id3resourceIdVchar(32)资源id说明：用来定管理角色和权限的关系。2、建表语句如下(数据库釆用MSSQL2000)：createtablepub_users(user_idvarchar(32),user_accountvarchar(30),user_namevarchar(40),user_passwordvarchar(100),user_descvarchar(100),enabledint,issysint);altertablepub_usersaddconstraintpk_pub_usersprimarykey(user_id);createtablepub_authorities(authority_idvarchar(32),authority_namevarchar(40),authority_descvarchar(100),enabledint,issysint);altertablepub_authoritiesaddconstraintpk_pub_authoritiesprimarykey(authority_id);createtablepub_roles(role_idvarchar(32),role_namevarchar(40),role_descvarchar(100),enabledint,issysint);altertablepub_rolesaddconstraintpk_pub_rolesprimarykey(role_id);createtablepub_resources(resource_idvarchar(32),resource_namevarchar(100),resource_descvarchar(100),resource_typevarchar(40),resource_stringvarchar(200),priorityint,enabledint,issysint);altertablepub_resourcesaddconstraintpk_pub_resourcesprimarykey(resource_id);createtablepub_users_roles(idnumeric(12,0)IDENTITYNOTNULL,user_idvarchar(32),role_idvarchar(32),enabledint);altertablepub_users_rolesaddconstraintpk_pub_users_rolesprimarykey(id);altertablepub_users_rolesaddconstraintfk_users_roles_usersforeignkey(user_id)referencespub_users(user_id);altertablepub_users_rolesaddconstraintfk_users_roles_rolesforeignkey(role_id)referencespub_roles(role_id);createtablepub_roles_authorities(idnumeric(12,0)IDENTITYNOTNULL,role_idvarchar(32),authority_idvarchar(32),enabledint);altertablepub_roles_authoritiesaddconstraintpk_pub_roles_authoritiesprimarykey(id);altertablepub_roles_authoritiesaddconstraintfk_pub_roles_authorities_authoritiesforeignkey(authority_id)referencespub_authorities(authority_id);altertablepub_roles_authoritiesaddconstraintfk_pub_roles_authorities_rolesforeignkey(role_id)referencespub_roles(role_id);createtablepub_authorities_resources(idnumeric(12,0)IDENTITYNOTNULL,authority_idvarchar(32),resource_idvarchar(32),enabledint);altertablepub_authorities_resourcesaddconstraintpk_pub_authorities_resourcesprimarykey(id);altertablepub_authorities_resourcesaddconstraintfk_pub_authorities_resources_authoritiesforeignkey(authority_id)referencespub_authorities(authority_id);altertablepub_authorities_resourcesaddconstraintfk_pub_authorities_resources_resourcesforeignkey(resource_id)referencespub_resources(resource_id);3、E-R图如下:

Jpiib_authnritiesiutharity_i1authority_nsmfii^th-arily_d.<：GC«rio.bla>ipubusETSrolespub_roles_au.thnrpubanthnritiesresourcesutflr_3dGitablwdaiLtK:>rity_^bL昱dAutRar1七『_】drqeoutJpiib_authnritiesiutharity_i1authority_nsmfii^th-arily_d.<：GC«rio.bla>ipubusETSrolespub_roles_au.thnrpubanthnritiesresourcesutflr_3dGitablwdaiLtK:>rity_^bL昱dAutRar1七『_】drqeoutaG_idqjiqBLad.pub^rol■usarztiiTic：,2EgibLad■usaren&lilelUSSl_f>i££lVpubUSETSUEbTACCDUIltras:^rrefl_racourcflnuTiores■:Hji-ca■laeg■:4切p。res■:Hji-castringpri■:>rity亡:rtXbl亡dissyzpubTesoiircps第二部分WEB数据库整合提示：相关代码请参考项目模块1、将数据库表结构和Hibernate建立映射，本系统釆用annotation进行对数据库进行零配置处理（请参考hibernate映射），如图。-甘_、rstfr：anie-借0--jJcom.rstcu.±r:±jtie3JBrriijdill&eIII-田屈十；击currirTiun■…田seem-ity+护址田.lataisA田fentit7E"JT|FubAn^horities.javaTOC\o"1-5"\h\z!i:i:"r-...-^田…!FubAnthoritiezRezowceE.java!i!ii*1—.^j®-JFubRewrnrreez.ja^a!j:!:I—.^；PubRol&e.ja^a:::j:'i—4-.IPubRijl&EAutkorLties.java::=::S|—.^"E".jLF口bl『sers.j十iIjFubU5ersEol已5.java2、建立权限的Dao层。FubAutkorLtiesTl：=lFubAutkorLtiesTl：=lu.iavaFubAuthjjri_ti已sResuui-ce5Dao.javaFutiTieeijurc@illam.jav：±FutiJLijlgsAuthoritiesllam.javaPubEdleeBao.」:羽注PublJserzH：=lu.」a^aPublJsersFlolesDao.j-口3r51Erame-•繆srcis-fflcom.rstcu.fr：inie+®III._-母£)■rTiOduly5pul-；吾se'-ixrity-JB讪+++++++FubAutkorLti总弓Ustj:lV=lPubAuthorl11esReeoiji-ceeDao.javaFublk弓iirceslia'?.javaFutifLijlesAuthoritiezllam.javaFutiJLijlgsBao.jaLraPublJserzH：=lu.」a^aPublJsersFlolesDao.j一亡廿rettr:iirieEJ-j_^src丨H-fflcoti.retca.fr:inie+田module5_田PuP+电common_审eecirrity-田皿+0::::;C十31iiii十国+0|||+0I!:!:+』!!:!:j—t+』3、建立权限的Service层4、配置web.xml<?xmlversion="1.0"encoding="UTF-8"?><web-appversion="2.5"xmlns="/xml/ns/javaee<web-appversion="2.5"xmlns:xsi="/2001/XMLSchema-instance"xsi:schemaLocation="/xml/ns/javaee/xml/ns/javaee/web-app_2_5.xsd"><display-name>rstframe</display-name><context-param><param-name>webAppRootKey</param-name><param-value>rstframe.root</param-value></context-param><context-param><param-name>log4jConfigLocation</param-name><param-value>classpath:perties</param-value></context-param><context-param><param-name>log4jRefreshInterval</param-name><param-value>60000</param-value></context-param><!--SpringApplicationContext配置文件的路径,可使用通配符,多个路径用,号分隔此参数用于后面的SpringContextLoader--><context-param><param-name>contextConfigLocation</param-name><param-value>classpath*:/applicationContext.xml,classpath*:/applicationContext-rstframe.xml</param-value></context-param><!--CharacterEncodingfilter--><filter><filter-name>encodingFilter</filter-name><filter-class>org.springframework.web.filter.CharacterEncodingFilter</filter-class><init-param><param-name>encoding</param-name><param-value>UTF-8</param-value></init-param></filter><filter-mapping><filter-name>encodingFilter</filter-name><url-pattern>/*</url-pattern></filter-mapping><!--Springside'sHibernateOpenSessionInViewfilter--><filter><filter-name>hibernateOpenSessionInViewFilter</filter-name><filter-class>com.rstco.frame.modules.orm.hibernate.OpenSessionInViewFilter</filter-class><init-param><param-name>excludeSuffixs</param-name><param-value>js,css,jpg,gif</param-value></init-param></filter><filter-mapping><filter-name>hibernateOpenSessionInViewFilter</filter-name><url-pattern>/*</url-pattern></filter-mapping><!--SpringSecurityfilter--><filter><filter-name>springSecurityFilterChain</filter-name><filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class></filter><filter-mapping><filter-name>springSecurityFilterChain</filter-name><url-pattern>/*</url-pattern></filter-mapping><!--Struts2filter,actionPackages--><filter><filter-name>struts2Filter</filter-name><filter-class>org.apache.struts2.dispatcher.ng.filter.StrutsPrepareAndExecuteFilter</filter-class></filter><filter-mapping><filter-name>struts2Filter</filter-name><url-pattern>/*</url-pattern></filter-mapping><!--Spring的ApplicationContext载入--><listener><listener-class>org.springframework.web.context.ContextLoaderListener</listener-class></listener><listener><listener-class>org.springframework.web.util.Log4jConfigListener</listener-class></listener><!--Spring刷新Introspector防止内存泄露--><listener><listener-class>org.springframework.web.util.IntrospectorCleanupListener</listener-class></listener><!--防止多人登陆,控制一个用户只能登录一次，不能在其他地方重新登录--><listener><listener-class>org.springframework.security.web.session.HttpSessionEventPublisher</listener-class></listener><!—session超时定乂，单位为分钟—><session-config><session-timeout>20</session-timeout></session-config><welcome-file-list><welcome-file>index.jsp</welcome-file></welcome-file-list><!--error><error><exception-type>java.lang.Throwable</exception-type><location>/common/500jsp</location></error><error><error-code>500</error-code><location>/common/500jsp</location></error><error><error-code>404</error-code><location>/common/404jsp</location></error><error><error-code>403</error-code><location>/common/403jsp</location></error><jsp-config><taglib><taglib-uri>/WEB-INF/struts-menu-el.tld</taglib-uri><taglib-location>/WEB-INF/tlds/struts-menu-el.tld</taglib-location></taglib><taglib><taglib-uri>/WEB-INF/struts-menu.tld</taglib-uri><taglib-location>/WEB-INF/tlds/struts-menu.tld</taglib-location></taglib><taglib><taglib-uri>/WEB-INF/c.tld</taglib-uri><taglib-location>/WEB-INF/tlds/c.tld</taglib-location></taglib><taglib><taglib-uri>/WEB-INF/fmt.tld</taglib-uri><taglib-location>/WEB-INF/tlds/fmt.tld</taglib-location></taglib><taglib><taglib-uri>/WEB-INF/fn.tld</taglib-uri><taglib-location>/WEB-INF/tlds/fn.tld</taglib-location></taglib><!--loushangtld--><taglib><taglib-uri>/WEB-INF/web-date.tld</taglib-uri><taglib-location>/WEB-INF/tlds/web-date.tld</taglib-location></taglib><taglib><taglib-uri>/WEB-INF/web-flex.tld</taglib-uri><taglib-location>/WEB-INF/tlds/web-flex.tld</taglib-location></taglib><taglib><taglib-uri>/WEB-INF/web-graph.tld</taglib-uri><taglib-location>/WEB-INF/tlds/web-graph.tld</taglib-location></taglib><taglib><taglib-uri>/WEB-INF/web-grid.tld</taglib-uri><taglib-location>/WEB-INF/tlds/web-grid.tld</taglib-location></taglib><taglib><taglib-uri>/WEB-INF/web-html.tld</taglib-uri><taglib-location>/WEB-INF/tlds/web-html.tld</taglib-location></taglib><taglib><taglib-uri>/WEB-INF/web-list.tld</taglib-uri><taglib-location>/WEB-INF/tlds/web-list.tld</taglib-location></taglib><taglib><taglib-uri>/WEB-INF/web-loushang.tld</taglib-uri><taglib-location>/WEB-INF/tlds/web-loushanq.tld</taglib-location></taglib><taglib><taglib-uri>/WEB-INF/web-menu.tld</taglib-uri><taglib-location>/WEB-INF/tlds/web-menu.tld</taglib-location></taglib><taglib><taglib-uri>/WEB-INF/web-multitab.tld</taglib-uri><taglib-location>/WEB-INF/tlds/web-multitab.tld</taglib-location></taglib><taglib><taglib-uri>/WEB-INF/web-seltree.tld</taglib-uri><taglib-location>/WEB-INF/tlds/web-seltree.tld</taglib-location></taglib><taglib><taglib-uri>/WEB-INF/web-tab.tld</taglib-uri><taglib-location>/WEB-INF/tlds/web-tab.tld</taglib-location></taglib><taglib><taglib-uri>/WEB-INF/web-tree.tld</taglib-uri><taglib-location>/WEB-INF/tlds/web-tree.tld</taglib-location></taglib><taglib><taglib-uri>/WEB-INF/web-widgets.tld</taglib-uri><taglib-location>/WEB-INF/tlds/web-widgets.tld</taglib-location></taglib><taglib><taglib-uri>/WEB-INF/web-i18n.tld</taglib-uri><taglib-location>/WEB-INF/tlds/web-i18n.tld</taglib-location></taglib><!--loushangend--><taglib><taglib-uri>/WEB-INF/gystudio.tld</taglib-uri><taglib-location>/WEB-INF/tlds/gystudio.tld</taglib-location></taglib></jsp-config><mime-mapping><extension>rar</extension><mime-type>application/rar</mime-type></mime-mapping></web-app>5、配置springsecurity3.0中的xml文件文件名：applicationContext-security.xml<?xmlversion="1.0"encoding="UTF-8"?><beans:beansxmlns="/schema/security"xmlns:beans="/schema/beans"xmlns:xsi="/2001/XMLSchema-instance"xsi:schemaLocation="/schema/beans/schema/beans/spring-beans-3.0.xsd/schema/security/schema/security/spring-security-3.0.xsd"><beans:description>SpringSecurity安全配置</beans:description><!--http安全配置一_><httpauto-config="true"><intercept_urlpattern="/css/**"filters="none"/><intercept_urlpattern="/images/**"filters="none"/><intercept-urlpattern="/js/**"filters="none"/><intercept-urlpattern="/login.jsp"filters="none"/><!--<intercept-urlpattern="/index.jsp"access="ROLE_USER"/><intercept-urlpattern="/main.jsp"access="ROLE_ADAMIN"/>--><form-loginlogin="/login.jsp"default-target-url="/index.jspauthentication-failure-url="/login.jsp?error=1"/><!--尝试访问没有权限的页面时跳转的页面--><access-denied-handlererror="/common/403.jsp"/><logoutlogout-success-url="/login.jsp"/><session-management><concurrency-controlmax-sessions="1"error-if-maximum-exceeded="true"/></session-management><!--增加一个filter,这点与Acegi是不一样的，不能修改默认的filter了,这个filter位于FILTER_SECURITY_INTERCEPTOR之前一一><custom-filterref="myFilter"before="FILTER_SECURITY_INTERCEPTOR"/></http><!--一个自定义的filter，必须包含authenticationManager,accessDecisionManager,securityMetadataSource三个属性，我们的所有控制将在这三个类中实现，解释详见具体配置--><beans:beanid="myFilter"class="erceptor.MyFilterSecurityInterceptor"><beans:propertyname="authenticationManager"ref="authenticationManager"/><beans:propertyname="accessDecisionManager"ref="myAccessDecisionManagerBean"/><beans:propertyname="securityMetadataSource"ref="mySecurityMetadataSource"/></beans:bean><!--验证配置,认证管理器，实现用户认证的入口，主要实现UserDetailsService接口即可--><authentication-manageralias="authenticationManager"><authentication-provideruser-service-ref="userDetailsService"><!--<s:password-encoderhash="sha"/>--></authentication-provider></authentication-manager><!--项目实现的用户查询服务,将用户信息查询出来--><beans:beanid="userDetailsService"class="com.rstco.frame.pub.security.support.MyUserDetailService"/><!--访问决策器，决定某个用户具有的角色，是否有足够的权限去访问某个资源--><beans:beanid="myAccessDecisionManagerBean"class="com.rstco.frame.pub.security.support.MyAccessDecisionManager"></beans:bean><!--资源源数据定义，将所有的资源和权限对应关系建立起来，即定义某一资源可以被哪些角色访问--><beans:beanid="mySecurityMetadataSource"class="com.rstco.frame.pub.security.support.MyInvocationSecurityMetadataSourceService"></beans:bean><!--定义国际化--><beans:beanid="messageSource"class="org.springframework.context.support.ReloadableResourceBundleMessageSource"><<beans:propertyname="basename"value="classpath:org/springframework/security/messages_zh_CN"/></beans:bean></beans:beans>这是项目的主体部分：-fcpi_s*tr：inie-於src这是项目的主体部分：-fcpi_s*tr：inie-於srcII・0-^5-,：lfri-匕£tcu.fi-!dnieiii.+卑mI：duleE_田put+I■■:f1fB-［廿COfTlfTl<TL另zecirrity亠.打i：i■:-田d.ata田-••出entLty-i^_rinterceptor十.」MyFilterSe匚ui-itylntere«ptor.j：iv：±(j-JJEhFVICt:-ssupportM/IilvocatlonSecurityfdetadataSmui-ceS已M/IilvocatlonSecurityfdetadataSmui-ceS已rvice.javaMyU£erD«taiIServine.jin.strutenuutilswst这四个类说明如下。—、用来获得用户验证信息〈MyUserDetailService)代码如下：packagecom.rstco.frame.pub.security.support;importjava.util.ArrayList;importjava.util.Collection;importjava.util.List;importorg.springframework.beans.factory.annotation.Autowired;importorg.springframework.dao.DataAccessException;importorg.springframework.security.core.GrantedAuthority;importorg.springframework.security.core.userdetails.User;importorg.springframework.security.core.userdetails.UserDetails;importorg.springframework.security.core.userdetails.UserDetailsService;importorg.springframework.security.core.userdetails.UsernameNotFoundException;importorg.springframework.stereotype.Service;importcom.rstco.frame.pub.security.dao.PubAuthoritiesResourcesDao;importcom.rstco.frame.pub.security.dao.PubUsersDao;importcom.rstco.frame.pub.security.entity.PubAuthorities;importcom.rstco.frame.pub.security.entity.PubAuthoritiesResources;//你就可以从数据库中读入用户的密码，角色信息，是否锁定，账号是否过期@ServicepublicclassMyUserDetailServiceimplementsUserDetailsService{@AutowiredprivatePubUsersDaopubUsersDao;@AutowiredprivatePubAuthoritiesResourcesDaopubAuthoritiesResourcesDao;publicUserDetailsloadUserByUsername(Stringusername)throwsUsernameNotFoundException,DataAccessException{Collection<GrantedAuthority>auths=newArrayList<GrantedAuthority>();//取得用户的权限List<PubAuthorities>auth=pubUsersDao.findAuthByUserName(username);Stringpassword=null;//取得用户的密码password=pubUsersDao.findUserByname(username).get(0).getUserPassword();List<PubAuthoritiesResources>aaa=pubAuthoritiesResourcesDao.getAll();Useruser=newUser(username,password,true,true,true,true,auths);returnuser;}}的对应资源数据二、最核心的地方，就是提供某个资源对应的权限定义，取得所有角色（auth）的对应资源数据(MyInvocationSecurityMetadataSourceService代码如下：packagecom.rstco.frame.pub.security.support;importjava.util.ArrayList;importjava.util.Collection;importjava.util.HashMap;importjava.util.Iterator;importjava.util.List;importjava.util.Map;importjavax.servlet.ServletContext;importorg.hibernate.Query;importorg.hibernate.Session;importorg.hibernate.SessionFactory;importorg.springframework.beans.factory.annotation.Autowired;importorg.springframework.context.ApplicationContext;importorg.springframework.context.support.ClassPathXmlApplicationContext;importorg.springframework.security.access.ConfigAttribute;importorg.springframework.security.access.SecurityConfig;importorg.springframework.security.web.FilterInvocation;ercept.FilterInvocationSecurityMetadataSource;importorg.springframework.security.web.util.AntUrlPathMatcher;importorg.springframework.security.web.util.UrlMatcher;importorg.springframework.stereotype.Service;importcom.rstco.frame.modules.orm.hibernate.HibernateDao;importcom.rstco.frame.pub.security.dao.PubAuthoritiesResourcesDao;importcom.rstco.frame.pub.security.entity.PubAuthorities;importcom.rstco.frame.pub.security.entity.PubResources;/***最核心的地方，就是提供某个资源对应的权限定义，即getAttributes方法返回的结果。注意，我例子中使用的是AntUrlPathMatcher这个pathmatcher来检查URL是否与资源定义匹配，*事实上你还要用正则的方式来匹配，或者自己实现一个matcher。*此类在初始化时，应该取到所有资源及其对应角色的定义**说明：对于方法的spring注入，只能在方法和成员变量里注入，如果一个类要进行实例化的时候，不能注入对象和操作对象，所以在构造函数里不能进行操作注入的数据。*/@ServicepublicclassMyInvocationSecurityMetadataSourceServiceimplementsFilterInvocationSecurityMetadataSource{@AutowiredprivatePubAuthoritiesResourcesDaopubAuthoritiesResourcesDao;privateUrlMatcherurlMatcher=newAntUrlPathMatcher();privatestaticMap<String,Collection<ConfigAttribute>>resourceMap=null;publicMyInvocationSecurityMetadataSourceService(){loadResourceDefine();}/*privatevoidloadResourceDefine(){HashMap<String,resourceMap=newHashMap<String,Collection<ConfigAttribute>>();newnewnewnewArrayList<ConfigAttribute>();ConfigAttributecaSecurityConfig("ROLE_ADMIN");atts.add(ca);resourceMap.put("/index.jsp",atts);resourceMap.put("/i.jsp",atts);}*/privatevoidloadResourceDefine(){ApplicationContextcontext=newClassPathXmlApplicationContext("applicationContext.xml");SessionFactorysessionFactory=(SessionFactory)context.getBean("sessionFactory");Sessionsession=sessionFactory.openSession();List<String>query=session.createSQLQuery("selectauthority_namefrompub_authorities").list();resourceMap=newHashMap<String,Collection<ConfigAttribute>>();Collection<ConfigAttribute>atts=newArrayList<ConfigAttribute>();//List<PubAuthorities>auths=session.createQuery(arg0);//pubAuthoritiesResourcesDao.findAuthAll();for(Stringauth:query){ConfigAttributeca=newSecurityConfig(auth);//"ROLE_ADMIN"//atts.add(ca);List<String>query1=session.createSQLQuery("selectresource_string"+"fromPub_Authorities_Resources,Pub_Resources,Pub_authorities"+"wherePub_Authorities_Resources.resource_id=Pub_Resources.resource_idand"+〃Pub_Authorities_Resources.resource_id=Pub_authorities.authority_idand"+"Authority_name='"+auth+"'").list();for(Stringres:query1){Stringurl=res;//判断资源文件和权限的对应关系，如果已经存在，要进行增加if(resourceMap.containsKey(url)){Collection<ConfigAttribute>value=resourceMap.get(url);value.add(ca);resourceMap.put(url,value);

//"log.jsp","role_user,role_admin"}else{atts.add(ca);resourceMap.put(url,atts);}resourceMap.put(url,atts);}}}//AccordingtoaURL,FindoutpermissionconfigurationofthisURL.publicCollection<ConfigAttribute>getAttributes(Objectobject)throwsIllegalArgumentException{//guessobjectisaURL.Stringurl=((FilterInvocation)object).getRequestUrl();Iterator<String>ite=resourceMap.keySet().iterator();while(ite.hasNext()){StringresURL=ite.next();if(urlMatcher.pathMatchesUrl(url,resURL)){returnresourceMap.get(resURL);}}returnnull;}publicbooleansupports(Class<?>clazz){returntrue;}publicCollection<ConfigAttribute>getAllConfigAttributes(){returnnull;}}三、最重要的是decide方法，如果不存在对该资源的定义，直接放行；否则,如果找到正确的角色，即认为拥有权限，并放行，否则thrownew就会进入上面提到的4O3.jsp页面。MyAccessDecisionManagerAccessDeniedException("noright");就会进入上面提到的4O3.jsp页面。MyAccessDecisionManager代码如下：packagecom.rstco.frame.pub.security.support;importjava.util.Collection;importjava.util.Iterator;importorg.springframework.security.access.AccessDecisionManager;importorg.springframework.security.access.AccessDeniedException;importorg.springframework.security.access.ConfigAttribute;importorg.springframework.security.access.SecurityConfig;importorg.springframework.security.authentication.InsufficientAuthenticationException;importorg.springframework.security.core.Authentication;importorg.springframework.security.core.GrantedAuthority;publicclassMyAccessDecisionManagerimplementsAccessDecisionManager{//Inthismethod,needtocompareauthenticationwithconfigAttributes.//1,AobjectisaURL,afilterwasfindpermissionconfigurationbythisURL,andpasstohere.//2,Checkauthenticationhasattributeinpermissionconfiguration(configAttributes)//3,Ifnotmatchcorrespondingauthentication,throwaAccessDeniedException.publicvoiddecide(Authenticationauthentication,Objectobject,Collection<ConfigAttribute>configAttributes)throwsAccessDeniedException,InsufficientAuthenticationException{if(configAttributes==null){return;}System.out.println(object.toString());//objectisaURL.Iterator<ConfigAttribute>ite=configAttributes.iterator();while(ite.hasNext()){ConfigAttributeca=ite.ne