dynamic restful permission is OK

springboot-springSecurity3/pom.xml

+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+
+    <groupId>com.us</groupId>
+    <artifactId>springboot-security</artifactId>
+    <version>1.0-SNAPSHOT</version>
+
+    <parent>
+        <groupId>org.springframework.boot</groupId>
+        <artifactId>spring-boot-starter-parent</artifactId>
+        <version>1.3.0.RELEASE</version>
+    </parent>
+
+    <properties>
+        <start-class>com.us.Application</start-class>
+        <maven.compiler.target>1.8</maven.compiler.target>
+        <maven.compiler.source>1.8</maven.compiler.source>
+
+        <mybatis.version>3.2.7</mybatis.version>
+        <mybatis-spring.version>1.2.2</mybatis-spring.version>
+    </properties>
+
+    <dependencies>
+        <!--springboot-->
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter-security</artifactId>
+        </dependency>
+
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter-thymeleaf</artifactId>
+        </dependency>
+
+
+        <dependency>
+            <groupId>org.thymeleaf.extras</groupId>
+            <artifactId>thymeleaf-extras-springsecurity4</artifactId>
+        </dependency>
+        <!--db-->
+        <dependency>
+            <groupId>mysql</groupId>
+            <artifactId>mysql-connector-java</artifactId>
+            <version>6.0.5</version>
+        </dependency>
+        <dependency>
+            <groupId>com.mchange</groupId>
+            <artifactId>c3p0</artifactId>
+            <version>0.9.5.2</version>
+            <exclusions>
+                <exclusion>
+                    <groupId>commons-logging</groupId>
+                    <artifactId>commons-logging</artifactId>
+                </exclusion>
+            </exclusions>
+        </dependency>
+
+        <!--mybatis-->
+        <dependency>
+            <groupId>org.springframework</groupId>
+            <artifactId>spring-jdbc</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.mybatis</groupId>
+            <artifactId>mybatis</artifactId>
+            <version>${mybatis.version}</version>
+        </dependency>
+        <dependency>
+            <groupId>org.mybatis</groupId>
+            <artifactId>mybatis-spring</artifactId>
+            <version>${mybatis-spring.version}</version>
+        </dependency>
+
+
+    </dependencies>
+
+</project>
\ No newline at end of file

springboot-springSecurity3/src/main/java/com/us/example/Application.java

+package com.us.example;
+
+import org.springframework.boot.autoconfigure.SpringBootApplication;
+import org.springframework.context.ConfigurableApplicationContext;
+import org.springframework.context.annotation.ComponentScan;
+
+import static org.springframework.boot.SpringApplication.run;
+
+/**
+ * Created by yangyibo on 17/1/17.
+ */
+
+@ComponentScan(basePackages ="com.us.example")
+@SpringBootApplication
+public class Application {
+    public static void main(String[] args) {
+        ConfigurableApplicationContext run = run(Application.class, args);
+    }
+
+}

springboot-springSecurity3/src/main/java/com/us/example/config/DBconfig.java

+package com.us.example.config;
+
+import java.beans.PropertyVetoException;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.core.env.Environment;
+import com.mchange.v2.c3p0.ComboPooledDataSource;
+/**
+ * Created by yangyibo on 17/1/18.
+ */
+@Configuration
+public class DBconfig {
+    @Autowired
+    private Environment env;
+
+    @Bean(name="dataSource")
+    public ComboPooledDataSource dataSource() throws PropertyVetoException {
+        ComboPooledDataSource dataSource = new ComboPooledDataSource();
+        dataSource.setDriverClass(env.getProperty("ms.db.driverClassName"));
+        dataSource.setJdbcUrl(env.getProperty("ms.db.url"));
+        dataSource.setUser(env.getProperty("ms.db.username"));
+        dataSource.setPassword(env.getProperty("ms.db.password"));
+        dataSource.setMaxPoolSize(20);
+        dataSource.setMinPoolSize(5);
+        dataSource.setInitialPoolSize(10);
+        dataSource.setMaxIdleTime(300);
+        dataSource.setAcquireIncrement(5);
+        dataSource.setIdleConnectionTestPeriod(60);
+
+        return dataSource;
+    }
+}

springboot-springSecurity3/src/main/java/com/us/example/config/MyBatisConfig.java

+package com.us.example.config;
+
+import org.mybatis.spring.SqlSessionFactoryBean;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.context.ApplicationContext;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.ComponentScan;
+import org.springframework.context.annotation.Configuration;
+
+import javax.sql.DataSource;
+
+@Configuration
+@ComponentScan
+public class MyBatisConfig {
+
+    @Autowired
+    private DataSource dataSource;
+
+    @Bean(name = "sqlSessionFactory")
+    public SqlSessionFactoryBean sqlSessionFactory(ApplicationContext applicationContext) throws Exception {
+        SqlSessionFactoryBean sessionFactory = new SqlSessionFactoryBean();
+        sessionFactory.setDataSource(dataSource);
+        // sessionFactory.setPlugins(new Interceptor[]{new PageInterceptor()});
+        sessionFactory.setMapperLocations(applicationContext.getResources("classpath*:mapper/*.xml"));
+        return sessionFactory;
+    }
+
+}

springboot-springSecurity3/src/main/java/com/us/example/config/MyBatisScannerConfig.java

+package com.us.example.config;
+
+import org.mybatis.spring.mapper.MapperScannerConfigurer;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+
+@Configuration
+public class MyBatisScannerConfig {
+    @Bean
+    public MapperScannerConfigurer MapperScannerConfigurer() {
+        MapperScannerConfigurer mapperScannerConfigurer = new MapperScannerConfigurer();
+        mapperScannerConfigurer.setBasePackage("com.us.example.dao");
+        mapperScannerConfigurer.setSqlSessionFactoryBeanName("sqlSessionFactory");
+        return mapperScannerConfigurer;
+    }
+}

springboot-springSecurity3/src/main/java/com/us/example/config/TransactionConfig.java

+package com.us.example.config;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.ComponentScan;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.jdbc.datasource.DataSourceTransactionManager;
+import org.springframework.transaction.PlatformTransactionManager;
+import org.springframework.transaction.annotation.TransactionManagementConfigurer;
+
+import javax.sql.DataSource;
+
+@Configuration
+@ComponentScan
+public class TransactionConfig implements TransactionManagementConfigurer{
+    @Autowired
+    private DataSource dataSource;
+
+    @Bean(name = "transactionManager")
+    @Override
+    public PlatformTransactionManager annotationDrivenTransactionManager() {
+        return new DataSourceTransactionManager(dataSource);
+    }
+
+}
\ No newline at end of file

springboot-springSecurity3/src/main/java/com/us/example/config/WebMvcConfig.java

+package com.us.example.config;
+
+import org.springframework.context.annotation.Configuration;
+import org.springframework.web.servlet.config.annotation.ViewControllerRegistry;
+import org.springframework.web.servlet.config.annotation.WebMvcConfigurerAdapter;
+/**
+ * Created by yangyibo on 17/1/18.
+ */
+@Configuration
+
+public class WebMvcConfig extends WebMvcConfigurerAdapter{
+
+    @Override
+    public void addViewControllers(ViewControllerRegistry registry) {
+        registry.addViewController("/login").setViewName("login");
+    }
+}

springboot-springSecurity3/src/main/java/com/us/example/config/WebSecurityConfig.java

+package com.us.example.config;
+
+import com.us.example.service.CustomUserService;
+import com.us.example.service.MyFilterSecurityInterceptor;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.core.userdetails.UserDetailsService;
+import org.springframework.security.web.access.intercept.FilterSecurityInterceptor;
+
+/**
+ * Created by yangyibo on 17/1/18.
+ */
+
+
+@Configuration
+public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
+
+    @Autowired
+    private MyFilterSecurityInterceptor myFilterSecurityInterceptor;
+
+
+    @Bean
+    UserDetailsService customUserService() { //注册UserDetailsService 的bean
+        return new CustomUserService();
+    }
+
+    @Override
+    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
+        auth.userDetailsService(customUserService()); //user Details Service验证
+
+    }
+
+    @Override
+    protected void configure(HttpSecurity http) throws Exception {
+        http.authorizeRequests()
+                .anyRequest().authenticated() //任何请求,登录后可以访问
+                .and()
+                .formLogin()
+                .loginPage("/login")
+                .failureUrl("/login?error")
+                .permitAll() //登录页面用户任意访问
+                .and()
+                .logout().permitAll(); //注销行为任意访问
+        http.addFilterBefore(myFilterSecurityInterceptor, FilterSecurityInterceptor.class)
+                .csrf().disable();
+
+
+    }
+}
+

springboot-springSecurity3/src/main/java/com/us/example/controller/HomeController.java

+package com.us.example.controller;
+
+import com.us.example.domain.Msg;
+import org.springframework.stereotype.Controller;
+import org.springframework.ui.Model;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestMethod;
+import org.springframework.web.bind.annotation.ResponseBody;
+
+/**
+ * Created by yangyibo on 17/1/18.
+ */
+@Controller
+public class HomeController {
+
+    @RequestMapping("/")
+    public String index(Model model){
+        Msg msg =  new Msg("测试标题","测试内容","欢迎来到HOME页面,您拥有 ROLE_HOME 权限");
+        model.addAttribute("msg", msg);
+        return "home";
+    }
+
+
+    @RequestMapping("/admin")
+    @ResponseBody
+    public String hello(){
+        return "hello admin";
+    }
+
+    @RequestMapping("/login")
+    public String login(){
+        return "login";
+    }
+
+    @RequestMapping(value = "/user", method = RequestMethod.GET)
+    @ResponseBody
+    public String getList(){
+        return "hello getList";
+    }
+
+
+    @RequestMapping(value = "/user", method = RequestMethod.POST)
+    @ResponseBody
+    public String save(){
+        return "hello save";
+    }
+
+
+    @RequestMapping(value = "/user", method = RequestMethod.PUT)
+    @ResponseBody
+    public String update(){
+        return "hello update";
+    }
+}

springboot-springSecurity3/src/main/java/com/us/example/dao/PermissionDao.java

+package com.us.example.dao;
+
+import com.us.example.domain.Permission;
+
+import java.util.List;
+
+/**
+ * Created by yangyibo on 17/1/20.
+ */
+public interface PermissionDao {
+    public List<Permission> findAll();
+    public List<Permission> findByAdminUserId(int userId);
+}

springboot-springSecurity3/src/main/java/com/us/example/dao/UserDao.java

+package com.us.example.dao;
+
+import com.us.example.domain.SysUser;
+
+
+public interface UserDao {
+    public SysUser findByUserName(String username);
+}

springboot-springSecurity3/src/main/java/com/us/example/domain/Msg.java

+package com.us.example.domain;
+
+/**
+ * Created by yangyibo on 17/1/17.
+ */
+
+    public class Msg {
+        private String title;
+        private String content;
+        private String etraInfo;
+
+        public Msg(String title, String content, String etraInfo) {
+            super();
+            this.title = title;
+            this.content = content;
+            this.etraInfo = etraInfo;
+        }
+        public String getTitle() {
+            return title;
+        }
+        public void setTitle(String title) {
+            this.title = title;
+        }
+        public String getContent() {
+            return content;
+        }
+        public void setContent(String content) {
+            this.content = content;
+        }
+        public String getEtraInfo() {
+            return etraInfo;
+        }
+        public void setEtraInfo(String etraInfo) {
+            this.etraInfo = etraInfo;
+        }
+
+    }

springboot-springSecurity3/src/main/java/com/us/example/domain/Permission.java

+package com.us.example.domain;
+
+/**
+ * Created by yangyibo on 17/1/20.
+ */
+public class Permission {
+
+    private int id;
+    //权限名称
+    private String name;
+
+    //权限描述
+    private String descritpion;
+
+    //授权链接
+    private String url;
+
+    //父节点id
+    private int pid;
+
+    //请求方法
+    private String method;
+
+    public int getId() {
+        return id;
+    }
+
+    public void setId(int id) {
+        this.id = id;
+    }
+
+    public String getName() {
+        return name;
+    }
+
+    public void setName(String name) {
+        this.name = name;
+    }
+
+    public String getDescritpion() {
+        return descritpion;
+    }
+
+    public void setDescritpion(String descritpion) {
+        this.descritpion = descritpion;
+    }
+
+    public String getUrl() {
+        return url;
+    }
+
+    public void setUrl(String url) {
+        this.url = url;
+    }
+
+    public int getPid() {
+        return pid;
+    }
+
+    public void setPid(int pid) {
+        this.pid = pid;
+    }
+
+    public String getMethod() {
+        return method;
+    }
+
+    public void setMethod(String method) {
+        this.method = method;
+    }
+
+}

springboot-springSecurity3/src/main/java/com/us/example/domain/SysRole.java

+package com.us.example.domain;
+
+/**
+ * Created by yangyibo on 17/1/17.
+ */
+
+public class SysRole {
+
+    private Integer id;
+    private String name;
+    public Integer getId() {
+        return id;
+    }
+    public void setId(Integer id) {
+        this.id = id;
+    }
+    public String getName() {
+        return name;
+    }
+    public void setName(String name) {
+        this.name = name;
+    }
+
+
+
+}

springboot-springSecurity3/src/main/java/com/us/example/domain/SysUser.java

+package com.us.example.domain;
+
+import java.util.List;
+
+/**
+ * Created by yangyibo on 17/1/17.
+ */
+
+public class SysUser {
+    private Integer id;
+    private String username;
+    private String password;
+
+    private List<SysRole> roles;
+
+    public Integer getId() {
+        return id;
+    }
+
+    public void setId(Integer id) {
+        this.id = id;
+    }
+
+    public String getUsername() {
+        return username;
+    }
+
+    public void setUsername(String username) {
+        this.username = username;
+    }
+
+    public String getPassword() {
+        return password;
+    }
+
+    public void setPassword(String password) {
+        this.password = password;
+    }
+
+    public List<SysRole> getRoles() {
+        return roles;
+    }
+
+    public void setRoles(List<SysRole> roles) {
+        this.roles = roles;
+    }
+
+}

springboot-springSecurity3/src/main/java/com/us/example/service/CustomUserService.java

+package com.us.example.service;
+
+import com.us.example.dao.PermissionDao;
+import com.us.example.dao.UserDao;
+import com.us.example.domain.Permission;
+import com.us.example.domain.SysRole;
+import com.us.example.domain.SysUser;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.authority.SimpleGrantedAuthority;
+import org.springframework.security.core.userdetails.User;
+import org.springframework.security.core.userdetails.UserDetails;
+import org.springframework.security.core.userdetails.UserDetailsService;
+import org.springframework.security.core.userdetails.UsernameNotFoundException;
+import org.springframework.stereotype.Service;
+
+import java.util.ArrayList;
+import java.util.List;
+
+/**
+ * Created by yangyibo on 17/1/18.
+ */
+@Service
+public class CustomUserService implements UserDetailsService { //自定义UserDetailsService 接口
+
+    @Autowired
+    UserDao userDao;
+    @Autowired
+    PermissionDao permissionDao;
+
+    public UserDetails loadUserByUsername(String username) {
+        SysUser user = userDao.findByUserName(username);
+        if (user != null) {
+            List<Permission> permissions = permissionDao.findByAdminUserId(user.getId());
+            List<GrantedAuthority> grantedAuthorities = new ArrayList<>();
+            for (Permission permission : permissions) {
+                if (permission != null && permission.getName() != null) {
+
+                    GrantedAuthority grantedAuthority = new MyGrantedAuthority(permission.getUrl(), permission.getMethod());
+                    grantedAuthorities.add(grantedAuthority);
+                }
+            }
+            return new User(user.getUsername(), user.getPassword(), grantedAuthorities);
+        } else {
+            throw new UsernameNotFoundException("admin: " + username + " do not exist!");
+        }
+    }
+
+}

springboot-springSecurity3/src/main/java/com/us/example/service/MyAccessDecisionManager.java

+package com.us.example.service;
+
+import org.springframework.security.access.AccessDecisionManager;
+import org.springframework.security.access.AccessDeniedException;
+import org.springframework.security.access.ConfigAttribute;
+import org.springframework.security.authentication.InsufficientAuthenticationException;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.web.FilterInvocation;
+import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
+import org.springframework.stereotype.Service;
+
+import javax.servlet.http.HttpServletRequest;
+import java.util.Collection;
+import java.util.Iterator;
+
+/**
+ * Created by yangyibo on 17/1/19.
+ */
+@Service
+public class MyAccessDecisionManager implements AccessDecisionManager {
+
+    //decide 方法是判定是否拥有权限的决策方法
+    @Override
+    public void decide(Authentication authentication, Object object, Collection<ConfigAttribute> configAttributes) throws AccessDeniedException, InsufficientAuthenticationException {
+
+        HttpServletRequest request = ((FilterInvocation) object).getHttpRequest();
+        String url, method;
+        AntPathRequestMatcher matcher;
+        for (GrantedAuthority ga : authentication.getAuthorities()) {
+            if (ga instanceof MyGrantedAuthority) {
+                MyGrantedAuthority urlGrantedAuthority = (MyGrantedAuthority) ga;
+                url = urlGrantedAuthority.getPermissionUrl();
+                method = urlGrantedAuthority.getMethod();
+                matcher = new AntPathRequestMatcher(url);
+                if (matcher.matches(request)) {
+                    //当权限表权限的method为ALL时表示拥有此路径的所有请求方式权利。
+                    if (method.equals(request.getMethod()) || "ALL".equals(method)) {
+                        return;
+                    }
+                }
+            } else if (ga.getAuthority().equals("ROLE_ANONYMOUS")) {//未登录只允许访问 login 页面
+                matcher = new AntPathRequestMatcher("/login");
+                if (matcher.matches(request)) {
+                    return;
+                }
+            }
+        }
+        throw new AccessDeniedException("no right");
+    }
+
+
+
+    @Override
+    public boolean supports(ConfigAttribute attribute) {
+        return true;
+    }
+
+    @Override
+    public boolean supports(Class<?> clazz) {
+        return true;
+    }
+}

springboot-springSecurity3/src/main/java/com/us/example/service/MyFilterSecurityInterceptor.java

+package com.us.example.service;
+
+import javax.servlet.Filter;
+import javax.servlet.FilterChain;
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.access.SecurityMetadataSource;
+import org.springframework.security.access.intercept.AbstractSecurityInterceptor;
+import org.springframework.security.access.intercept.InterceptorStatusToken;
+import org.springframework.security.web.FilterInvocation;
+import org.springframework.security.web.access.intercept.FilterInvocationSecurityMetadataSource;
+import org.springframework.stereotype.Service;
+
+import java.io.IOException;
+
+/**
+ * Created by yangyibo on 17/1/19.
+ */
+@Service
+public class MyFilterSecurityInterceptor extends AbstractSecurityInterceptor implements Filter {
+
+
+    @Autowired
+    private FilterInvocationSecurityMetadataSource securityMetadataSource;
+
+    @Autowired
+    public void setMyAccessDecisionManager(MyAccessDecisionManager myAccessDecisionManager) {
+        super.setAccessDecisionManager(myAccessDecisionManager);
+    }
+
+
+    @Override
+    public void init(FilterConfig filterConfig) throws ServletException {
+
+    }
+
+    @Override
+    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
+
+        FilterInvocation fi = new FilterInvocation(request, response, chain);
+        invoke(fi);
+    }
+
+
+    public void invoke(FilterInvocation fi) throws IOException, ServletException {
+//fi里面有一个被拦截的url
+//里面调用MyInvocationSecurityMetadataSource的getAttributes(Object object)这个方法获取fi对应的所有权限
+//再调用MyAccessDecisionManager的decide方法来校验用户的权限是否足够
+        InterceptorStatusToken token = super.beforeInvocation(fi);
+        try {
+//执行下一个拦截器
+            fi.getChain().doFilter(fi.getRequest(), fi.getResponse());
+        } finally {
+            super.afterInvocation(token, null);
+        }
+    }
+
+
+    @Override
+    public void destroy() {
+
+    }
+
+    @Override
+    public Class<?> getSecureObjectClass() {
+        return FilterInvocation.class;
+
+    }
+
+    @Override
+    public SecurityMetadataSource obtainSecurityMetadataSource() {
+        return this.securityMetadataSource;
+    }
+}

springboot-springSecurity3/src/main/java/com/us/example/service/MyGrantedAuthority.java

+package com.us.example.service;
+
+import org.springframework.security.core.GrantedAuthority;
+
+/**
+ * Created by yangyibo on 17/2/15.
+ */
+public class MyGrantedAuthority implements GrantedAuthority {
+
+    private String url;
+    private String method;
+
+    public String getPermissionUrl() {
+        return url;
+    }
+
+    public void setPermissionUrl(String permissionUrl) {
+        this.url = permissionUrl;
+    }
+
+    public String getMethod() {
+        return method;
+    }
+
+    public void setMethod(String method) {
+        this.method = method;
+    }
+
+    public MyGrantedAuthority(String url, String method) {
+        this.url = url;
+        this.method = method;
+    }
+
+    @Override
+    public String getAuthority() {
+        return this.url + ";" + this.method;
+    }
+}
\ No newline at end of file

springboot-springSecurity3/src/main/java/com/us/example/service/MyInvocationSecurityMetadataSourceService.java

+package com.us.example.service;
+
+import com.us.example.dao.PermissionDao;
+import com.us.example.domain.Permission;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.access.ConfigAttribute;
+import org.springframework.security.access.SecurityConfig;
+import org.springframework.security.web.FilterInvocation;
+import org.springframework.security.web.access.intercept.FilterInvocationSecurityMetadataSource;
+import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
+import org.springframework.stereotype.Service;
+
+import javax.servlet.http.HttpServletRequest;
+import java.util.*;
+
+/**
+ * Created by yangyibo on 17/1/19.
+ */
+@Service
+public class MyInvocationSecurityMetadataSourceService  implements
+        FilterInvocationSecurityMetadataSource {
+
+    //此方法是为了判定用户请求的url 是否在权限表中，如果在权限表中，则返回给 decide 方法，用来判定用户是否有此权限。如果不在权限表中则放行。
+    //因为我不想每一次来了请求，都先要匹配一下权限表中的信息是不是包含此url，
+    // 我准备直接拦截，不管请求的url 是什么都直接拦截，然后在MyAccessDecisionManager的decide 方法中做拦截还是放行的决策。
+    //所以此方法的返回值不能返回 null 此处我就随便返回一下。
+    @Override
+    public Collection<ConfigAttribute> getAttributes(Object object) throws IllegalArgumentException {
+        Collection<ConfigAttribute> co=new ArrayList<>();
+        co.add(new SecurityConfig("null"));
+        return co;
+    }
+
+    @Override
+    public Collection<ConfigAttribute> getAllConfigAttributes() {
+        return null;
+    }
+
+    @Override
+    public boolean supports(Class<?> clazz) {
+        return true;
+    }
+}

springboot-springSecurity3/src/main/resources/application.properties

+ms.db.driverClassName=com.mysql.jdbc.Driver
+ms.db.url=jdbc:mysql://localhost:3306/cache?characterEncoding=utf-8&useSSL=false
+ms.db.username=root
+ms.db.password=admin
+ms.db.maxActive=500
+
+
+logging.level.org.springframework.security= INFO
+spring.thymeleaf.cache=false

springboot-springSecurity3/src/main/resources/mapper/PermissionDaoMapper.xml

+<?xml version="1.0" encoding="UTF-8" ?>
+<!DOCTYPE mapper PUBLIC "-//mybatis.org//DTD Mapper 3.0//EN" "http://mybatis.org/dtd/mybatis-3-mapper.dtd">
+<mapper namespace="com.us.example.dao.PermissionDao">
+<select id="findAll"  resultType="com.us.example.domain.Permission">
+
+   SELECT * from Sys_permission ;
+</select>
+
+ <select id="findByAdminUserId" parameterType="int" resultType="com.us.example.domain.Permission">
+      select p.*
+		from Sys_User u
+        LEFT JOIN sys_role_user sru on u.id= sru.Sys_User_id
+        LEFT JOIN Sys_Role r on sru.Sys_Role_id=r.id
+        LEFT JOIN Sys_permission_role spr on spr.role_id=r.id
+        LEFT JOIN Sys_permission p on p.id =spr.permission_id
+        where u.id=#{userId}
+ </select>
+ </mapper>
\ No newline at end of file

springboot-springSecurity3/src/main/resources/mapper/UserDaoMapper.xml

+<?xml version="1.0" encoding="UTF-8" ?>
+<!DOCTYPE mapper PUBLIC "-//mybatis.org//DTD Mapper 3.0//EN" "http://mybatis.org/dtd/mybatis-3-mapper.dtd">
+<mapper namespace="com.us.example.dao.UserDao">
+    <resultMap id="userMap" type="com.us.example.domain.SysUser">
+        <id property="id" column="ID"/>
+        <result property="username" column="username"/>
+        <result property="password" column="PASSWORD"/>
+        <collection property="roles" ofType="com.us.example.domain.SysRole">
+            <result column="name" property="name"/>
+        </collection>
+
+    </resultMap>
+    <select id="findByUserName" parameterType="String" resultMap="userMap">
+		select u.*
+		,r.name
+		from Sys_User u
+        LEFT JOIN sys_role_user sru on u.id= sru.Sys_User_id
+        LEFT JOIN Sys_Role r on sru.Sys_Role_id=r.id
+        where username= #{username}
+	</select>
+</mapper>
\ No newline at end of file

springboot-springSecurity3/src/main/resources/templates/home.html

+<!DOCTYPE html>
+<html xmlns:th="http://www.thymeleaf.org" 
+	  xmlns:sec="http://www.thymeleaf.org/thymeleaf-extras-springsecurity4">
+<head>
+<meta content="text/html;charset=UTF-8"/>
+<title sec:authentication="name"></title>
+<link rel="stylesheet" th:href="@{css/bootstrap.min.css}" />
+<style type="text/css">
+body {
+  padding-top: 50px;
+}
+.starter-template {
+  padding: 40px 15px;
+  text-align: center;
+}
+</style>
+</head>
+<body>
+	 <nav class="navbar navbar-inverse navbar-fixed-top">
+      <div class="container">
+        <div class="navbar-header">
+          <a class="navbar-brand" href="#">Spring Security演示</a>
+        </div>
+        <div id="navbar" class="collapse navbar-collapse">
+          <ul class="nav navbar-nav">
+           <li><a th:href="@{/}"> 首页 </a></li>
+              <li><a th:href="@{/admin}"> admin </a></li>
+          </ul>
+        </div><!--/.nav-collapse -->
+      </div>
+    </nav>
+    
+    
+     <div class="container">
+
+      <div class="starter-template">
+      	<h1 th:text="${msg.title}"></h1>
+		
+		<p class="bg-primary" th:text="${msg.content}"></p>
+		
+		<div sec:authorize="hasRole('ROLE_HOME')"> <!-- 用户类型为ROLE_ADMIN 显示 -->
+		 	<p class="bg-info" th:text="${msg.etraInfo}"></p>
+		</div>
+          <div sec:authorize="hasRole('ROLE_ADMIN')"> <!-- 用户类型为ROLE_ADMIN 显示 -->
+              <p class="bg-info">恭喜您,您有 ROLE_ADMIN 权限 </p>
+          </div>
+
+          <form th:action="@{/logout}" method="post">
+            <input type="submit" class="btn btn-primary" value="注销"/>
+        </form>
+      </div>
+
+    </div>
+    
+	
+</body>
+</html>

springboot-springSecurity3/src/main/resources/templates/login.html

+<!DOCTYPE html>
+<html xmlns:th="http://www.thymeleaf.org">
+<head>
+<meta content="text/html;charset=UTF-8"/>
+<title>登录页面</title>
+<link rel="stylesheet" th:href="@{css/bootstrap.min.css}"/>
+<style type="text/css">
+	body {
+  padding-top: 50px;
+}
+.starter-template {
+  padding: 40px 15px;
+  text-align: center;
+}
+</style>
+</head>
+<body>
+	
+	 <nav class="navbar navbar-inverse navbar-fixed-top">
+      <div class="container">
+        <div class="navbar-header">
+          <a class="navbar-brand" href="#">Spring Security演示</a>
+        </div>
+        <div id="navbar" class="collapse navbar-collapse">
+          <ul class="nav navbar-nav">
+           <li><a th:href="@{/}"> 首页 </a></li>
+           
+          </ul>
+        </div><!--/.nav-collapse -->
+      </div>
+    </nav>
+     <div class="container">
+
+      <div class="starter-template">
+       <p th:if="${param.logout}" class="bg-warning">已成功注销</p><!-- 1 -->
+			<p th:if="${param.error}" class="bg-danger">有错误，请重试</p> <!-- 2 -->
+			<h2>使用账号密码登录</h2>
+			<form name="form" th:action="@{/login}" action="/login" method="POST"> <!-- 3 -->
+				<div class="form-group">
+					<label for="username">账号</label>
+					<input type="text" class="form-control" name="username" value="" placeholder="账号" />
+				</div>
+				<div class="form-group">
+					<label for="password">密码</label>
+					<input type="password" class="form-control" name="password" placeholder="密码" />
+				</div>
+				<input type="submit" id="login" value="Login" class="btn btn-primary" />
+			</form>
+      </div>
+
+    </div>
+		
+</body>
+</html>
\ No newline at end of file