SpringSecurity 自定义用户 角色 资源权限控制

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd"> 
<http access-denied-page="/403" auto-config="false"><!-- 当访问被拒绝时，会转到403.jsp -->
<intercept-url pattern="/login" filters="none" />
<form-login login-page="/login"
authentication-failure-url="/login?error=true"
default-target-url="/index"/>
<logout logout-success-url="/login" />
<!-- 增加一个filter，这点与Acegi是不一样的，不能修改默认的filter了，这个filter位于FILTER_SECURITY_INTERCEPTOR之前 -->
<custom-filter before="FILTER_SECURITY_INTERCEPTOR" ref="myFilter" />
</http>

<!-- 认证管理器，实现用户认证的入口，主要实现UserDetailsService接口即可 -->
<authentication-manager alias="authenticationManager">
<authentication-provider
user-service-ref="myUserDetailService">
<!--    如果用户的密码采用加密的话，可以加点“盐”
<password-encoder hash="md5" />
-->
</authentication-provider>
</authentication-manager>

<!-- 一个自定义的filter，必须包含authenticationManager,accessDecisionManager,securityMetadataSource三个属性,我们的所有控制将在这三个类中实现，解释详见具体配置 -->
<beans:bean id="myFilter" class="com.joyen.learning.security.MyFilterSecurityInterceptor">
<beans:property name="authenticationManager"
ref="authenticationManager" />
<beans:property name="accessDecisionManager"
ref="myAccessDecisionManagerBean" />
<beans:property name="securityMetadataSource"
ref="securityMetadataSource" />
</beans:bean>

<beans:bean id="myUserDetailService"
class="com.joyen.learning.security.MyUserDetailService">
<beans:property name="dataSource" ref="dataSource"></beans:property>
<beans:property name="usersByUsernameQuery" value="select username,password,email,enabled from user where username = ?"></beans:property>
<beans:property name="authoritiesByUsernameQuery" value="SELECT u.username,r.name
FROM user u,roleuser ru, role r
WHERE u.id = ru.userid
AND ru.roleid = r.id
AND u.username = ?"></beans:property>
</beans:bean>

<!-- 访问决策器，决定某个用户具有的角色，是否有足够的权限去访问某个资源 -->
<beans:bean id="myAccessDecisionManagerBean"
class="com.joyen.learning.security.MyAccessDecisionManager">
</beans:bean>

<!-- 资源源数据定义，即定义某一资源可以被哪些角色访问 -->
<beans:bean id="securityMetadataSource"
class="com.joyen.learning.security.MyInvocationSecurityMetadataSource">
<beans:constructor-arg ref="dataSource"></beans:constructor-arg>
<beans:constructor-arg type="java.lang.String" value="select rce.url, r.name from role r inner join roleresource rrce on r.id = rrce.roleid inner join resource rce on rrce.resourceid = rce.id"></beans:constructor-arg>
</beans:bean>
</beans:beans>