权限系统直接数据库控制，不需要具体些方法

bi-service/src/main/java/com/diagbot/config/security/UrlAccessDecisionManager.java

@@ -0,0 +1,71 @@
+package com.diagbot.config.security;
+
+import org.springframework.security.access.AccessDecisionManager;
+import org.springframework.security.access.AccessDeniedException;
+import org.springframework.security.access.ConfigAttribute;
+import org.springframework.security.authentication.InsufficientAuthenticationException;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.web.FilterInvocation;
+import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
+import org.springframework.stereotype.Service;
+
+import javax.servlet.http.HttpServletRequest;
+import java.util.Collection;
+
+
+/**
+ * @Description: 自定义权限拦截
+ * @author: gaodm
+ * @time: 2018/8/23 13:46
+ */
+@Service
+public class UrlAccessDecisionManager implements AccessDecisionManager {
+    @Override
+    public void decide(Authentication authentication, Object object, Collection<ConfigAttribute> configAttributes) throws AccessDeniedException, InsufficientAuthenticationException {
+        HttpServletRequest request = ((FilterInvocation) object).getHttpRequest();
+        String url, method;
+        if ("anonymousUser".equals(authentication.getPrincipal())
+                && (matchers("/swagger/**", request)
+                || matchers("/v2/**", request)
+                || matchers("/webjars/**", request)
+                || matchers("/druid/**", request)
+                || matchers("/actuator/**", request)
+                || matchers("/hystrix/**", request)
+                || matchers("/", request))) {
+            return;
+        } else {
+            for (GrantedAuthority ga : authentication.getAuthorities()) {
+                String[] authority = ga.getAuthority().split(";");
+                url = authority[0];
+                method = authority[1];
+                if (matchers(url, request)) {
+                    if (method.equals(request.getMethod()) || "ALL".equals(method)) {
+                        return;
+                    }
+                }
+            }
+        }
+        throw new AccessDeniedException("no right");
+    }
+
+
+    @Override
+    public boolean supports(ConfigAttribute attribute) {
+        return true;
+    }
+
+    @Override
+    public boolean supports(Class<?> clazz) {
+        return true;
+    }
+
+
+    private boolean matchers(String url, HttpServletRequest request) {
+        AntPathRequestMatcher matcher = new AntPathRequestMatcher(url);
+        if (matcher.matches(request)) {
+            return true;
+        }
+        return false;
+    }
+}

bi-service/src/main/java/com/diagbot/config/security/UrlConfigAttribute.java

@@ -0,0 +1,29 @@
+package com.diagbot.config.security;
+
+import org.springframework.security.access.ConfigAttribute;
+
+import javax.servlet.http.HttpServletRequest;
+
+/**
+ * @Description: 自定义权限拦截
+ * @author: gaodm
+ * @time: 2018/8/23 13:47
+ */
+public class UrlConfigAttribute implements ConfigAttribute {
+
+    private final HttpServletRequest httpServletRequest;
+
+    public UrlConfigAttribute(HttpServletRequest httpServletRequest) {
+        this.httpServletRequest = httpServletRequest;
+    }
+
+
+    @Override
+    public String getAttribute() {
+        return null;
+    }
+
+    public HttpServletRequest getHttpServletRequest() {
+        return httpServletRequest;
+    }
+}

bi-service/src/main/java/com/diagbot/config/security/UrlFilterSecurityInterceptor.java

@@ -0,0 +1,79 @@
+package com.diagbot.config.security;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.access.SecurityMetadataSource;
+import org.springframework.security.access.intercept.AbstractSecurityInterceptor;
+import org.springframework.security.access.intercept.InterceptorStatusToken;
+import org.springframework.security.web.FilterInvocation;
+import org.springframework.security.web.access.intercept.FilterInvocationSecurityMetadataSource;
+import org.springframework.stereotype.Service;
+
+import javax.servlet.Filter;
+import javax.servlet.FilterChain;
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import java.io.IOException;
+
+/**
+ * @Description: 自定义权限拦截
+ * @author: gaodm
+ * @time: 2018/8/23 13:47
+ */
+@Service
+public class UrlFilterSecurityInterceptor extends AbstractSecurityInterceptor implements Filter {
+
+
+    @Autowired
+    private FilterInvocationSecurityMetadataSource securityMetadataSource;
+
+    @Autowired
+    public void setUrlAccessDecisionManager(UrlAccessDecisionManager urlAccessDecisionManager) {
+        super.setAccessDecisionManager(urlAccessDecisionManager);
+    }
+
+
+    @Override
+    public void init(FilterConfig filterConfig) throws ServletException {
+
+    }
+
+    @Override
+    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
+
+        FilterInvocation fi = new FilterInvocation(request, response, chain);
+        invoke(fi);
+    }
+
+
+    public void invoke(FilterInvocation fi) throws IOException, ServletException {
+        //fi里面有一个被拦截的url
+        //里面调用UrlMetadataSource的getAttributes(Object object)这个方法获取fi对应的所有权限
+        //再调用UrlAccessDecisionManager的decide方法来校验用户的权限是否足够
+        InterceptorStatusToken token = super.beforeInvocation(fi);
+        try {
+            //执行下一个拦截器
+            fi.getChain().doFilter(fi.getRequest(), fi.getResponse());
+        } finally {
+            super.afterInvocation(token, null);
+        }
+    }
+
+
+    @Override
+    public void destroy() {
+
+    }
+
+    @Override
+    public Class<?> getSecureObjectClass() {
+        return FilterInvocation.class;
+
+    }
+
+    @Override
+    public SecurityMetadataSource obtainSecurityMetadataSource() {
+        return this.securityMetadataSource;
+    }
+}

bi-service/src/main/java/com/diagbot/config/security/UrlMetadataSourceService.java

@@ -0,0 +1,40 @@
+package com.diagbot.config.security;
+
+import org.springframework.security.access.ConfigAttribute;
+import org.springframework.security.web.FilterInvocation;
+import org.springframework.security.web.access.intercept.FilterInvocationSecurityMetadataSource;
+import org.springframework.stereotype.Service;
+
+import javax.servlet.http.HttpServletRequest;
+import java.util.Collection;
+import java.util.HashSet;
+import java.util.Set;
+
+/**
+ * @Description: 自定义权限拦截
+ * @author: gaodm
+ * @time: 2018/8/23 13:47
+ */
+@Service
+public class UrlMetadataSourceService implements
+        FilterInvocationSecurityMetadataSource {
+
+    @Override
+    public Collection<ConfigAttribute> getAttributes(Object object) throws IllegalArgumentException {
+        final HttpServletRequest request = ((FilterInvocation) object).getRequest();
+        Set<ConfigAttribute> allAttributes = new HashSet<>();
+        ConfigAttribute configAttribute = new UrlConfigAttribute(request);
+        allAttributes.add(configAttribute);
+        return allAttributes;
+    }
+
+    @Override
+    public Collection<ConfigAttribute> getAllConfigAttributes() {
+        return null;
+    }
+
+    @Override
+    public boolean supports(Class<?> clazz) {
+        return true;
+    }
+}

bi-service/src/main/java/com/diagbot/web/SysLogController.java

@@ -12,7 +12,6 @@ import com.diagbot.facade.SysLogFacade;
 import com.diagbot.vo.SysLogVo;
 import io.swagger.annotations.ApiOperation;
 import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.web.bind.annotation.DeleteMapping;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.PathVariable;
@@ -39,7 +38,6 @@ public class SysLogController {
     private SysLogFacade sysLogFacade;
 
     @ApiOperation(value = "添加日志", notes = "添加日志")
-    @PreAuthorize("hasRole('USER')")
     @PostMapping("/add")
     @SysLogger("postLog")
     public RespDTO add(@RequestBody SysLogVo sysLogVo){
@@ -53,7 +51,6 @@ public class SysLogController {
     }
 
     @ApiOperation(value = "删除日志", notes = "删除日志")
-    @PreAuthorize("hasRole('USER')")
     @DeleteMapping("/delete/{id}")
     @SysLogger("deleteLog")
     public RespDTO delete(@PathVariable(value = "id") Integer id){
@@ -61,7 +58,6 @@ public class SysLogController {
     }
 
     @ApiOperation(value = "修改日志", notes = "修改日志")
-    @PreAuthorize("hasRole('USER')")
     @PostMapping("/update")
     @SysLogger("updateLog")
     public RespDTO update(@RequestBody SysLog student){
@@ -69,7 +65,6 @@ public class SysLogController {
     }
 
     @ApiOperation(value = "获取日志列表", notes = "获取日志列表")
-    @PreAuthorize("hasRole('USER')")
     @GetMapping("/list")
     @SysLogger("listLog")
     public RespDTO list(){
@@ -78,7 +73,6 @@ public class SysLogController {
     }
 
     @ApiOperation(value = "获取日志翻页信息", notes = "获取日志翻页信息")
-    @PreAuthorize("hasRole('USER')")
     @GetMapping("/page")
     @SysLogger("pageLog")
     public RespDTO page() {

diagbotman-service/src/main/java/com/diagbot/config/security/UrlAccessDecisionManager.java

@@ -0,0 +1,71 @@
+package com.diagbot.config.security;
+
+import org.springframework.security.access.AccessDecisionManager;
+import org.springframework.security.access.AccessDeniedException;
+import org.springframework.security.access.ConfigAttribute;
+import org.springframework.security.authentication.InsufficientAuthenticationException;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.web.FilterInvocation;
+import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
+import org.springframework.stereotype.Service;
+
+import javax.servlet.http.HttpServletRequest;
+import java.util.Collection;
+
+
+/**
+ * @Description: 自定义权限拦截
+ * @author: gaodm
+ * @time: 2018/8/23 13:46
+ */
+@Service
+public class UrlAccessDecisionManager implements AccessDecisionManager {
+    @Override
+    public void decide(Authentication authentication, Object object, Collection<ConfigAttribute> configAttributes) throws AccessDeniedException, InsufficientAuthenticationException {
+        HttpServletRequest request = ((FilterInvocation) object).getHttpRequest();
+        String url, method;
+        if ("anonymousUser".equals(authentication.getPrincipal())
+                && (matchers("/swagger/**", request)
+                || matchers("/v2/**", request)
+                || matchers("/webjars/**", request)
+                || matchers("/druid/**", request)
+                || matchers("/actuator/**", request)
+                || matchers("/hystrix/**", request)
+                || matchers("/", request))) {
+            return;
+        } else {
+            for (GrantedAuthority ga : authentication.getAuthorities()) {
+                String[] authority = ga.getAuthority().split(";");
+                url = authority[0];
+                method = authority[1];
+                if (matchers(url, request)) {
+                    if (method.equals(request.getMethod()) || "ALL".equals(method)) {
+                        return;
+                    }
+                }
+            }
+        }
+        throw new AccessDeniedException("no right");
+    }
+
+
+    @Override
+    public boolean supports(ConfigAttribute attribute) {
+        return true;
+    }
+
+    @Override
+    public boolean supports(Class<?> clazz) {
+        return true;
+    }
+
+
+    private boolean matchers(String url, HttpServletRequest request) {
+        AntPathRequestMatcher matcher = new AntPathRequestMatcher(url);
+        if (matcher.matches(request)) {
+            return true;
+        }
+        return false;
+    }
+}

diagbotman-service/src/main/java/com/diagbot/config/security/UrlConfigAttribute.java

@@ -0,0 +1,29 @@
+package com.diagbot.config.security;
+
+import org.springframework.security.access.ConfigAttribute;
+
+import javax.servlet.http.HttpServletRequest;
+
+/**
+ * @Description: 自定义权限拦截
+ * @author: gaodm
+ * @time: 2018/8/23 13:47
+ */
+public class UrlConfigAttribute implements ConfigAttribute {
+
+    private final HttpServletRequest httpServletRequest;
+
+    public UrlConfigAttribute(HttpServletRequest httpServletRequest) {
+        this.httpServletRequest = httpServletRequest;
+    }
+
+
+    @Override
+    public String getAttribute() {
+        return null;
+    }
+
+    public HttpServletRequest getHttpServletRequest() {
+        return httpServletRequest;
+    }
+}

diagbotman-service/src/main/java/com/diagbot/config/security/UrlFilterSecurityInterceptor.java

@@ -0,0 +1,79 @@
+package com.diagbot.config.security;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.access.SecurityMetadataSource;
+import org.springframework.security.access.intercept.AbstractSecurityInterceptor;
+import org.springframework.security.access.intercept.InterceptorStatusToken;
+import org.springframework.security.web.FilterInvocation;
+import org.springframework.security.web.access.intercept.FilterInvocationSecurityMetadataSource;
+import org.springframework.stereotype.Service;
+
+import javax.servlet.Filter;
+import javax.servlet.FilterChain;
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import java.io.IOException;
+
+/**
+ * @Description: 自定义权限拦截
+ * @author: gaodm
+ * @time: 2018/8/23 13:47
+ */
+@Service
+public class UrlFilterSecurityInterceptor extends AbstractSecurityInterceptor implements Filter {
+
+
+    @Autowired
+    private FilterInvocationSecurityMetadataSource securityMetadataSource;
+
+    @Autowired
+    public void setUrlAccessDecisionManager(UrlAccessDecisionManager urlAccessDecisionManager) {
+        super.setAccessDecisionManager(urlAccessDecisionManager);
+    }
+
+
+    @Override
+    public void init(FilterConfig filterConfig) throws ServletException {
+
+    }
+
+    @Override
+    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
+
+        FilterInvocation fi = new FilterInvocation(request, response, chain);
+        invoke(fi);
+    }
+
+
+    public void invoke(FilterInvocation fi) throws IOException, ServletException {
+        //fi里面有一个被拦截的url
+        //里面调用UrlMetadataSource的getAttributes(Object object)这个方法获取fi对应的所有权限
+        //再调用UrlAccessDecisionManager的decide方法来校验用户的权限是否足够
+        InterceptorStatusToken token = super.beforeInvocation(fi);
+        try {
+            //执行下一个拦截器
+            fi.getChain().doFilter(fi.getRequest(), fi.getResponse());
+        } finally {
+            super.afterInvocation(token, null);
+        }
+    }
+
+
+    @Override
+    public void destroy() {
+
+    }
+
+    @Override
+    public Class<?> getSecureObjectClass() {
+        return FilterInvocation.class;
+
+    }
+
+    @Override
+    public SecurityMetadataSource obtainSecurityMetadataSource() {
+        return this.securityMetadataSource;
+    }
+}

diagbotman-service/src/main/java/com/diagbot/config/security/UrlMetadataSourceService.java

@@ -0,0 +1,40 @@
+package com.diagbot.config.security;
+
+import org.springframework.security.access.ConfigAttribute;
+import org.springframework.security.web.FilterInvocation;
+import org.springframework.security.web.access.intercept.FilterInvocationSecurityMetadataSource;
+import org.springframework.stereotype.Service;
+
+import javax.servlet.http.HttpServletRequest;
+import java.util.Collection;
+import java.util.HashSet;
+import java.util.Set;
+
+/**
+ * @Description: 自定义权限拦截
+ * @author: gaodm
+ * @time: 2018/8/23 13:47
+ */
+@Service
+public class UrlMetadataSourceService implements
+        FilterInvocationSecurityMetadataSource {
+
+    @Override
+    public Collection<ConfigAttribute> getAttributes(Object object) throws IllegalArgumentException {
+        final HttpServletRequest request = ((FilterInvocation) object).getRequest();
+        Set<ConfigAttribute> allAttributes = new HashSet<>();
+        ConfigAttribute configAttribute = new UrlConfigAttribute(request);
+        allAttributes.add(configAttribute);
+        return allAttributes;
+    }
+
+    @Override
+    public Collection<ConfigAttribute> getAllConfigAttributes() {
+        return null;
+    }
+
+    @Override
+    public boolean supports(Class<?> clazz) {
+        return true;
+    }
+}

diagbotman-service/src/main/java/com/diagbot/web/SysLogController.java

@@ -12,7 +12,6 @@ import com.diagbot.facade.SysLogFacade;
 import com.diagbot.vo.SysLogVo;
 import io.swagger.annotations.ApiOperation;
 import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.web.bind.annotation.DeleteMapping;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.PathVariable;
@@ -39,7 +38,6 @@ public class SysLogController {
     private SysLogFacade sysLogFacade;
 
     @ApiOperation(value = "添加日志", notes = "添加日志")
-    @PreAuthorize("hasRole('USER')")
     @PostMapping("/add")
     @SysLogger("postLog")
     public RespDTO add(@RequestBody SysLogVo sysLogVo){
@@ -53,7 +51,6 @@ public class SysLogController {
     }
 
     @ApiOperation(value = "删除日志", notes = "删除日志")
-    @PreAuthorize("hasRole('USER')")
     @DeleteMapping("/delete/{id}")
     @SysLogger("deleteLog")
     public RespDTO delete(@PathVariable(value = "id") Integer id){
@@ -61,7 +58,6 @@ public class SysLogController {
     }
 
     @ApiOperation(value = "修改日志", notes = "修改日志")
-    @PreAuthorize("hasRole('USER')")
     @PostMapping("/update")
     @SysLogger("updateLog")
     public RespDTO update(@RequestBody SysLog student){
@@ -69,7 +65,6 @@ public class SysLogController {
     }
 
     @ApiOperation(value = "获取日志列表", notes = "获取日志列表")
-    @PreAuthorize("hasRole('USER')")
     @GetMapping("/list")
     @SysLogger("listLog")
     public RespDTO list(){
@@ -78,7 +73,6 @@ public class SysLogController {
     }
 
     @ApiOperation(value = "获取日志翻页信息", notes = "获取日志翻页信息")
-    @PreAuthorize("hasRole('USER')")
     @GetMapping("/page")
     @SysLogger("pageLog")
     public RespDTO page() {

feedback-service/src/main/java/com/diagbot/config/security/UrlAccessDecisionManager.java

@@ -0,0 +1,71 @@
+package com.diagbot.config.security;
+
+import org.springframework.security.access.AccessDecisionManager;
+import org.springframework.security.access.AccessDeniedException;
+import org.springframework.security.access.ConfigAttribute;
+import org.springframework.security.authentication.InsufficientAuthenticationException;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.web.FilterInvocation;
+import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
+import org.springframework.stereotype.Service;
+
+import javax.servlet.http.HttpServletRequest;
+import java.util.Collection;
+
+
+/**
+ * @Description: 自定义权限拦截
+ * @author: gaodm
+ * @time: 2018/8/23 13:46
+ */
+@Service
+public class UrlAccessDecisionManager implements AccessDecisionManager {
+    @Override
+    public void decide(Authentication authentication, Object object, Collection<ConfigAttribute> configAttributes) throws AccessDeniedException, InsufficientAuthenticationException {
+        HttpServletRequest request = ((FilterInvocation) object).getHttpRequest();
+        String url, method;
+        if ("anonymousUser".equals(authentication.getPrincipal())
+                && (matchers("/swagger/**", request)
+                || matchers("/v2/**", request)
+                || matchers("/webjars/**", request)
+                || matchers("/druid/**", request)
+                || matchers("/actuator/**", request)
+                || matchers("/hystrix/**", request)
+                || matchers("/", request))) {
+            return;
+        } else {
+            for (GrantedAuthority ga : authentication.getAuthorities()) {
+                String[] authority = ga.getAuthority().split(";");
+                url = authority[0];
+                method = authority[1];
+                if (matchers(url, request)) {
+                    if (method.equals(request.getMethod()) || "ALL".equals(method)) {
+                        return;
+                    }
+                }
+            }
+        }
+        throw new AccessDeniedException("no right");
+    }
+
+
+    @Override
+    public boolean supports(ConfigAttribute attribute) {
+        return true;
+    }
+
+    @Override
+    public boolean supports(Class<?> clazz) {
+        return true;
+    }
+
+
+    private boolean matchers(String url, HttpServletRequest request) {
+        AntPathRequestMatcher matcher = new AntPathRequestMatcher(url);
+        if (matcher.matches(request)) {
+            return true;
+        }
+        return false;
+    }
+}

feedback-service/src/main/java/com/diagbot/config/security/UrlConfigAttribute.java

@@ -0,0 +1,29 @@
+package com.diagbot.config.security;
+
+import org.springframework.security.access.ConfigAttribute;
+
+import javax.servlet.http.HttpServletRequest;
+
+/**
+ * @Description: 自定义权限拦截
+ * @author: gaodm
+ * @time: 2018/8/23 13:47
+ */
+public class UrlConfigAttribute implements ConfigAttribute {
+
+    private final HttpServletRequest httpServletRequest;
+
+    public UrlConfigAttribute(HttpServletRequest httpServletRequest) {
+        this.httpServletRequest = httpServletRequest;
+    }
+
+
+    @Override
+    public String getAttribute() {
+        return null;
+    }
+
+    public HttpServletRequest getHttpServletRequest() {
+        return httpServletRequest;
+    }
+}

feedback-service/src/main/java/com/diagbot/config/security/UrlFilterSecurityInterceptor.java

@@ -0,0 +1,79 @@
+package com.diagbot.config.security;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.access.SecurityMetadataSource;
+import org.springframework.security.access.intercept.AbstractSecurityInterceptor;
+import org.springframework.security.access.intercept.InterceptorStatusToken;
+import org.springframework.security.web.FilterInvocation;
+import org.springframework.security.web.access.intercept.FilterInvocationSecurityMetadataSource;
+import org.springframework.stereotype.Service;
+
+import javax.servlet.Filter;
+import javax.servlet.FilterChain;
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import java.io.IOException;
+
+/**
+ * @Description: 自定义权限拦截
+ * @author: gaodm
+ * @time: 2018/8/23 13:47
+ */
+@Service
+public class UrlFilterSecurityInterceptor extends AbstractSecurityInterceptor implements Filter {
+
+
+    @Autowired
+    private FilterInvocationSecurityMetadataSource securityMetadataSource;
+
+    @Autowired
+    public void setUrlAccessDecisionManager(UrlAccessDecisionManager urlAccessDecisionManager) {
+        super.setAccessDecisionManager(urlAccessDecisionManager);
+    }
+
+
+    @Override
+    public void init(FilterConfig filterConfig) throws ServletException {
+
+    }
+
+    @Override
+    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
+
+        FilterInvocation fi = new FilterInvocation(request, response, chain);
+        invoke(fi);
+    }
+
+
+    public void invoke(FilterInvocation fi) throws IOException, ServletException {
+        //fi里面有一个被拦截的url
+        //里面调用UrlMetadataSource的getAttributes(Object object)这个方法获取fi对应的所有权限
+        //再调用UrlAccessDecisionManager的decide方法来校验用户的权限是否足够
+        InterceptorStatusToken token = super.beforeInvocation(fi);
+        try {
+            //执行下一个拦截器
+            fi.getChain().doFilter(fi.getRequest(), fi.getResponse());
+        } finally {
+            super.afterInvocation(token, null);
+        }
+    }
+
+
+    @Override
+    public void destroy() {
+
+    }
+
+    @Override
+    public Class<?> getSecureObjectClass() {
+        return FilterInvocation.class;
+
+    }
+
+    @Override
+    public SecurityMetadataSource obtainSecurityMetadataSource() {
+        return this.securityMetadataSource;
+    }
+}

feedback-service/src/main/java/com/diagbot/config/security/UrlMetadataSourceService.java

@@ -0,0 +1,40 @@
+package com.diagbot.config.security;
+
+import org.springframework.security.access.ConfigAttribute;
+import org.springframework.security.web.FilterInvocation;
+import org.springframework.security.web.access.intercept.FilterInvocationSecurityMetadataSource;
+import org.springframework.stereotype.Service;
+
+import javax.servlet.http.HttpServletRequest;
+import java.util.Collection;
+import java.util.HashSet;
+import java.util.Set;
+
+/**
+ * @Description: 自定义权限拦截
+ * @author: gaodm
+ * @time: 2018/8/23 13:47
+ */
+@Service
+public class UrlMetadataSourceService implements
+        FilterInvocationSecurityMetadataSource {
+
+    @Override
+    public Collection<ConfigAttribute> getAttributes(Object object) throws IllegalArgumentException {
+        final HttpServletRequest request = ((FilterInvocation) object).getRequest();
+        Set<ConfigAttribute> allAttributes = new HashSet<>();
+        ConfigAttribute configAttribute = new UrlConfigAttribute(request);
+        allAttributes.add(configAttribute);
+        return allAttributes;
+    }
+
+    @Override
+    public Collection<ConfigAttribute> getAllConfigAttributes() {
+        return null;
+    }
+
+    @Override
+    public boolean supports(Class<?> clazz) {
+        return true;
+    }
+}

feedback-service/src/main/java/com/diagbot/web/SysLogController.java

@@ -12,7 +12,6 @@ import com.diagbot.facade.SysLogFacade;
 import com.diagbot.vo.SysLogVo;
 import io.swagger.annotations.ApiOperation;
 import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.web.bind.annotation.DeleteMapping;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.PathVariable;
@@ -39,7 +38,6 @@ public class SysLogController {
     private SysLogFacade sysLogFacade;
 
     @ApiOperation(value = "添加日志", notes = "添加日志")
-    @PreAuthorize("hasRole('USER')")
     @PostMapping("/add")
     @SysLogger("postLog")
     public RespDTO add(@RequestBody SysLogVo sysLogVo){
@@ -53,7 +51,6 @@ public class SysLogController {
     }
 
     @ApiOperation(value = "删除日志", notes = "删除日志")
-    @PreAuthorize("hasRole('USER')")
     @DeleteMapping("/delete/{id}")
     @SysLogger("deleteLog")
     public RespDTO delete(@PathVariable(value = "id") Integer id){
@@ -61,7 +58,6 @@ public class SysLogController {
     }
 
     @ApiOperation(value = "修改日志", notes = "修改日志")
-    @PreAuthorize("hasRole('USER')")
     @PostMapping("/update")
     @SysLogger("updateLog")
     public RespDTO update(@RequestBody SysLog student){
@@ -69,7 +65,6 @@ public class SysLogController {
     }
 
     @ApiOperation(value = "获取日志列表", notes = "获取日志列表")
-    @PreAuthorize("hasRole('USER')")
     @GetMapping("/list")
     @SysLogger("listLog")
     public RespDTO list(){
@@ -78,7 +73,6 @@ public class SysLogController {
     }
 
     @ApiOperation(value = "获取日志翻页信息", notes = "获取日志翻页信息")
-    @PreAuthorize("hasRole('USER')")
     @GetMapping("/page")
     @SysLogger("pageLog")
     public RespDTO page() {

knowledge-service/src/main/java/com/diagbot/config/security/UrlAccessDecisionManager.java

@@ -0,0 +1,71 @@
+package com.diagbot.config.security;
+
+import org.springframework.security.access.AccessDecisionManager;
+import org.springframework.security.access.AccessDeniedException;
+import org.springframework.security.access.ConfigAttribute;
+import org.springframework.security.authentication.InsufficientAuthenticationException;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.web.FilterInvocation;
+import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
+import org.springframework.stereotype.Service;
+
+import javax.servlet.http.HttpServletRequest;
+import java.util.Collection;
+
+
+/**
+ * @Description: 自定义权限拦截
+ * @author: gaodm
+ * @time: 2018/8/23 13:46
+ */
+@Service
+public class UrlAccessDecisionManager implements AccessDecisionManager {
+    @Override
+    public void decide(Authentication authentication, Object object, Collection<ConfigAttribute> configAttributes) throws AccessDeniedException, InsufficientAuthenticationException {
+        HttpServletRequest request = ((FilterInvocation) object).getHttpRequest();
+        String url, method;
+        if ("anonymousUser".equals(authentication.getPrincipal())
+                && (matchers("/swagger/**", request)
+                || matchers("/v2/**", request)
+                || matchers("/webjars/**", request)
+                || matchers("/druid/**", request)
+                || matchers("/actuator/**", request)
+                || matchers("/hystrix/**", request)
+                || matchers("/", request))) {
+            return;
+        } else {
+            for (GrantedAuthority ga : authentication.getAuthorities()) {
+                String[] authority = ga.getAuthority().split(";");
+                url = authority[0];
+                method = authority[1];
+                if (matchers(url, request)) {
+                    if (method.equals(request.getMethod()) || "ALL".equals(method)) {
+                        return;
+                    }
+                }
+            }
+        }
+        throw new AccessDeniedException("no right");
+    }
+
+
+    @Override
+    public boolean supports(ConfigAttribute attribute) {
+        return true;
+    }
+
+    @Override
+    public boolean supports(Class<?> clazz) {
+        return true;
+    }
+
+
+    private boolean matchers(String url, HttpServletRequest request) {
+        AntPathRequestMatcher matcher = new AntPathRequestMatcher(url);
+        if (matcher.matches(request)) {
+            return true;
+        }
+        return false;
+    }
+}

knowledge-service/src/main/java/com/diagbot/config/security/UrlConfigAttribute.java

@@ -0,0 +1,29 @@
+package com.diagbot.config.security;
+
+import org.springframework.security.access.ConfigAttribute;
+
+import javax.servlet.http.HttpServletRequest;
+
+/**
+ * @Description: 自定义权限拦截
+ * @author: gaodm
+ * @time: 2018/8/23 13:47
+ */
+public class UrlConfigAttribute implements ConfigAttribute {
+
+    private final HttpServletRequest httpServletRequest;
+
+    public UrlConfigAttribute(HttpServletRequest httpServletRequest) {
+        this.httpServletRequest = httpServletRequest;
+    }
+
+
+    @Override
+    public String getAttribute() {
+        return null;
+    }
+
+    public HttpServletRequest getHttpServletRequest() {
+        return httpServletRequest;
+    }
+}

knowledge-service/src/main/java/com/diagbot/config/security/UrlFilterSecurityInterceptor.java

@@ -0,0 +1,79 @@
+package com.diagbot.config.security;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.access.SecurityMetadataSource;
+import org.springframework.security.access.intercept.AbstractSecurityInterceptor;
+import org.springframework.security.access.intercept.InterceptorStatusToken;
+import org.springframework.security.web.FilterInvocation;
+import org.springframework.security.web.access.intercept.FilterInvocationSecurityMetadataSource;
+import org.springframework.stereotype.Service;
+
+import javax.servlet.Filter;
+import javax.servlet.FilterChain;
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import java.io.IOException;
+
+/**
+ * @Description: 自定义权限拦截
+ * @author: gaodm
+ * @time: 2018/8/23 13:47
+ */
+@Service
+public class UrlFilterSecurityInterceptor extends AbstractSecurityInterceptor implements Filter {
+
+
+    @Autowired
+    private FilterInvocationSecurityMetadataSource securityMetadataSource;
+
+    @Autowired
+    public void setUrlAccessDecisionManager(UrlAccessDecisionManager urlAccessDecisionManager) {
+        super.setAccessDecisionManager(urlAccessDecisionManager);
+    }
+
+
+    @Override
+    public void init(FilterConfig filterConfig) throws ServletException {
+
+    }
+
+    @Override
+    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
+
+        FilterInvocation fi = new FilterInvocation(request, response, chain);
+        invoke(fi);
+    }
+
+
+    public void invoke(FilterInvocation fi) throws IOException, ServletException {
+        //fi里面有一个被拦截的url
+        //里面调用UrlMetadataSource的getAttributes(Object object)这个方法获取fi对应的所有权限
+        //再调用UrlAccessDecisionManager的decide方法来校验用户的权限是否足够
+        InterceptorStatusToken token = super.beforeInvocation(fi);
+        try {
+            //执行下一个拦截器
+            fi.getChain().doFilter(fi.getRequest(), fi.getResponse());
+        } finally {
+            super.afterInvocation(token, null);
+        }
+    }
+
+
+    @Override
+    public void destroy() {
+
+    }
+
+    @Override
+    public Class<?> getSecureObjectClass() {
+        return FilterInvocation.class;
+
+    }
+
+    @Override
+    public SecurityMetadataSource obtainSecurityMetadataSource() {
+        return this.securityMetadataSource;
+    }
+}

knowledge-service/src/main/java/com/diagbot/config/security/UrlMetadataSourceService.java

@@ -0,0 +1,40 @@
+package com.diagbot.config.security;
+
+import org.springframework.security.access.ConfigAttribute;
+import org.springframework.security.web.FilterInvocation;
+import org.springframework.security.web.access.intercept.FilterInvocationSecurityMetadataSource;
+import org.springframework.stereotype.Service;
+
+import javax.servlet.http.HttpServletRequest;
+import java.util.Collection;
+import java.util.HashSet;
+import java.util.Set;
+
+/**
+ * @Description: 自定义权限拦截
+ * @author: gaodm
+ * @time: 2018/8/23 13:47
+ */
+@Service
+public class UrlMetadataSourceService implements
+        FilterInvocationSecurityMetadataSource {
+
+    @Override
+    public Collection<ConfigAttribute> getAttributes(Object object) throws IllegalArgumentException {
+        final HttpServletRequest request = ((FilterInvocation) object).getRequest();
+        Set<ConfigAttribute> allAttributes = new HashSet<>();
+        ConfigAttribute configAttribute = new UrlConfigAttribute(request);
+        allAttributes.add(configAttribute);
+        return allAttributes;
+    }
+
+    @Override
+    public Collection<ConfigAttribute> getAllConfigAttributes() {
+        return null;
+    }
+
+    @Override
+    public boolean supports(Class<?> clazz) {
+        return true;
+    }
+}

knowledge-service/src/main/java/com/diagbot/web/SysLogController.java

@@ -12,7 +12,6 @@ import com.diagbot.facade.SysLogFacade;
 import com.diagbot.vo.SysLogVo;
 import io.swagger.annotations.ApiOperation;
 import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.web.bind.annotation.DeleteMapping;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.PathVariable;
@@ -39,7 +38,6 @@ public class SysLogController {
     private SysLogFacade sysLogFacade;
 
     @ApiOperation(value = "添加日志", notes = "添加日志")
-    @PreAuthorize("hasRole('USER')")
     @PostMapping("/add")
     @SysLogger("postLog")
     public RespDTO add(@RequestBody SysLogVo sysLogVo){
@@ -53,7 +51,6 @@ public class SysLogController {
     }
 
     @ApiOperation(value = "删除日志", notes = "删除日志")
-    @PreAuthorize("hasRole('USER')")
     @DeleteMapping("/delete/{id}")
     @SysLogger("deleteLog")
     public RespDTO delete(@PathVariable(value = "id") Integer id){
@@ -61,7 +58,6 @@ public class SysLogController {
     }
 
     @ApiOperation(value = "修改日志", notes = "修改日志")
-    @PreAuthorize("hasRole('USER')")
     @PostMapping("/update")
     @SysLogger("updateLog")
     public RespDTO update(@RequestBody SysLog student){
@@ -69,7 +65,6 @@ public class SysLogController {
     }
 
     @ApiOperation(value = "获取日志列表", notes = "获取日志列表")
-    @PreAuthorize("hasRole('USER')")
     @GetMapping("/list")
     @SysLogger("listLog")
     public RespDTO list(){
@@ -78,7 +73,6 @@ public class SysLogController {
     }
 
     @ApiOperation(value = "获取日志翻页信息", notes = "获取日志翻页信息")
-    @PreAuthorize("hasRole('USER')")
     @GetMapping("/page")
     @SysLogger("pageLog")
     public RespDTO page() {

log-service/src/main/java/com/diagbot/config/security/UrlAccessDecisionManager.java

@@ -0,0 +1,71 @@
+package com.diagbot.config.security;
+
+import org.springframework.security.access.AccessDecisionManager;
+import org.springframework.security.access.AccessDeniedException;
+import org.springframework.security.access.ConfigAttribute;
+import org.springframework.security.authentication.InsufficientAuthenticationException;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.web.FilterInvocation;
+import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
+import org.springframework.stereotype.Service;
+
+import javax.servlet.http.HttpServletRequest;
+import java.util.Collection;
+
+
+/**
+ * @Description: 自定义权限拦截
+ * @author: gaodm
+ * @time: 2018/8/23 13:46
+ */
+@Service
+public class UrlAccessDecisionManager implements AccessDecisionManager {
+    @Override
+    public void decide(Authentication authentication, Object object, Collection<ConfigAttribute> configAttributes) throws AccessDeniedException, InsufficientAuthenticationException {
+        HttpServletRequest request = ((FilterInvocation) object).getHttpRequest();
+        String url, method;
+        if ("anonymousUser".equals(authentication.getPrincipal())
+                && (matchers("/swagger/**", request)
+                || matchers("/v2/**", request)
+                || matchers("/webjars/**", request)
+                || matchers("/druid/**", request)
+                || matchers("/actuator/**", request)
+                || matchers("/hystrix/**", request)
+                || matchers("/", request))) {
+            return;
+        } else {
+            for (GrantedAuthority ga : authentication.getAuthorities()) {
+                String[] authority = ga.getAuthority().split(";");
+                url = authority[0];
+                method = authority[1];
+                if (matchers(url, request)) {
+                    if (method.equals(request.getMethod()) || "ALL".equals(method)) {
+                        return;
+                    }
+                }
+            }
+        }
+        throw new AccessDeniedException("no right");
+    }
+
+
+    @Override
+    public boolean supports(ConfigAttribute attribute) {
+        return true;
+    }
+
+    @Override
+    public boolean supports(Class<?> clazz) {
+        return true;
+    }
+
+
+    private boolean matchers(String url, HttpServletRequest request) {
+        AntPathRequestMatcher matcher = new AntPathRequestMatcher(url);
+        if (matcher.matches(request)) {
+            return true;
+        }
+        return false;
+    }
+}

log-service/src/main/java/com/diagbot/config/security/UrlConfigAttribute.java

@@ -0,0 +1,29 @@
+package com.diagbot.config.security;
+
+import org.springframework.security.access.ConfigAttribute;
+
+import javax.servlet.http.HttpServletRequest;
+
+/**
+ * @Description: 自定义权限拦截
+ * @author: gaodm
+ * @time: 2018/8/23 13:47
+ */
+public class UrlConfigAttribute implements ConfigAttribute {
+
+    private final HttpServletRequest httpServletRequest;
+
+    public UrlConfigAttribute(HttpServletRequest httpServletRequest) {
+        this.httpServletRequest = httpServletRequest;
+    }
+
+
+    @Override
+    public String getAttribute() {
+        return null;
+    }
+
+    public HttpServletRequest getHttpServletRequest() {
+        return httpServletRequest;
+    }
+}

log-service/src/main/java/com/diagbot/config/security/UrlFilterSecurityInterceptor.java

@@ -0,0 +1,79 @@
+package com.diagbot.config.security;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.access.SecurityMetadataSource;
+import org.springframework.security.access.intercept.AbstractSecurityInterceptor;
+import org.springframework.security.access.intercept.InterceptorStatusToken;
+import org.springframework.security.web.FilterInvocation;
+import org.springframework.security.web.access.intercept.FilterInvocationSecurityMetadataSource;
+import org.springframework.stereotype.Service;
+
+import javax.servlet.Filter;
+import javax.servlet.FilterChain;
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import java.io.IOException;
+
+/**
+ * @Description: 自定义权限拦截
+ * @author: gaodm
+ * @time: 2018/8/23 13:47
+ */
+@Service
+public class UrlFilterSecurityInterceptor extends AbstractSecurityInterceptor implements Filter {
+
+
+    @Autowired
+    private FilterInvocationSecurityMetadataSource securityMetadataSource;
+
+    @Autowired
+    public void setUrlAccessDecisionManager(UrlAccessDecisionManager urlAccessDecisionManager) {
+        super.setAccessDecisionManager(urlAccessDecisionManager);
+    }
+
+
+    @Override
+    public void init(FilterConfig filterConfig) throws ServletException {
+
+    }
+
+    @Override
+    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
+
+        FilterInvocation fi = new FilterInvocation(request, response, chain);
+        invoke(fi);
+    }
+
+
+    public void invoke(FilterInvocation fi) throws IOException, ServletException {
+        //fi里面有一个被拦截的url
+        //里面调用UrlMetadataSource的getAttributes(Object object)这个方法获取fi对应的所有权限
+        //再调用UrlAccessDecisionManager的decide方法来校验用户的权限是否足够
+        InterceptorStatusToken token = super.beforeInvocation(fi);
+        try {
+            //执行下一个拦截器
+            fi.getChain().doFilter(fi.getRequest(), fi.getResponse());
+        } finally {
+            super.afterInvocation(token, null);
+        }
+    }
+
+
+    @Override
+    public void destroy() {
+
+    }
+
+    @Override
+    public Class<?> getSecureObjectClass() {
+        return FilterInvocation.class;
+
+    }
+
+    @Override
+    public SecurityMetadataSource obtainSecurityMetadataSource() {
+        return this.securityMetadataSource;
+    }
+}

log-service/src/main/java/com/diagbot/config/security/UrlMetadataSourceService.java

@@ -0,0 +1,40 @@
+package com.diagbot.config.security;
+
+import org.springframework.security.access.ConfigAttribute;
+import org.springframework.security.web.FilterInvocation;
+import org.springframework.security.web.access.intercept.FilterInvocationSecurityMetadataSource;
+import org.springframework.stereotype.Service;
+
+import javax.servlet.http.HttpServletRequest;
+import java.util.Collection;
+import java.util.HashSet;
+import java.util.Set;
+
+/**
+ * @Description: 自定义权限拦截
+ * @author: gaodm
+ * @time: 2018/8/23 13:47
+ */
+@Service
+public class UrlMetadataSourceService implements
+        FilterInvocationSecurityMetadataSource {
+
+    @Override
+    public Collection<ConfigAttribute> getAttributes(Object object) throws IllegalArgumentException {
+        final HttpServletRequest request = ((FilterInvocation) object).getRequest();
+        Set<ConfigAttribute> allAttributes = new HashSet<>();
+        ConfigAttribute configAttribute = new UrlConfigAttribute(request);
+        allAttributes.add(configAttribute);
+        return allAttributes;
+    }
+
+    @Override
+    public Collection<ConfigAttribute> getAllConfigAttributes() {
+        return null;
+    }
+
+    @Override
+    public boolean supports(Class<?> clazz) {
+        return true;
+    }
+}

log-service/src/main/java/com/diagbot/web/SysLogController.java

@@ -12,7 +12,6 @@ import com.diagbot.facade.SysLogFacade;
 import com.diagbot.vo.SysLogVo;
 import io.swagger.annotations.ApiOperation;
 import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.web.bind.annotation.DeleteMapping;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.PathVariable;
@@ -39,7 +38,6 @@ public class SysLogController {
     private SysLogFacade sysLogFacade;
 
     @ApiOperation(value = "添加日志", notes = "添加日志")
-    @PreAuthorize("hasRole('USER')")
     @PostMapping("/add")
     @SysLogger("postLog")
     public RespDTO add(@RequestBody SysLogVo sysLogVo){
@@ -53,7 +51,6 @@ public class SysLogController {
     }
 
     @ApiOperation(value = "删除日志", notes = "删除日志")
-    @PreAuthorize("hasRole('USER')")
     @DeleteMapping("/delete/{id}")
     @SysLogger("deleteLog")
     public RespDTO delete(@PathVariable(value = "id") Integer id){
@@ -61,7 +58,6 @@ public class SysLogController {
     }
 
     @ApiOperation(value = "修改日志", notes = "修改日志")
-    @PreAuthorize("hasRole('USER')")
     @PostMapping("/update")
     @SysLogger("updateLog")
     public RespDTO update(@RequestBody SysLog student){
@@ -69,7 +65,6 @@ public class SysLogController {
     }
 
     @ApiOperation(value = "获取日志列表", notes = "获取日志列表")
-    @PreAuthorize("hasRole('USER')")
     @GetMapping("/list")
     @SysLogger("listLog")
     public RespDTO list(){
@@ -78,7 +73,6 @@ public class SysLogController {
     }
 
     @ApiOperation(value = "获取日志翻页信息", notes = "获取日志翻页信息")
-    @PreAuthorize("hasRole('USER')")
     @GetMapping("/page")
     @SysLogger("pageLog")
     public RespDTO page() {