Spring Security用户定义的url拦截器

Question

我已经在我的webapp中实现了spring security。

下面是我的安全confile文件：

<beans:beans xmlns="http://www.springframework.org/schema/security" 
    xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
    xsi:schemaLocation="http://www.springframework.org/schema/beans 
    http://www.springframework.org/schema/beans/spring-beans-3.0.xsd 
    http://www.springframework.org/schema/security 
    http://www.springframework.org/schema/security/spring-security-3.2.xsd"> 

    <!-- enable use-expressions --> 
    <http auto-config="true" use-expressions="true"> 
     <intercept-url pattern="/admin**" access="Admin" /> 

     <!-- access denied page --> 
    <access-denied-handler error-page="/403" /> 
     <form-login 
      login-page="/login" 
      default-target-url="/welcome" 
      authentication-failure-url="/login?error" 
      username-parameter="mobileno" 
      password-parameter="staffpwd" /> 
     <logout logout-success-url="/login?logout" /> 
     <csrf/> 
    </http> 

    <authentication-manager> 
     <authentication-provider> 
      <jdbc-user-service data-source-ref="dataSource" 
      users-by-username-query= 
      "select username,password, enabled from users where username=?" 
      authorities-by-username-query= 
      "select username, role from user_roles where username =? " /> 
     </authentication-provider> 
    </authentication-manager> 

</beans:beans> 

在拦截网址现在/管理URL只允许管理员角色的用户。现在，我必须添加一条新规则，如果某人未经过验证或被阻止，则该用户不得访问该网址。基于数据库表格计算的业务逻辑更少。那么我该如何配置这些用户定义的拦截器。

它是我第一次做弹簧安全，请告诉我怎么做到这一点。

感谢

Answer 1

<http auto-config="true" use-expressions="true"> 
    <!-- static resource --> 
    <intercept-url pattern="/403" access="permitAll" /> 
    <intercept-url pattern="/login" access="permitAll" /> 

    <!-- only user with Admin role can access --> 
    <intercept-url pattern="/admin**" access="hasRole('Admin')" /> 

    <!-- other urls should be authenticated --> 
    <intercept-url pattern="/**" access="isFullyAuthenticated()" /> 

    <!-- access denied page --> 
    <access-denied-handler error-page="/403" /> 
    <form-login 
     login-page="/login" 
     default-target-url="/welcome" 
     authentication-failure-url="/login?error" 
     username-parameter="mobileno" 
     password-parameter="staffpwd" /> 
    <logout logout-success-url="/login?logout" /> 
    <csrf/> 
</http> 

现在我要添加新的规则，如果有人未经过验证，或者如果阻塞则该用户不能访问url.There少基于数据库表更多的商业逻辑计算

如果您需要执行更复杂的业务，你应该实现自己的UserDetailsService或AuthenticationProvider