Spring安全动态授权和认证

我在Web上创建了这个xml spring安全配置，以便创建动态角色身份验证：

<bean id="filter" class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor">
<property name="authenticationManager" ref="authenticationManager"/>
<property name="accessDecisionManager">
     <bean class="org.springframework.security.access.vote.AffirmativeBased">
        <property name="decisionVoters" >
        <bean class="org.springframework.security.access.vote.RoleVoter">
            <property name="rolePrefix" value="ROLE_"/>
        </bean>
        </property>
     </bean>
</property>
<property name="securityMetadataSource" ref="dbFilterInvocationSecurityMetadataSource"/>
</bean>

我试图用注释替换它，为此我创建了这个bean：

@Bean
public FilterSecurityInterceptor filterSecurityInterceptor(AuthenticationManager auth) {

    List<AccessDecisionVoter<?>> decisionVoters = new ArrayList<>();
    RoleVoter decisionVoter = new RoleVoter();
    decisionVoter.setRolePrefix("");
    decisionVoters.add(decisionVoter);
    FilterSecurityInterceptor filterSecurityInterceptor = new FilterSecurityInterceptor();
    filterSecurityInterceptor.setAuthenticationManager(auth);
    filterSecurityInterceptor.setAccessDecisionManager(
            new AffirmativeBased(decisionVoters));
    filterSecurityInterceptor.setSecurityMetadataSource(dbFilterInvocationSecurityMetadataSource);
    return filterSecurityInterceptor;
}

这是我的DbFilterInvocationSecurityMetadataSource类：

@Component
public class DbFilterInvocationSecurityMetadataSource implements FilterInvocationSecurityMetadataSource, InitializingBean{
private static final Logger logger = LoggerFactory.getLogger(DbFilterInvocationSecurityMetadataSource.class.getName());

@Autowired
private UUsersService userService;

@Autowired
UrlCache urlCache;

private HashMap<String, List<String>> urlRoles;

@Override
public Collection<ConfigAttribute> getAttributes(Object object) throws IllegalArgumentException {
    FilterInvocation fi=(FilterInvocation)object;
    String url=fi.getRequestUrl();
    logger.debug("Request Url====>"+url);

    List<String> roles_=urlRoles.get(url);
    logger.debug("Ruoli associati all'url :"+roles_);
    if(roles_==null){
        return null;
    }
    logger.debug("------------------");
    String[] stockArr = new String[roles_.size()];
    stockArr = roles_.toArray(stockArr);
    return SecurityConfig.createList(stockArr);
}

@Override
public Collection<ConfigAttribute> getAllConfigAttributes() {
    return null;
}

@Override
public boolean supports(Class<?> clazz) {
    return true;
}

@Override
public void afterPropertiesSet() throws Exception {
    userService.getUrlRoles();
    this.urlRoles=urlCache.getUrlRoles();
    logger.debug("Oggetto ruoli/urls :"+urlRoles);
}

}

现在，所有网址都是从过滤器和与之关联的角色中拦截的，但是我无法理解如何将已登录用户的角色与从请求的网址检索到的角色相关联 . 在我的loadByUsername方法实现中，我以这种方式恢复与loggedUser关联的角色：

public PMAuthenticationUserDetails loadPMUserByUsername(String username) throws UsernameNotFoundException {
    PMAuthenticationUserDetails userDTO = null;
    try{
        // get anagrafica
        UUsers user = usersDao.findUserByUsername(username);

        if(user != null){
            // get role
            List<UAuthorities> authorities = userAuthorityDao.findAuthoritiesByUserId(user.getId());

            //get urls
            List<UResource> urls = authorityResourceDao.findUrlsByAuthorities(authorities);

            logger.info("L'utente con username: " + username + " esiste e ha n° " + authorities.size() + " ruoli associati.");

            /** per spring */
            Collection<GrantedAuthority> authoritiesDTO = new ArrayList<GrantedAuthority>();

            /** lista codici ruoli (Stringhe prive del prefisso spring "ROLE_" */
            List<String> codeAuthorities = new ArrayList<String>();

            logger.info("Elenco ruoli: ");

            for (UAuthorities item : authorities) {
                logger.info(AuthenticationType.PREFIX_ROLE + item.getAuthority());
                /**
                 * Quindi creiamo un oggetto di SimpleGrantedAuthority per passare quel ruolo in esso.
                 */
                authoritiesDTO.add(new SimpleGrantedAuthority(AuthenticationType.PREFIX_ROLE + item.getAuthority()));
                /**
                 * Aggiungo alla lista il codice del ruolo.
                 */
                codeAuthorities.add(item.getAuthority());
            }

            /**
             * Dopo valorizziamo l' oggetto user personalizzato che avrà il nome utente, le credenziali, ed 
             * eventuali altri campi come e-mail ecc.
             */
            userDTO = new PMAuthenticationUserDetails(user.getUsername(), user.getPassword(), user.isEnabled(), true, true, true, authoritiesDTO);
            // set custom property
            userDTO.setUserId(String.valueOf(user.getId()));
            userDTO.setFirstname(user.getFirstname());
            userDTO.setLastname(user.getLastname());
            userDTO.setEmail(user.getEmail());
            userDTO.setAvatar(user.getAvatar());
            userDTO.setRoles(codeAuthorities);
        }else
            logger.error("L'utente con username: " + username + " >>> NON E' STATO TROVATO IN TABELLA.");

        return userDTO;
    }catch(Exception e ){
        logger.error("loadPMUserByUsername >>> " + e, e);
        return userDTO;
    }
}

我的配置需要更多内容吗？

`