(一)springboot security 自定义 filter实现自定义权限

 代码下载地址 

git@github.com:only-care/springboot-security.git

一、权限验证拦截器:重写 attemptAuthentication 实现自定义拦截,在其中完成凭据校验,并将结果封装为 UsernamePasswordAuthenticationToken 返回。注意:只有在凭据真正通过校验(例如交给 AuthenticationManager)之后才能返回已认证的 token,否则任何提交到登录地址的请求都会被当作已登录用户。

import java.util.ArrayList;
import java.util.List;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

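/**
 * Login filter that reads the {@code username} and {@code password} request parameters,
 * wraps them in an unauthenticated {@link UsernamePasswordAuthenticationToken} and hands
 * that token to the configured AuthenticationManager for verification.
 *
 * <p>Security note: the three-argument token constructor (principal, credentials,
 * authorities) produces a token that is already marked as authenticated. Building such a
 * token straight from request parameters would log in every caller with whatever name
 * they typed, so this filter only ever builds the two-argument (unauthenticated) form and
 * returns what the AuthenticationManager decides.
 */
public class OpenIdAuthenticationFilter extends UsernamePasswordAuthenticationFilter {
	// Only POST is accepted. This field is private to this class, so the parent's
	// setPostOnly(..) does not change it.
	private final boolean postOnly = true;

	/**
	 * Extracts the submitted credentials and delegates verification to the
	 * AuthenticationManager set on this filter.
	 *
	 * @param request  the login request carrying {@code username} and {@code password}
	 * @param response the response (unused here)
	 * @return the token returned by the AuthenticationManager
	 * @throws AuthenticationException if the method is not POST, no AuthenticationManager
	 *         has been set, or the manager rejects the credentials
	 */
	@Override
	public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response)
			throws AuthenticationException {
		// Constant-first comparison also covers a null method string.
		if (postOnly && !"POST".equals(request.getMethod())) {
			throw new AuthenticationServiceException(
					"Authentication method not supported: " + request.getMethod());
		}
		String username = request.getParameter("username"); // default parameter names
		String password = request.getParameter("password");
		username = username == null ? "" : username.trim();
		password = password == null ? "" : password;

		// Two-argument constructor: this token is NOT authenticated yet.
		UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken(
				username, password);
		// Let the parent build the details object instead of storing the raw
		// HttpServletRequest (which also carries the password parameter) in the token.
		super.setDetails(request, authRequest);

		// Fail closed: without a manager there is nothing that can verify the credentials.
		if (super.getAuthenticationManager() == null) {
			throw new AuthenticationServiceException("No AuthenticationManager configured");
		}
		return super.getAuthenticationManager().authenticate(authRequest);
	}
}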

  二、将自定义的 filter 添加到 HttpSecurity 配置中,完整代码如下:

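/**
 * Application entry point and security configuration in one class: exposes a sample
 * endpoint at "/" and registers {@code OpenIdAuthenticationFilter} for POST /login.
 */
@RestController
@EnableWebSecurity
@SpringBootApplication
public class StartApp extends WebSecurityConfigurerAdapter {

    /** Sample endpoint; covered by the "any request must be authenticated" rule below. */
    @RequestMapping("/")
    String index() {
        return "Hello World!";
    }

    public static void main(String[] args) {
        SpringApplication.run(StartApp.class, args);
    }

    /**
     * Requires authentication for every request, enables form login and HTTP Basic, and
     * adds the custom login filter.
     *
     * @param http the security builder to configure
     * @throws Exception if the configuration or the AuthenticationManager cannot be built
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .and()
            .httpBasic();

        // Register the custom filter with HttpSecurity.
        OpenIdAuthenticationFilter openIdAuthenticationFilter = new OpenIdAuthenticationFilter();
        // Hand the filter this application's AuthenticationManager rather than null, so it
        // has something to verify submitted credentials against.
        // NOTE(review): the filter must actually call it; a filter that returns an
        // already-authenticated token by itself makes the authenticated() rule above
        // meaningless.
        openIdAuthenticationFilter.setAuthenticationManager(super.authenticationManager());
        openIdAuthenticationFilter.setRequiresAuthenticationRequestMatcher(new AntPathRequestMatcher("/login", "POST"));
        http.addFilter(openIdAuthenticationFilter);
    }
}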

 

原文地址:https://www.cnblogs.com/black-/p/8865103.html