ログインとパーミッションのロール制御のためのSpringセキュリティ

CREATE TABLE `user` (
 `username` varchar(255) NOT NULL,
 `password` char(255) NOT NULL,
 `roles` enum('MEMBER','MEMBER,LEADER','SUPER_ADMIN') NOT NULL DEFAULT 'MEMBER',
 PRIMARY KEY (`username`),
 KEY `username` (`username`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8;

<%@ page contentType="text/html;charset=UTF-8" language="java" isELIgnored="false" %>
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
<%@ taglib prefix="sf" uri="http://www.springframework.org/tags/form"%>
<html>
<head>
 <title>login</title>
</head>
<body>
<div >
 
 <sf:form action="${pageContext.request.contextPath}/log" method="POST" commandName="user"> <! -- spring form tag for model binding and automatically add hidden CSRF token tag -- >
  <h1 >login</h1>
  <c:if test="${error==true}"><p style="color: red">Wrong account or password</p></c:if> <! -- Failed login will show this -->
  <c:if test="${logout==true}"><p >Logged out of login</p></c:if> <! -- Logging out of the login will show this -- >
  <sf:input path="username" name="user.username" placeholder="Enter account" /><br />
  <sf:password path="password" name="user.password" placeholder="Enter password" /><br />
  <input id="remember-me" name="remember-me" type="checkbox"/> <! -- checkbox for remember-me function -->
  <label for="remember-me">Remember me in a week</label>
  <input type="submit" class="sumbit" value="submit" >
 </sf:form>
</div>
</body>
</html> 

<%@ page contentType="text/html;charset=UTF-8" language="java" isELIgnored="false"%>
<%@taglib prefix="security" uri="http://www.springframework.org/security/tags" %>
<%@ taglib prefix="sf" uri="http://www.springframework.org/tags/form"%>
<html>
<head>
 <title> Welcome,<security:authentication property="principal.username" var="username"/>${username}</ title> <! -- The successful login will show the name, here var saves the user name to the username variable, the following can be obtained by EL -- >
</head>
<body>
<security:authorize access="isAuthenticated()"><h3>Login successful! ${username}</h3></security:authorize> <! -- login success will show the name -->

<security:authorize access="hasRole('MEMBER')"> <! -- The MENBER role will then display the contents of the security:authorize tag -- >
 <p>You are MENBER</p>
</security:authorize>

<security:authorize access="hasRole('LEADER')">
 <p>You are LEADER</p>
</security:authorize>


<sf:form id="logoutForm" action="${pageContext.request.contextPath}/logout" method="post"> <! -- Logout button, note that here is post, get is will logout failure -- >
 <a href="#" onclick="document.getElementById('logoutForm').submit();">logout</a>
</sf:form>
</body>
</html>

@Order(2)
public class WebSecurityAppInit extends AbstractSecurityWebApplicationInitializer{
}

@Configuration
@EnableWebSecurity
@ComponentScan("com.chuanzhi.workspace.service.impl.*")
public class WebSecurityConfig extends WebSecurityConfigurerAdapter{　　　　　　　　　　

 @Autowired
 private UserDetailService userDetailService; //if userDetailService is not scanned then add the @ComponentScan

 @Override
 protected void configure(HttpSecurity http) throws Exception {
  http.authorizeRequests()
     .antMatchers("/me").hasAnyRole("MEMBER","SUPER_ADMIN")//personal home page only allows users with the MENBER,SUPER_ADMIN role to access
     .anyRequest().authenticated()
     .and()
    .formLogin()
     .loginPage("/").permitAll() //here the default path is the login page, allowing everyone to log in
     .loginProcessingUrl("/log") //login submission processing url
     .failureForwardUrl("/?error=true") //login failed to forward, here back to the landing page, the parameter error can tell the landing status
     .defaultSuccessUrl("/me") //login success url, here go to the personal home page
     .and()
    .logout().logoutUrl("/logout").permitAll().logoutSuccessUrl("/?logout=true") //in order, the first is the logout url, security will intercept this url so we do not need to implement the logout, the second is the logout url, logout to inform the login status
     .and()
    .rememberMe()
     .tokenValiditySeconds(604800) //rememberMe function, cookie expiration date is one week
     .rememberMeParameter("remember-me") //Whether to activate the remember me function when logging in the parameter name, in the landing page there is a display
     .rememberMeCookieName("workspace"); //name of the cookie, you can view the cookie name through your browser after login
 }

 @Override
 public void configure(WebSecurity web) throws Exception {
  super.configure(web);
 }

 @Override
 protected void configure(AuthenticationManagerBuilder auth) throws Exception {
  auth.userDetailsService(userDetailService); //configure custom userDetailService
 }
}

@Service(value = "userDetailService")
public class UserDetailService implements UserDetailsService {

 @Autowired
 private UserRepository repository;　　　　　　　　　　

 public UserDetailService(UserRepository userRepository){
  this.repository = userRepository; // user repository, not described here
 }

 public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {

  User user = repository.findUserByUsername(username);
  if (user==null)
   throw new UsernameNotFoundException("The account information could not be found! "); //throw exception, will jump to the login failure page according to the configuration

  List<GrantedAuthority> list = new ArrayList<GrantedAuthority>(); //GrantedAuthority is the permission class provided by security

  getRoles(user,list); //get the roles and put them inside the list

  org.springframework.security.core.userdetails.User auth_user = new
    User(user.getUsername(),user.getPassword(),list); //return the User including the permission role to security
  return auth_user;
 }

 /**
  * Get the role to which the user belongs
  * @param user
  * @param list
  * public void getRoles(User user,List<GrantedAuthority> list){
  for (String role:user.getRoles().split(",")) {