Spring Security access denied

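How do I create a guest role that can access only the guest pages, which admins and users cannot access? I use a database for users. Do I need to put the guest into the database, or is there some standard way?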

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .antMatchers("/admin/**").access("hasRole('ROLE_ADMIN')")
                .antMatchers("/user/**").access("hasRole('ROLE_USER')")
                .antMatchers("/basket/**").access("hasRole('ROLE_USER')")
            .and().formLogin()
                .loginPage("/login").failureUrl("/login?error")
                .usernameParameter("username")
                .passwordParameter("password")
            .and().logout().logoutSuccessUrl("/login?logout")
            .and().csrf()
            .and().exceptionHandling().accessDeniedPage("/403");
    }

Controller

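    import javax.servlet.http.HttpServletRequest;

    import org.springframework.security.authentication.AnonymousAuthenticationToken;
    import org.springframework.security.authentication.BadCredentialsException;
    import org.springframework.security.authentication.LockedException;
    import org.springframework.security.core.Authentication;
    import org.springframework.security.core.context.SecurityContextHolder;
    import org.springframework.security.core.userdetails.UserDetails;
    import org.springframework.stereotype.Controller;
    import org.springframework.ui.Model;
    import org.springframework.web.bind.annotation.RequestMapping;
    import org.springframework.web.bind.annotation.RequestMethod;
    import org.springframework.web.bind.annotation.RequestParam;
    import org.springframework.web.servlet.ModelAndView;

    @Controller
    public class MainController {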
        @RequestMapping(value = { "/", "/index" }, method = RequestMethod.GET)
        public ModelAndView defaultPage() {
            ModelAndView model = new ModelAndView();
            model.setViewName("index");
            return model;
        }

        @RequestMapping(value = "/admin", method = RequestMethod.GET)
        public ModelAndView adminPage() {
            ModelAndView model = new ModelAndView();
            model.addObject("title", "Spring Security + Hibernate Example");
            model.addObject("message", "This page is for ROLE_ADMIN only!");
            model.setViewName("adminmy");
            return model;

        }

        @RequestMapping(value = "/login", method = RequestMethod.GET)
        public ModelAndView login(@RequestParam(value = "error", required = false) String error,
                @RequestParam(value = "logout", required = false) String logout, HttpServletRequest request) {

            ModelAndView model = new ModelAndView();
            if (error != null) {
                model.addObject("error", getErrorMessage(request, "SPRING_SECURITY_LAST_EXCEPTION"));
            }

            if (logout != null) {
                model.addObject("msg", "You've been logged out successfully.");
            }
            model.setViewName("login");

            return model;

        }
        //guestview
        @RequestMapping("/top/")
        public String listCategory ( Model model) {
            return "top";
        }

        @RequestMapping("/user")
        public String user ( Model model) {
            return "userview";
        }




        // customize the error message
        private String getErrorMessage(HttpServletRequest request, String key) {

            Exception exception = (Exception) request.getSession().getAttribute(key);

            String error = "";
            if (exception instanceof BadCredentialsException) {
                error = "Invalid username and password!";
            } else if (exception instanceof LockedException) {
                error = exception.getMessage();
            } else {
                error = "Invalid username and password!";
            }

            return error;
        }

        // for 403 access denied page
        @RequestMapping(value = "/403", method = RequestMethod.GET)
        public ModelAndView accesssDenied() {

            ModelAndView model = new ModelAndView();

            // check whether the user is logged in
            Authentication auth = SecurityContextHolder.getContext().getAuthentication();
            if (!(auth instanceof AnonymousAuthenticationToken)) {
                UserDetails userDetail = (UserDetails) auth.getPrincipal();
                System.out.println(userDetail);

                model.addObject("username", userDetail.getUsername());
            }
            model.setViewName("403");
            return model;
        }
    }

Does the admin have access to "/user/**"? I suggest reading
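
One way to get a guest-only page without a guest row in the user database, as an added example that is not part of the original post or its comments: Spring Security gives every request without a login an anonymous authentication, and the `anonymous()` rule matches only that. It assumes the `WebSecurityConfigurerAdapter` style used in the question and that the guest pages sit under `/top/**` (taken from the controller's `/top/` mapping); the class name `GuestOnlySecurityConfig` is hypothetical.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// Added example; hypothetical class name, URL layout assumed from the question.
@Configuration
@EnableWebSecurity
public class GuestOnlySecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                // Guest-only: true only for the anonymous authentication assigned to
                // requests that carry no login. A logged-in ROLE_USER or ROLE_ADMIN
                // principal fails this rule and is forwarded to the access-denied page.
                .antMatchers("/top/**").anonymous()
                // Each role is checked on its own: an account that holds only
                // ROLE_ADMIN is refused on /user/** and /basket/**.
                .antMatchers("/admin/**").hasRole("ADMIN")
                .antMatchers("/user/**", "/basket/**").hasRole("USER")
            .and().formLogin()
                .loginPage("/login").failureUrl("/login?error")
                .usernameParameter("username")
                .passwordParameter("password")
            .and().logout().logoutSuccessUrl("/login?logout")
            .and().csrf()
            // Authenticated users who hit a rule they do not satisfy land here;
            // anonymous users are redirected to the login page instead.
            .and().exceptionHandling().accessDeniedPage("/403");
    }
}
```

Paths not listed in a rule stay open to everyone, as in the question's configuration; add a final `.anyRequest()` rule if unlisted paths should require a login.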