web.xml
<!--springSecurity配置 -->
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>classpath:spring/spring-security.xml</param-value>
</context-param>
<listener>
<listener-class>
org.springframework.web.context.ContextLoaderListener
</listener-class>
</listener>
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
spring-security.xml
<!-- 放行: 配置不拦截的资源 -->
<security:http pattern="/*.html" security="none"/>
<security:http pattern="/css/**" security="none"/>
<security:http pattern="/img/**" security="none"/>
<security:http pattern="/plugins/**" security="none"/>
<security:http pattern="/js/**" security="none"/>
<security:http pattern="/seller/add.do" security="none"/>
<security:http auto-config="true" use-expressions="false">
<!-- 配置具体的拦截的规则 pattern="请求路径的规则" access="访问系统的人,必须有ROLE_USER 或 ROLE_ADMIN 的之一角色" -->
<security:intercept-url pattern="/**" access="ROLE_SELLER"/>
<!-- 定义跳转的具体的页面
ddefault-target-url="/index.jsp": 用户名和密码匹配, 跳转的页面(没有权限等,或者没有设置success的话, 所以两者只用设置一个)
authentication-success-forward-url: 用户名, 密码, 权限等都匹配, 跳转的页面-->
<security:form-login
login-page="/shoplogin.html"
default-target-url="/admin/index.html"
authentication-failure-url="/shoplogin.html"
always-use-default-target="true"
/> <!--always-use-default-target, 登录后默认到default-target-url指定的路径-->
<!-- 关闭跨服务器的请求, 默认是开启的, 这样可能有安全问题 -->
<security:csrf disabled="true"/>
<!--设置可以使用iframe框架页-->
<security:headers>
<security:frame-options policy="SAMEORIGIN"/>
</security:headers>
<!-- 注销 -->
<security:logout logout-success-url="/shoplogin.html" />
</security:http>
<!--切换成数据库中的用户名和密码, 是采用的配置版的-->
<security:authentication-manager> <!--规定了认证操作的service, 去完成登录认证-->
<security:authentication-provider user-service-ref="userDetailsService">
<!-- 配置解密的方式 -->
<security:password-encoder ref="passwordEncoder"/>
</security:authentication-provider>
</security:authentication-manager>
<!--对userDetailsService接口进行注入-->
<bean id="userDetailsService" class="com.pinyougou.service.UserDetailsServiceImpl">
<!--spring中的ioc进行注入-->
<property name="sellerService" ref="sellerService"/>
</bean>
<!-- 配置加密类 -->
<bean id="passwordEncoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder"/>
<!--reference: 调用dubbo中的sellerService接口-->
<dubbo:application name="pinyougou_shop_web"/>
<dubbo:registry address="zookeeper://192.168.25.128:2181"/>
<dubbo:reference interface="com.pinyougou.sellergoods.service.SellerService" id="sellerService"/>