applicationContext-security.xml配置详解
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security.xsd">
<!-- Evaluates whether the current principal could invoke a given URL, delegating to the
     custom filterSecurityInterceptor defined further down so the answer matches the
     access rules the filter chain itself applies. -->
<beans:bean id="customWebInvocationPrivilegeEvaluator"
            class="org.springframework.security.web.access.DefaultWebInvocationPrivilegeEvaluator">
  <beans:constructor-arg name="securityInterceptor" ref="filterSecurityInterceptor"/>
</beans:bean>
<!-- Paths exempted from the security filter chain.
     security="none" removes a path from the chain entirely: no SecurityContext is
     populated for it and none of the session-management, logout or access-denied
     handling configured in <http> below applies. That is appropriate for images,
     css, js and themes, but several entries below are functional endpoints
     (user registration, password sending, account activation, monitoringAnalysis/**,
     wechat/**, the changeUser servlet and the encrypt action).
     NOTE(review): confirm each functional endpoint is meant to be reachable with no
     authentication or authorization at all; anything that is not should be moved
     back into the secured chain rather than exempted here. -->
<http pattern="/images/**" security="none"/>
<http pattern="/files/**" security="none"/>
<http pattern="/css/**" security="none"/>
<http pattern="/downloadExcel/**" security="none" />
<http pattern="/EasyUI/**" security="none" />
<http pattern="/js/**" security="none"/>
<http pattern="/themes/**" security="none"/>
<http pattern="/login.jsp" security="none"/>
<http pattern="/companyLogin.jsp" security="none"/>
<http pattern="/forget_password.jsp" security="none"/>
<http pattern="/register.jsp" security="none"/>
<http pattern="/register/companyRegister!register" security="none"/>
<http pattern="/adv_1.png" security="none" />
<http pattern="/auth/theme!currentTheme" security="none" />
<http pattern="/jump.jsp" security="none"/>
<http pattern="/auth/user!addUser.action" security="none"/>
<http pattern="/auth/user!findByCode.action" security="none"/>
<http pattern="/auth/user!sendpassword.action" security="none"/>
<http pattern="/wechat/**" security="none"/>
<http pattern="/monitoringAnalysis/**" security="none"/>
<http pattern="/auth/user!activeCompanyUser.action" security="none"/>
<!-- Triggers the overview statistics count.
     NOTE(review): the leading /**/ matches test!startCount under any path prefix,
     not just one controller; confirm that breadth is intended. -->
<http pattern="/**/test!startCount" security="none"/>
<!-- In-application user switching.
     NOTE(review): because this servlet sits outside the chain it runs with no
     authenticated principal and no authorization decision; verify this is intended
     and that the servlet performs its own checks. -->
<http pattern="/**/servlet/changeUser.servlet" security="none"/>
<!-- Encryption helper action, likewise exempted from the chain. -->
<http pattern="/setting/encrypt!encrypt" security="none"/>
<!-- <beans:bean id="myAuthenticationEntryPoint"
class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
<beans:property name="loginFormUrl" value="/"/>
</beans:bean> -->
<!-- Entry point for requests that reach the secured chain unauthenticated:
     redirects them to the custom login page. -->
<beans:bean id="smartLoginUrlAuthenticationEntryPoint" class="com.demo.SmartLoginUrlAuthenticationEntryPoint">
  <beans:property name="loginFormUrl" value="/login.jsp"/>
</beans:bean>
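<!-- Main secured filter chain; every path not exempted above passes through it.
     Unauthenticated requests go to smartLoginUrlAuthenticationEntryPoint and
     authorization decisions go to customAccessDecisionManager. -->
<http once-per-request="true" use-expressions="false" entry-point-ref="smartLoginUrlAuthenticationEntryPoint" access-decision-manager-ref="customAccessDecisionManager" disable-url-rewriting="true">
<!-- Author's note: intercept-url rules would use Spring Security's built-in access
     decision manager, but with a custom one set on <http> such rules are not
     effective here; URL authorization comes from filterSecurityInterceptor below. -->
<form-login login-page="/login.jsp" authentication-failure-handler-ref="failureHandler" authentication-success-handler-ref="successHandler"/>
<logout delete-cookies="JSESSIONID" invalidate-session="true"/>
<!-- Custom page for an authenticated user who lacks the required permission. -->
<access-denied-handler ref="my403"/>
<!-- Registers the custom interceptor; before="FILTER_SECURITY_INTERCEPTOR" runs it
     ahead of the interceptor the namespace installs at that position. -->
<custom-filter ref="filterSecurityInterceptor" before="FILTER_SECURITY_INTERCEPTOR" />
<!-- Was session-fixation-protection="none", which let a session id that existed
     before login survive authentication (session fixation). migrateSession issues
     a fresh id on login and carries the existing attributes over.
     NOTE(review): confirm nothing (e.g. the changeUser servlet) depends on the
     session id staying stable across login. -->
<session-management session-fixation-protection="migrateSession">
<concurrency-control expired-url="/logout.jsp" />
</session-management>
</http>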
<!-- Post-login success handling: sends the user to the home page. "username" is
     presumably the request parameter the handler reads the login name from. -->
<beans:bean id="successHandler" class="com.demo.security.LoginAuthenticationSuccessHandler">
  <beans:property name="url" value="/home/home!index"/>
  <beans:property name="username" value="j_username"/>
</beans:bean>
<!-- Login failure handling: returns to the matching login page with error= set;
     companyUrl covers the company login variant. "username" is presumably the
     request parameter carrying the attempted login name. -->
<beans:bean id="failureHandler" class="com.demo.security.LoginAuthenticationFailureHandler">
  <beans:property name="url" value="/login.jsp?error="/>
  <beans:property name="companyUrl" value="/companyLogin.jsp?error="/>
  <beans:property name="username" value="j_username"/>
</beans:bean>
<!-- Custom FilterSecurityInterceptor, wired into the chain above via <custom-filter>.
     observeOncePerRequest="false" makes it evaluate access on every pass through the
     chain (e.g. forwards and includes) instead of only the first one. -->
<beans:bean id="filterSecurityInterceptor" class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor">
  <beans:property name="observeOncePerRequest" value="false"/>
  <!-- Authenticates the principal; resolves to the <authentication-manager> alias below. -->
  <beans:property name="authenticationManager" ref="authenticationManager"/>
  <!-- Decides whether the principal may access the requested resource. -->
  <beans:property name="accessDecisionManager" ref="customAccessDecisionManager"/>
  <!-- Maps request URLs to the permissions they require. -->
  <beans:property name="securityMetadataSource" ref="customSecurityMetadataSource"/>
</beans:bean>
<!-- Supplies the URL-to-permission mapping consumed by filterSecurityInterceptor above. -->
<beans:bean id="customSecurityMetadataSource" class="com.demo.security.CustomFilterInvocationSecurityMetadataSource"/>
<!-- Authentication manager; the alias is what ref="authenticationManager" on
     filterSecurityInterceptor resolves to. -->
<authentication-manager alias="authenticationManager">
  <!-- Loads the user and its authorities through customUserDetailsService. -->
  <authentication-provider user-service-ref="customUserDetailsService">
    <!-- NOTE(review): plain MD5 with no salt source is a fast, unsalted digest and
         offers little resistance to offline cracking if the credential store leaks.
         Moving to a salted, adaptive algorithm (later Spring Security versions accept
         bcrypt in this element) requires re-hashing existing passwords, so the value
         is left unchanged here. -->
    <password-encoder hash="md5"/>
  </authentication-provider>
</authentication-manager>
<!-- 获取登录的用户、用户权限 -->
<!-- <beans:bean id="customUserDetailsService"
class="com.demo.security.UserDetailServiceImpl">
</beans:bean> -->
<!-- UserDetailsService referenced by user-service-ref above; loads the account and
     its authorities during authentication. -->
<beans:bean id="customUserDetailsService" class="com.demo.interceptor.LoginCheckService"/>
<!-- Custom AccessDecisionManager deciding whether the current principal may access the
     requested resource; shared by <http> and filterSecurityInterceptor. -->
<beans:bean id="customAccessDecisionManager" class="com.demo.security.SevenCustomAccessDecisionManager"/>
<!-- Access-denied handler: invoked when an authenticated user requests a resource
     without the required permission, rendering errorPage.
     NOTE(review): the package is com.dome while every other custom bean in this
     file lives under com.demo; if that is a typo, bean creation fails at startup. -->
<beans:bean id="my403" class="com.dome.security.SevenAccessDeniedHandler">
  <beans:property name="errorPage" value="/common/error/403.jsp"/>
</beans:bean>