Spring3.x升级Spring4.0

applicationContext-security.xml 配置文件

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:p="http://www.springframework.org/schema/p" xmlns:sec="http://www.springframework.org/schema/security"
	xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
       http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd">

	<sec:http>
		<sec:intercept-url pattern="/login.*" filters="none" />
		<sec:intercept-url pattern="/**" access="ROLE_BASIC" />
		<sec:session-management session-fixation-protection="none">
			<sec:concurrency-control error-if-maximum-exceeded="false" max-sessions="1" />
		</sec:session-management>
		<sec:form-login login-page="/login.shtml" default-target-url="/index.shtml" always-use-default-target="true" />
		<sec:access-denied-handler error-page="/common/accessDenied.jsp" />
		<sec:logout logout-url="/logout" />
		<sec:http-basic />
		<sec:custom-filter ref="mySecurityFilter" after="FILTER_SECURITY_INTERCEPTOR" />
	</sec:http>

	<bean id="mySecurityFilter" class="com.treasurebox.framework.security.MyFilterSecurityInterceptor">
		<property name="authenticationManager" ref="authenticationManager" />
		<property name="accessDecisionManager" ref="myAccessDecisionManager" />
		<property name="securityMetadataSource" ref="mySecurityMetadataSource" />
	</bean>

	<sec:authentication-manager alias="authenticationManager">
		<sec:authentication-provider user-service-ref="myUserDetailsService">
			<sec:password-encoder ref="mySecurityPasswordEncoder">
				<sec:salt-source user-property="salt" />
			</sec:password-encoder>
		</sec:authentication-provider>
	</sec:authentication-manager>

	<bean id="messageSource" class="org.springframework.context.support.ResourceBundleMessageSource">
		<property name="basenames">
			<list>
				<value>messages_spring_security</value>
			</list>
		</property>
	</bean>

	<!--JCaptcha验证码服务 -->
	<bean id="captchaService" class="com.octo.captcha.service.image.DefaultManageableImageCaptchaService">
		<property name="captchaEngine">
			<bean class="com.treasurebox.framework.security.GMailEngine" />
		</property>
		<property name="minGuarantedStorageDelayInSeconds" value="600" />
	</bean>
</beans>

<?xml version="1.0" encoding="UTF-8"?>
<bean:beans
	xmlns="http://www.springframework.org/schema/security"
	xmlns:bean="http://www.springframework.org/schema/beans"
	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-4.0.xsd">

	<http>
		<headers>
			<frame-options policy="SAMEORIGIN" />
		</headers>
		<intercept-url pattern="/login.*" access="permitAll" />
		<intercept-url pattern="/**"
			access="hasRole('ROLE_BASIC')" />
		<session-management
			session-fixation-protection="none">
			<concurrency-control
				error-if-maximum-exceeded="false" max-sessions="1" />
		</session-management>
		<form-login login-page="/login.shtml"
			default-target-url="/index.shtml" username-parameter="j_username"
			password-parameter="j_password"
			login-processing-url="/j_spring_security_check" />
		<access-denied-handler
			error-page="/common/accessDenied.jsp" />
		<logout logout-url="/logout" />
		<http-basic />
		<custom-filter ref="mySecurityFilter"
			after="FILTER_SECURITY_INTERCEPTOR" />
		<csrf disabled="true" />
	</http>

	<bean:bean id="mySecurityFilter"
		class="com.treasurebox.framework.security.MyFilterSecurityInterceptor">
		<bean:property name="authenticationManager"
			ref="authenticationManager" />
		<bean:property name="accessDecisionManager"
			ref="myAccessDecisionManager" />
		<bean:property name="securityMetadataSource"
			ref="mySecurityMetadataSource" />
	</bean:bean>

	<authentication-manager
		alias="authenticationManager">
		<authentication-provider
			user-service-ref="myUserDetailsService">
			<password-encoder ref="mySecurityPasswordEncoder">
				<salt-source user-property="salt" />
			</password-encoder>
		</authentication-provider>
	</authentication-manager>

	<bean:bean id="messageSource"
		class="org.springframework.context.support.ResourceBundleMessageSource">
		<bean:property name="basenames">
			<bean:list>
				<bean:value>messages_spring_security</bean:value>
			</bean:list>
		</bean:property>
	</bean:bean>

	<!--JCaptcha验证码服务 -->
	<bean:bean id="captchaService"
		class="com.octo.captcha.service.image.DefaultManageableImageCaptchaService">
		<bean:property name="captchaEngine">
			<bean:bean
				class="com.treasurebox.framework.security.GMailEngine" />
		</bean:property>
		<bean:property name="minGuarantedStorageDelayInSeconds"
			value="600" />
	</bean:bean>
</bean:beans>

对比差异

1、xsd升级
2、filters="none"换成access=“permitAll”
3、增加

<headers>
<frame-options policy="SAMEORIGIN" /> 
</headers> 

解决iframe嵌套问题
4、access=“ROLE_BASIC” 换成access=“hasRole(‘ROLE_BASIC’)”
5、form-login增加username-parameter="j_username"和password-parameter=“j_password”
6、private UrlMatcher urlMatcher = new AntUrlPathMatcher();换成

RequestMatcher requestMatcher = new AntPathRequestMatcher(resURL);
			if (requestMatcher
					.matches(((FilterInvocation) obj).getHttpRequest())) {
				return resourceMap.get(resURL);
			}

7、GrantedAuthority auth1 = new SimpleGrantedAuthority(role.getName());

spring-4.0.0 jar包
链接: https://pan.baidu.com/s/18odt2qG9Iq2aVQyjf80iBQ 提取码: fege