applicationContext-security.xml 配置文件（先是 Spring Security 3.0 版本，随后是升级到 4.0 之后的版本）
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:p="http://www.springframework.org/schema/p" xmlns:sec="http://www.springframework.org/schema/security"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd">
<!-- Web security filter chain, written against the Spring Security 3.0 schema. -->
<sec:http>
<!-- filters="none" removes /login.* from the security filter chain altogether: these URLs get no SecurityContext and none of the chain's other protections. -->
<sec:intercept-url pattern="/login.*" filters="none" />
<!-- Every other URL requires the ROLE_BASIC authority. -->
<sec:intercept-url pattern="/**" access="ROLE_BASIC" />
<!-- NOTE(review): session-fixation-protection="none" keeps the pre-login session id after authentication, so an id known to a third party before login stays valid afterwards. The schema default (migrateSession) issues a new session on login; confirm whether anything really depends on the id staying the same. -->
<sec:session-management session-fixation-protection="none">
<!-- At most one session per user; with error-if-maximum-exceeded="false" a newer login expires the older session instead of being refused. NOTE(review): concurrency control normally relies on HttpSessionEventPublisher being registered in web.xml, which is not visible here; verify. -->
<sec:concurrency-control error-if-maximum-exceeded="false" max-sessions="1" />
</sec:session-management>
<!-- Form login page; always-use-default-target="true" sends every successful login to /index.shtml and ignores the originally requested URL. -->
<sec:form-login login-page="/login.shtml" default-target-url="/index.shtml" always-use-default-target="true" />
<!-- Page shown when an authenticated user lacks the required authority. -->
<sec:access-denied-handler error-page="/common/accessDenied.jsp" />
<sec:logout logout-url="/logout" />
<!-- NOTE(review): HTTP Basic is enabled in addition to form login. Basic sends the credentials with every request, so it should only be reachable over TLS; drop it if only the form login is used. -->
<sec:http-basic />
<!-- The project's own interceptor runs after the built-in FilterSecurityInterceptor, so a request first has to satisfy the ROLE_BASIC rule above and is then checked by mySecurityFilter (presumably a per-URL authorization check; its code is not shown here). -->
<sec:custom-filter ref="mySecurityFilter" after="FILTER_SECURITY_INTERCEPTOR" />
</sec:http>
<!-- Project-specific security interceptor, plugged into the filter chain through sec:custom-filter. Its three collaborators are injected by bean id: authenticationManager is the alias declared on sec:authentication-manager in this file; myAccessDecisionManager and mySecurityMetadataSource are not defined in this file (presumably declared elsewhere or component-scanned; verify). -->
<bean id="mySecurityFilter" class="com.treasurebox.framework.security.MyFilterSecurityInterceptor">
<property name="authenticationManager" ref="authenticationManager" />
<property name="accessDecisionManager" ref="myAccessDecisionManager" />
<property name="securityMetadataSource" ref="mySecurityMetadataSource" />
</bean>
<!-- Authentication manager, exposed under the alias authenticationManager so other beans can reference it. Users are loaded through the myUserDetailsService bean (not defined in this file). -->
<sec:authentication-manager alias="authenticationManager">
<sec:authentication-provider user-service-ref="myUserDetailsService">
<!-- Passwords are checked with the mySecurityPasswordEncoder bean (not defined in this file). NOTE(review): the hash algorithm is decided entirely by that bean; confirm it is an adaptive password hash and not a single round of salted MD5/SHA. -->
<sec:password-encoder ref="mySecurityPasswordEncoder">
<!-- The per-user salt is read from the "salt" property of the loaded UserDetails object. -->
<sec:salt-source user-property="salt" />
</sec:password-encoder>
</sec:authentication-provider>
</sec:authentication-manager>
<!-- Message bundle lookup: resolves messages from the messages_spring_security resource bundle (presumably the localized Spring Security error messages; the bundle itself is not shown). -->
<bean id="messageSource" class="org.springframework.context.support.ResourceBundleMessageSource">
<property name="basenames">
<list>
<value>messages_spring_security</value>
</list>
</property>
</bean>
<!-- JCaptcha image CAPTCHA service. The challenge images come from the project's GMailEngine class (not shown here). -->
<bean id="captchaService" class="com.octo.captcha.service.image.DefaultManageableImageCaptchaService">
<property name="captchaEngine">
<bean class="com.treasurebox.framework.security.GMailEngine" />
</property>
<!-- 600 seconds; judging by the property name this is the minimum time a generated captcha is kept in the store. The spelling "Guaranted" is the property name as configured and must stay as written for the injection to work. -->
<property name="minGuarantedStorageDelayInSeconds" value="600" />
</bean>
</beans>
<?xml version="1.0" encoding="UTF-8"?>
<bean:beans
xmlns="http://www.springframework.org/schema/security"
xmlns:bean="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-4.0.xsd">
<!-- Web security filter chain after the upgrade, written against the Spring Security 4.0 schema (security is the default namespace, bean elements carry the bean: prefix). -->
<http>
<!-- Sends X-Frame-Options: SAMEORIGIN, so pages may only be framed by the same origin. The 4.0 header defaults deny framing altogether; per the notes on this page this setting was added to get the application's own iframes working again. -->
<headers>
<frame-options policy="SAMEORIGIN" />
</headers>
<!-- permitAll lets anyone reach /login.*, but unlike filters="none" the request still passes through the security filter chain. -->
<intercept-url pattern="/login.*" access="permitAll" />
<!-- Every other URL requires ROLE_BASIC; access values are expressions by default in 4.0. -->
<intercept-url pattern="/**"
access="hasRole('ROLE_BASIC')" />
<!-- NOTE(review): session-fixation-protection="none" keeps the pre-login session id after authentication, so an id known to a third party before login stays valid afterwards. Leaving the attribute out gives the safer default (a new session id on login); confirm whether anything really depends on the id staying the same. -->
<session-management
session-fixation-protection="none">
<!-- At most one session per user; with error-if-maximum-exceeded="false" a newer login expires the older session instead of being refused. NOTE(review): concurrency control normally relies on HttpSessionEventPublisher being registered in web.xml, which is not visible here; verify. -->
<concurrency-control
error-if-maximum-exceeded="false" max-sessions="1" />
</session-management>
<!-- Keeps the 3.x parameter names and processing URL explicitly, because the 4.0 defaults differ. Unlike the 3.0 configuration on this page, always-use-default-target is not set here, so /index.shtml is only used when there is no saved request to return to. -->
<form-login login-page="/login.shtml"
default-target-url="/index.shtml" username-parameter="j_username"
password-parameter="j_password"
login-processing-url="/j_spring_security_check" />
<!-- Page shown when an authenticated user lacks the required authority. -->
<access-denied-handler
error-page="/common/accessDenied.jsp" />
<logout logout-url="/logout" />
<!-- NOTE(review): HTTP Basic is enabled in addition to form login. Basic sends the credentials with every request, so it should only be reachable over TLS; drop it if only the form login is used. -->
<http-basic />
<!-- The project's own interceptor runs after the built-in FilterSecurityInterceptor, so a request first has to satisfy the ROLE_BASIC rule above and is then checked by mySecurityFilter (presumably a per-URL authorization check; its code is not shown here). -->
<custom-filter ref="mySecurityFilter"
after="FILTER_SECURITY_INTERCEPTOR" />
<!-- NOTE(review): CSRF protection is on by default with the 4.0 schema and is switched off here, which leaves state-changing requests (logout included) without a token check. The safer migration is to keep it enabled and add the _csrf token to forms and AJAX calls; confirm why it was disabled. -->
<csrf disabled="true" />
</http>
<!-- Project-specific security interceptor, plugged into the filter chain through custom-filter. Its three collaborators are injected by bean id: authenticationManager is the alias declared on authentication-manager in this file; myAccessDecisionManager and mySecurityMetadataSource are not defined in this file (presumably declared elsewhere or component-scanned; verify). -->
<bean:bean id="mySecurityFilter"
class="com.treasurebox.framework.security.MyFilterSecurityInterceptor">
<bean:property name="authenticationManager"
ref="authenticationManager" />
<bean:property name="accessDecisionManager"
ref="myAccessDecisionManager" />
<bean:property name="securityMetadataSource"
ref="mySecurityMetadataSource" />
</bean:bean>
<!-- Authentication manager, exposed under the alias authenticationManager so other beans can reference it. Users are loaded through the myUserDetailsService bean (not defined in this file). -->
<authentication-manager
alias="authenticationManager">
<authentication-provider
user-service-ref="myUserDetailsService">
<!-- Passwords are checked with the mySecurityPasswordEncoder bean (not defined in this file). NOTE(review): the hash algorithm is decided entirely by that bean; confirm it is an adaptive password hash and not a single round of salted MD5/SHA. -->
<password-encoder ref="mySecurityPasswordEncoder">
<!-- The per-user salt is read from the "salt" property of the loaded UserDetails object. -->
<salt-source user-property="salt" />
</password-encoder>
</authentication-provider>
</authentication-manager>
<!-- Message bundle lookup: resolves messages from the messages_spring_security resource bundle (presumably the localized Spring Security error messages; the bundle itself is not shown). -->
<bean:bean id="messageSource"
class="org.springframework.context.support.ResourceBundleMessageSource">
<bean:property name="basenames">
<bean:list>
<bean:value>messages_spring_security</bean:value>
</bean:list>
</bean:property>
</bean:bean>
<!-- JCaptcha image CAPTCHA service. The challenge images come from the project's GMailEngine class (not shown here). -->
<bean:bean id="captchaService"
class="com.octo.captcha.service.image.DefaultManageableImageCaptchaService">
<bean:property name="captchaEngine">
<bean:bean
class="com.treasurebox.framework.security.GMailEngine" />
</bean:property>
<!-- 600 seconds; judging by the property name this is the minimum time a generated captcha is kept in the store. The spelling "Guaranted" is the property name as configured and must stay as written for the injection to work. -->
<bean:property name="minGuarantedStorageDelayInSeconds"
value="600" />
</bean:bean>
</bean:beans>
对比差异
1、xsd升级
2、filters="none"换成access="permitAll"（新版本不再支持 filters="none"；注意 permitAll 的请求仍然会经过安全过滤器链，只是不要求登录）
3、增加
<headers>
<frame-options policy="SAMEORIGIN" />
</headers>
解决iframe嵌套问题
4、access="ROLE_BASIC" 换成access="hasRole('ROLE_BASIC')"
5、form-login增加username-parameter="j_username"和password-parameter="j_password"
6、private UrlMatcher urlMatcher = new AntUrlPathMatcher();换成
RequestMatcher requestMatcher = new AntPathRequestMatcher(resURL);
if (requestMatcher
.matches(((FilterInvocation) obj).getHttpRequest())) {
return resourceMap.get(resURL);
}
7、GrantedAuthority auth1 = new SimpleGrantedAuthority(role.getName());
spring-4.0.0 jar包（网盘文件的来源和完整性无法验证，建议优先通过 Maven/Gradle 从官方仓库获取依赖，并核对校验和）
链接: https://pan.baidu.com/s/18odt2qG9Iq2aVQyjf80iBQ 提取码: fege