<!-- Business service bean. Its class lives in com.test.security.service, the
package targeted by the protect-pointcut expressions in this configuration. -->
<beans:bean id="helloService"
class="com.test.security.service.HelloServiceImpl" />
<!-- Custom i18n message source. The basename already carries the zh_CN locale
suffix, so the message_zh_CN bundle on the classpath is the base bundle for
every request locale. -->
<beans:bean id="messageSource"
class="org.springframework.context.support.ReloadableResourceBundleMessageSource">
<beans:property name="basename" value="classpath:message_zh_CN" />
</beans:bean>
<!--
Alternative (disabled): annotation-driven method security.
<global-method-security secured-annotations="enabled"
jsr250-annotations="enabled" />
-->
<!-- Method security applied through AOP pointcut expressions.
Order matters: the first protect-pointcut whose expression matches a method is
the one used, so the specific sayHello rule must stay ahead of the broader say*
rule. Reversing them would leave sayHello callable by ROLE_ADMIN alone.
Pointcuts only protect beans declared in the same application context as this
element. -->
<global-method-security>
<!-- sayHello on any class in com.test.security.service: ROLE_USER or ROLE_ADMIN may call it -->
<protect-pointcut access="ROLE_USER,ROLE_ADMIN"
expression="execution(* com.test.security.service.*.sayHello(..))" />
<!--
Expression syntax: the first * is the return type (any), the second * is the class (any).
Full meaning: ROLE_ADMIN may call any method whose name starts with "say", on any class in
the com.test.security.service package, with any parameter types and any return type.
-->
<protect-pointcut access="ROLE_ADMIN"
expression="execution(* com.test.security.service.*.say*(..))" />
</global-method-security>
<!-- The login page is excluded from interception: security="none" removes the
whole Spring Security filter chain for URLs matching /login.jsp*, so no
SecurityContext or other filter-provided protection is available on that page.
Keeping the page inside the main http element with
access="IS_AUTHENTICATED_ANONYMOUSLY" is the usual alternative when those
filters are needed. -->
<http pattern="/login.jsp*" security="none" />
<!-- Main web security chain. auto-config="true" registers the default form
login, HTTP Basic and logout handling; HTTP Basic is therefore enabled even
though it is not listed below. Authenticated users who lack the required role
are sent to /accessDenied.jsp (newer Spring Security versions replace the
access-denied-page attribute with the access-denied-handler child element). -->
<http auto-config="true" access-denied-page="/accessDenied.jsp">
<!-- Custom login page -->
<form-login login-page="/login.jsp" />
<!-- After logout the browser is redirected back to the login page -->
<logout logout-success-url="/login.jsp" />
<!--
Alternative (disabled): explicit logout URL that also deletes the session cookie.
<logout logout-url="/j_spring_security_logout" delete-cookies="JSESSIONID" logout-success-url="/login.jsp"/>
-->
<!-- URL rules are checked top to bottom and the first matching pattern wins,
so the catch-all /** must remain last. With the default access decision
manager, any one role from a comma-separated list is sufficient. -->
<intercept-url pattern="/servlet/*" access="ROLE_ADMIN,ROLE_USER" />
<intercept-url pattern="/index.jsp" access="ROLE_ADMIN,ROLE_USER" />
<!-- NOTE(review): this page is also the invalid-session-url below. A request
arriving after session expiry is anonymous, so it will presumably be sent on to
the login page instead of seeing the timeout message; confirm that is intended. -->
<intercept-url pattern="/sessionTimeout.jsp" access="ROLE_ADMIN,ROLE_USER" />
<intercept-url pattern="/admin.jsp" access="ROLE_ADMIN" />
<!-- NOTE(review): the "admin" account in this file's user-service holds only
ROLE_ADMIN, so it is denied on every URL that falls through to this rule. -->
<intercept-url pattern="/**" access="ROLE_USER" />
<!-- Session management: one session per account. Because
error-if-maximum-exceeded is true, a second login is rejected while the first
session is still registered (the earlier session is not expired).
NOTE(review): this relies on
org.springframework.security.web.session.HttpSessionEventPublisher being
registered as a listener in web.xml so that ended sessions are released;
web.xml is not shown here, so verify it. Without the listener a user whose
session timed out cannot log in again. -->
<session-management invalid-session-url="/sessionTimeout.jsp">
<concurrency-control max-sessions="1"
error-if-maximum-exceeded="true" />
</session-management>
</http>
<!-- In-memory authentication with two demo accounts. Each password equals its
username and is stored in plaintext in this file, so this block is suitable for
a local demo only. Before real use, move accounts to an external user store,
use strong unique passwords, and store them with a salted adaptive hash such as
bcrypt. -->
<authentication-manager>
<authentication-provider>
<!-- Disabled MD5 encoder kept from the original. MD5 is a fast unsalted hash
and should not be re-enabled for password storage. -->
<!--<password-encoder hash="md5" /> -->
<user-service>
<user name="user" password="user" authorities="ROLE_USER" />
<!-- admin holds ROLE_ADMIN only, not ROLE_USER -->
<user name="admin" password="admin" authorities="ROLE_ADMIN" />
</user-service>
</authentication-provider>
</authentication-manager>
<!-- Business service bean. Its class lives in com.test.security.service, the
package targeted by the protect-pointcut expressions in this configuration.
NOTE(review): from this bean onward the listing repeats the configuration that
appears earlier on the page. If both copies end up in one XML file, Spring
rejects the duplicate bean id, so keep only one copy. -->
<beans:bean id="helloService"
class="com.test.security.service.HelloServiceImpl" />
<!-- Custom i18n message source. The basename already carries the zh_CN locale
suffix, so the message_zh_CN bundle on the classpath is the base bundle for
every request locale. -->
<beans:bean id="messageSource"
class="org.springframework.context.support.ReloadableResourceBundleMessageSource">
<beans:property name="basename" value="classpath:message_zh_CN" />
</beans:bean>
<!--
Alternative (disabled): annotation-driven method security.
<global-method-security secured-annotations="enabled"
jsr250-annotations="enabled" />
-->
<!-- Method security applied through AOP pointcut expressions.
Order matters: the first protect-pointcut whose expression matches a method is
the one used, so the specific sayHello rule must stay ahead of the broader say*
rule. Reversing them would leave sayHello callable by ROLE_ADMIN alone.
Pointcuts only protect beans declared in the same application context as this
element. -->
<global-method-security>
<!-- sayHello on any class in com.test.security.service: ROLE_USER or ROLE_ADMIN may call it -->
<protect-pointcut access="ROLE_USER,ROLE_ADMIN"
expression="execution(* com.test.security.service.*.sayHello(..))" />
<!--
Expression syntax: the first * is the return type (any), the second * is the class (any).
Full meaning: ROLE_ADMIN may call any method whose name starts with "say", on any class in
the com.test.security.service package, with any parameter types and any return type.
-->
<protect-pointcut access="ROLE_ADMIN"
expression="execution(* com.test.security.service.*.say*(..))" />
</global-method-security>
<!-- The login page is excluded from interception: security="none" removes the
whole Spring Security filter chain for URLs matching /login.jsp*, so no
SecurityContext or other filter-provided protection is available on that page.
Keeping the page inside the main http element with
access="IS_AUTHENTICATED_ANONYMOUSLY" is the usual alternative when those
filters are needed. -->
<http pattern="/login.jsp*" security="none" />
<!-- Main web security chain. auto-config="true" registers the default form
login, HTTP Basic and logout handling; HTTP Basic is therefore enabled even
though it is not listed below. Authenticated users who lack the required role
are sent to /accessDenied.jsp (newer Spring Security versions replace the
access-denied-page attribute with the access-denied-handler child element). -->
<http auto-config="true" access-denied-page="/accessDenied.jsp">
<!-- Custom login page -->
<form-login login-page="/login.jsp" />
<!-- After logout the browser is redirected back to the login page -->
<logout logout-success-url="/login.jsp" />
<!--
Alternative (disabled): explicit logout URL that also deletes the session cookie.
<logout logout-url="/j_spring_security_logout" delete-cookies="JSESSIONID" logout-success-url="/login.jsp"/>
-->
<!-- URL rules are checked top to bottom and the first matching pattern wins,
so the catch-all /** must remain last. With the default access decision
manager, any one role from a comma-separated list is sufficient. -->
<intercept-url pattern="/servlet/*" access="ROLE_ADMIN,ROLE_USER" />
<intercept-url pattern="/index.jsp" access="ROLE_ADMIN,ROLE_USER" />
<!-- NOTE(review): this page is also the invalid-session-url below. A request
arriving after session expiry is anonymous, so it will presumably be sent on to
the login page instead of seeing the timeout message; confirm that is intended. -->
<intercept-url pattern="/sessionTimeout.jsp" access="ROLE_ADMIN,ROLE_USER" />
<intercept-url pattern="/admin.jsp" access="ROLE_ADMIN" />
<!-- NOTE(review): the "admin" account in this file's user-service holds only
ROLE_ADMIN, so it is denied on every URL that falls through to this rule. -->
<intercept-url pattern="/**" access="ROLE_USER" />
<!-- Session management: one session per account. Because
error-if-maximum-exceeded is true, a second login is rejected while the first
session is still registered (the earlier session is not expired).
NOTE(review): this relies on
org.springframework.security.web.session.HttpSessionEventPublisher being
registered as a listener in web.xml so that ended sessions are released;
web.xml is not shown here, so verify it. Without the listener a user whose
session timed out cannot log in again. -->
<session-management invalid-session-url="/sessionTimeout.jsp">
<concurrency-control max-sessions="1"
error-if-maximum-exceeded="true" />
</session-management>
</http>
<!-- In-memory authentication with two demo accounts. Each password equals its
username and is stored in plaintext in this file, so this block is suitable for
a local demo only. Before real use, move accounts to an external user store,
use strong unique passwords, and store them with a salted adaptive hash such as
bcrypt. -->
<authentication-manager>
<authentication-provider>
<!-- Disabled MD5 encoder kept from the original. MD5 is a fast unsalted hash
and should not be re-enabled for password storage. -->
<!--<password-encoder hash="md5" /> -->
<user-service>
<user name="user" password="user" authorities="ROLE_USER" />
<!-- admin holds ROLE_ADMIN only, not ROLE_USER -->
<user name="admin" password="admin" authorities="ROLE_ADMIN" />
</user-service>
</authentication-provider>
</authentication-manager>