Error listenerStart 是security.xml中有错误的原因。
security.xml
各种过滤器实战,常用九个如下
一 链之 RememberMeProcessingFilter
1。使用 ,选上remember me后,一旦页面关闭或者服务器重启,还可以记得用户的登陆状态。
<input type="checkbox" id="remember" name="j_remember_me"> Remember me
2.设置 security.xml
<!-- 记住用户登录信息 -->
<bean id="rememberMeFilter" class="org.acegisecurity.ui.rememberme.RememberMeProcessingFilter">
<property name="authenticationManager" ref="authenticationManager" />
<property name="rememberMeServices" ref="rememberMeServices" />
</bean>
<bean id="rememberMeServices" class="org.acegisecurity.ui.rememberme.TokenBasedRememberMeServices">
<property name="userDetailsService" ref="userDetailsService" />
<property name="parameter" value="j_remember_me" /> <!--与多选框名字相同-->
<property name="key" value="remember_Me" />
<property name="tokenValiditySeconds" value="31536000" /> <!--记住多长时间 ,这里是一年-->
登陆,登出中 <property name="rememberMeServices" ref="rememberMeServices" />
</bean>
<bean id="authenticationManager" class="org.acegisecurity.providers.ProviderManager">
<property name="providers">
<list>
<ref bean="rememberMeAuthenticationProvider" />
</list>
</property>
</bean>
<bean id="rememberMeAuthenticationProvider"
class="org.acegisecurity.providers.rememberme.RememberMeAuthenticationProvider">
<property name="key" value="remember_Me" />
</bean>
二 链之 RememberMeProcessingFilter 安全拦截器
<!-- 基于URL的安全拦截器 -->
<bean id="securityInterceptor"
class="org.acegisecurity.intercept.web.FilterSecurityInterceptor">
<property name="authenticationManager" ref="authenticationManager" />
<property name="accessDecisionManager" ref="accessDecisionManager" />
<property name="objectDefinitionSource">
<value>
CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
PATTERN_TYPE_APACHE_ANT
/admin/**=ROLE_ADMIN <!-- 对admin目录只有Role_admin的角色可以访问-->
/user/**=ROLE_USER
</value>
</property>
</bean>
三。 链之 authenticationProcessingFilter 登陆验证
1.login.jsp
<%
String error = request.getParameter("login_error");
if(error!=null) {
out.println("<p><font color=/"red/">");
out.println(error);
out.println("</font></p>");
}
%>
<form action="j_login.do" method="POST">
Username: <input type="text" name="j_username" />
Password: <input type="password" name="j_password">
<input name="submit" type="submit" value="Login">
</form>
<!-- 验证用户身份 -->
<bean id="authenticationProcessingFilter"
class="org.acegisecurity.ui.webapp.AuthenticationProcessingFilter">
<property name="authenticationManager" ref="authenticationManager" />
<property name="authenticationFailureUrl" value="/login.jsp?login_error=Login%20failed." /> <!-- 失败后跳转页-->
<property name="defaultTargetUrl" value="/helloWorld.jsp" /> <!-- 成功后跳转页-->
<property name="filterProcessesUrl" value="/j_login.do" /> <!-- 重点,与action一致-->
</bean>
四。 链之 logoutFilter
<a href="j_logout.do">logout</a></p>
<bean id="logoutFilter" class="org.acegisecurity.ui.logout.LogoutFilter">
<!-- URL redirected to after logout登出后的指向页面 -->
<constructor-arg value="/helloWorld.jsp" />
<constructor-arg>
<list>
<ref bean="rememberMeServices" /> <!-- 登出后就不再记住用户的登陆了-->
<bean class="org.acegisecurity.ui.logout.SecurityContextLogoutHandler" />
</list>
</constructor-arg>
<property name="filterProcessesUrl" value="/j_logout.do" /><!-- 重点,要一致-->
</bean>
五 链之 exceptionFilter,如果用户未能被认证,AuthenticationException就会被抛出;
即使用户成功地通过了身份验证,他们仍可能不被授予访问某些受保护页面所必需的权限。这样,AcessDeniedException就会被抛出。
<!-- 处理登录异常或权限异常的Filter -->
<bean id="exceptionFilter" class="org.acegisecurity.ui.ExceptionTranslationFilter">
<!-- 出现AuthenticationException时的登录入口 -->
<property name="authenticationEntryPoint">
<bean class="org.acegisecurity.ui.webapp.AuthenticationProcessingFilterEntryPoint">
<property name="loginFormUrl" value="/login.jsp" />
<property name="forceHttps" value="false" /><!--为true,login.jsp页面会通过Https安全地进行显示-->
</bean>
</property>
<!-- 出现AccessDeniedException时的Handler -->
<property name="accessDeniedHandler">
<bean class="org.acegisecurity.ui.AccessDeniedHandlerImpl" />
<!-- 可选属性: property name="errorPage" value="/denied.html" -->
</property>
</bean>
六 链之 HttpSessionContextIntegrationFilter , 不知道有什么用处哪????
<!-- 从Session中获得用户信息并放入SecurityContextHolder -->
<bean id="httpSessionContextIntegrationFilter"
class="org.acegisecurity.context.HttpSessionContextIntegrationFilter" />
————————————————————————————————————
<!-- 过滤器链-->
<bean id="filterChainProxy" class="org.acegisecurity.util.FilterChainProxy">
<property name="filterInvocationDefinitionSource">
<value>
CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
PATTERN_TYPE_APACHE_ANT
/**=channelProcessingFilter
ConcurrentSessionFilter .................
httpSessionContextIntegrationFilter,
logoutFilter,
authenticationProcessingFilter,
rememberMeFilter,
AnonymousProcessingFilter,.................
exceptionFilter
,securityInterceptor
</value>
</property>
</bean>
<!-- 认证管理器--> <bean id="authenticationManager" class="org.acegisecurity.providers.ProviderManager"> <property name="providers"> <list> <ref bean="daoAuthenticationProvider" /> </list> </property> </bean> <!-- 基于DAO验证的AuthenticationProvider --> <bean id="daoAuthenticationProvider" class="org.acegisecurity.providers.dao.DaoAuthenticationProvider"> <property name="userDetailsService" ref="userDetailsService" /> </bean> <!-- 使用内存DAO,实际应用时可用JdbcDao代替 --> <bean id="userDetailsService" class="org.acegisecurity.userdetails.memory.InMemoryDaoImpl"> <property name="userMap"> <value> admin=password,enabled,ROLE_ADMIN,ROLE_USER test=test,enabled,ROLE_USER guest=guest,disabled,ROLE_USER </value> </property> </bean>
<!-- 决策管理器-->
<bean id="accessDecisionManager"
class="org.acegisecurity.vote.AffirmativeBased">
<property name="decisionVoters">
<list>
<bean class="org.acegisecurity.vote.RoleVoter" />
</list>
</property>
<property name="allowIfAllAbstainDecisions" value="false" />
</bean>
附件:spring的光盘/source/10Acegi/Spring_Acegi
补记:七 链之channelProcessingfilter 通道,
login.jsp=REQUIRES_SECURE_CHANNEL 有安全映射的,表明login.jsp应该通过HTTPS进行发送.
即跳到https://127.0.0.1:8443/ssh/login.jsp ,但是为什么显示出错???????是要上网吗?
<bean id="channelProcessingFilter"
class="org.acegisecurity.securechannel.ChannelProcessingFilter">
<property name="filterInvocationDefinitionSource">
<value>
CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
PATTERN_TYPE_APACHE_ANT
/login.jsp=REQUIRES_SECURE_CHANNEL
/**=REQUIRES_INSECURE_CHANNEL
</value>
</property>
<property name="channelDecisionManager"
ref="channelDecisionManager">
</property>
</bean>
<bean id="channelDecisionManager"
class="org.acegisecurity.securechannel.ChannelDecisionManagerImpl">
<property name="channelProcessors">
<list>
<bean
class="org.acegisecurity.securechannel.SecureChannelProcessor" />
<bean
class="org.acegisecurity.securechannel.InsecureChannelProcessor" />
</list>
</property>
</bean>