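<?xml version="1.0" encoding="UTF-8"?>
<!--
    Spring Security namespace configuration: URL filter chain, form login,
    remember-me cookies, concurrent-session control and method security.

    The listing had lost the whitespace between element names and attributes
    and carried a leading "- " tree-viewer marker on every line, so it was not
    well-formed XML. Both are repaired here; the configuration is unchanged.

    NOTE(review): the schema locations pin the Spring Security 3.0 / Spring 3.0
    XSDs. That release line is long out of support; plan an upgrade.
-->
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
                                 http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                                 http://www.springframework.org/schema/security
                                 http://www.springframework.org/schema/security/spring-security-3.0.xsd">

    <!-- Enables @PreAuthorize / @PostAuthorize style annotations. -->
    <global-method-security pre-post-annotations="enabled"/>

    <!-- entry-point-ref is the handler invoked when an unauthenticated user first requests a protected URL. -->
    <http use-expressions="true" entry-point-ref="authenticationEntryPoint">
        <!-- Handler invoked when access is denied. -->
        <access-denied-handler ref="accessDeniedHandler"/>

        <!--
            URLs that bypass authentication filtering.
            NOTE(review): filters="none" skips the whole security filter chain, so
            nothing under these patterns is authenticated or authorized and no
            security context is available there. Confirm that each prefix serves
            static files only. /fckeditor/** and /common/** deserve a close look:
            an editor's server-side file-manager or upload connector mapped under
            /fckeditor/ would be reachable without login.
        -->
        <intercept-url pattern="/roots/login.jsp" filters="none"/>
        <intercept-url pattern="/css/**" filters="none"/>
        <intercept-url pattern="/common/**" filters="none"/>
        <intercept-url pattern="/images/**" filters="none"/>
        <intercept-url pattern="/scripts/**" filters="none"/>
        <intercept-url pattern="/DatePicker/**" filters="none"/>
        <intercept-url pattern="/fckeditor/**" filters="none"/>

        <!-- Cookie (remember-me) authentication; see the rememberMeServices bean for details. -->
        <remember-me services-ref="rememberMeServices"/>

        <!--
            Add a custom filter. Unlike Acegi, the default filters can no longer be
            modified; this filter sits before FILTER_SECURITY_INTERCEPTOR.
        -->
        <custom-filter position="LOGOUT_FILTER" ref="logoutFilter"/>
        <custom-filter before="FILTER_SECURITY_INTERCEPTOR" ref="myFilter"/>
        <custom-filter position="FORM_LOGIN_FILTER" ref="myAuthFilter"/>

        <!-- Limit the number of concurrent logins per user so one account cannot be shared by several people. -->
        <custom-filter position="CONCURRENT_SESSION_FILTER" ref="concurrencyFilter"/>
        <session-management session-authentication-strategy-ref="sas"/>
    </http>

    <!--
        Authentication manager: the entry point for user authentication.
        Implementing UserDetailsService is the main requirement; several providers
        may be configured.

        NOTE(review): hash="plaintext" means passwords are compared without
        hashing, i.e. the credential store holds clear-text passwords. Moving to a
        salted, adaptive hash requires re-hashing the stored passwords, so it is
        flagged here rather than changed.
        NOTE(review): a password-encoder nested in an authentication-provider that
        uses ref is presumably not applied to the referenced bean (some Spring
        Security releases reject the combination outright); confirm against the
        deployed version. The encoder belongs on the daoAuthenticationProvider bean
        itself, and RememberMeAuthenticationProvider does not check passwords.
    -->
    <authentication-manager alias="authenticationManager">
        <authentication-provider ref="daoAuthenticationProvider">
            <password-encoder hash="plaintext"/>
        </authentication-provider>
        <authentication-provider ref="rememberMeAuthenticationProvider">
            <password-encoder hash="plaintext"/>
        </authentication-provider>
    </authentication-manager>

    <beans:bean id="daoAuthenticationProvider"
                class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
        <beans:property name="userDetailsService" ref="myUserDetailService"/>
    </beans:bean>

    <!--
        A custom filter; it must have the three properties authenticationManager,
        accessDecisionManager and securityMetadataSource. All of our access control
        is implemented in these three classes; see their configuration for details.

        NOTE(review): the http element above declares no access rules of its own,
        so URL authorization depends entirely on this interceptor. If
        MyFilterSecurityInterceptor extends AbstractSecurityInterceptor (as its
        properties suggest), a request for which securityMetadataSource returns no
        attributes is treated as public unless rejectPublicInvocations is true.
        Verify that every protected URL is covered.
    -->
    <beans:bean id="myFilter" class="com.security.MyFilterSecurityInterceptor">
        <beans:property name="authenticationManager" ref="authenticationManager"/>
        <beans:property name="accessDecisionManager" ref="myAccessDecisionManagerBean"/>
        <beans:property name="securityMetadataSource" ref="securityMetadataSource"/>
    </beans:bean>

    <!--
        The three classes below are registered by component scanning.
        <beans:bean id="myUserDetailService"
                    class="com.security.MyUserDetailService"/>

        Access decision manager: decides whether the roles a user holds are
        sufficient to access a resource.
        <beans:bean id="myAccessDecisionManagerBean"
                    class="com.security.MyAccessDecisionManager"></beans:bean>

        Resource metadata definition: defines which roles may access a given resource.
        <beans:bean id="securityMetadataSource"
                    class="com.security.MyInvocationSecurityMetadataSource">
        </beans:bean>
    -->

    <!-- Logout: handles /ss_Loginout, runs the handlers below, then redirects to the login page. -->
    <beans:bean id="logoutFilter"
                class="org.springframework.security.web.authentication.logout.LogoutFilter">
        <beans:constructor-arg value="/roots/login.jsp"/>
        <beans:constructor-arg>
            <beans:list>
                <beans:ref local="rememberMeServices"/>
                <beans:bean
                    class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler"/>
            </beans:list>
        </beans:constructor-arg>
        <beans:property name="filterProcessesUrl" value="/ss_Loginout"/>
    </beans:bean>

    <!--
        NOTE(review): SessionRegistryImpl only learns that a session has ended when
        HttpSessionEventPublisher is registered as a listener in web.xml; that file
        is not visible here, so confirm it. Without it, maximumSessions=1 can lock
        users out after a session times out.
    -->
    <beans:bean id="concurrencyFilter"
                class="org.springframework.security.web.session.ConcurrentSessionFilter">
        <beans:property name="sessionRegistry" ref="sessionRegistry"/>
        <beans:property name="expiredUrl" value="/error/expired.jsp"/>
    </beans:bean>

    <beans:bean id="sas"
                class="org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy">
        <beans:constructor-arg name="sessionRegistry" ref="sessionRegistry"/>
        <beans:property name="maximumSessions" value="1"/>
    </beans:bean>

    <!-- Form-login filter: processes credentials posted to /ss_Login. -->
    <beans:bean id="myAuthFilter"
                class="com.security.fliter.MyUsernamePasswordAuthenticationFilter">
        <beans:property name="sessionAuthenticationStrategy" ref="sas"/>
        <beans:property name="authenticationManager" ref="authenticationManager"/>
        <beans:property name="rememberMeServices" ref="rememberMeServices"/>
        <beans:property name="authenticationFailureHandler" ref="failureHandler"/>
        <beans:property name="authenticationSuccessHandler" ref="successHandler"/>
        <beans:property name="filterProcessesUrl" value="/ss_Login"/>
    </beans:bean>

    <beans:bean id="successHandler"
                class="org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler">
        <beans:property name="defaultTargetUrl" value="/roots/index.jsp"/>
    </beans:bean>

    <beans:bean id="failureHandler"
                class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
        <beans:property name="defaultFailureUrl" value="/roots/login.jsp?error=true"/>
    </beans:bean>

    <beans:bean id="sessionRegistry"
                class="org.springframework.security.core.session.SessionRegistryImpl"/>

    <!--
        rememberMeFilter: this filter configuration is not used; kept for reference.
        <beans:bean id="rememberMeFilter"
                    class="org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter">
            <beans:property name="rememberMeServices" ref="rememberMeServices"/>
            <beans:property name="authenticationManager"
                            ref="authenticationManager"/></beans:bean>
    -->

    <!--
        NOTE(review): "key" is part of the signature of every remember-me cookie
        and is hard-coded here and again in rememberMeAuthenticationProvider. Load
        it from deployment-specific configuration, keep it out of shared or
        published files, and keep the two values identical.
        NOTE(review): alwaysRemember=true issues a remember-me cookie on every
        successful login, whether or not the request carries the parameter named
        below; the cookie is valid for 86400 seconds (24 hours). Confirm this is
        intended alongside the single-session limit.
    -->
    <beans:bean id="rememberMeServices"
                class="org.springframework.security.web.authentication.rememberme.TokenBasedRememberMeServices">
        <beans:property name="userDetailsService" ref="myUserDetailService"/>
        <beans:property name="key" value="springsecurityCookies1"/>
        <beans:property name="alwaysRemember" value="true"/>
        <beans:property name="tokenValiditySeconds" value="86400"/>
        <beans:property name="parameter" value="_spring_security_remember_me"/>
    </beans:bean>

    <beans:bean id="rememberMeAuthenticationProvider"
                class="org.springframework.security.authentication.RememberMeAuthenticationProvider">
        <beans:property name="key" value="springsecurityCookies1"/>
    </beans:bean>

    <!--
        This filter configuration is not used; kept for reference.
        <beans:bean id="exceptionTranslationFilter"
                    class="org.springframework.security.web.access.ExceptionTranslationFilter">
            <beans:property name="authenticationEntryPoint"
                            ref="authenticationEntryPoint"/><beans:property
                name="accessDeniedHandler" ref="accessDeniedHandler"/></beans:bean>
    -->

    <beans:bean id="authenticationEntryPoint"
                class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
        <beans:property name="loginFormUrl" value="/roots/login.jsp"/>
    </beans:bean>

    <beans:bean id="accessDeniedHandler"
                class="org.springframework.security.web.access.AccessDeniedHandlerImpl">
        <beans:property name="errorPage" value="/roots/login.jsp?error=ad"/>
    </beans:bean>

    <!-- The configuration below sets up method-level security. -->
    <beans:bean id="methodSecurityInterceptor"
                class="org.springframework.security.access.intercept.aopalliance.MethodSecurityInterceptor">
        <!--
            NOTE(review): false skips the startup check that every configured
            attribute is supported by the access decision manager, so a
            mis-typed attribute is not caught at startup.
        -->
        <beans:property name="validateConfigAttributes">
            <beans:value>false</beans:value>
        </beans:property>
        <beans:property name="authenticationManager">
            <beans:ref bean="authenticationManager"/>
        </beans:property>
        <beans:property name="accessDecisionManager">
            <beans:ref bean="myAccessDecisionManagerBean"/>
        </beans:property>
        <!-- Permissions are looked up from database configuration; myMethodSecurityMetadataSource extends AbstractMethodSecurityMetadataSource. -->
        <beans:property name="securityMetadataSource" ref="myMethodSecurityMetadataSource"/>
        <!--
            Note: the pattern below configures the doSupervisor method of class
            ISome to require only ROLE_SUPERVISOR.
            <value>
                com.acegi.MethodInterceptionTest.method*=ROLE_ADMIN</value>
            </property>
        -->
    </beans:bean>

    <!--
        Roles are configured in the database; the autoProxyCreator below still
        needs its pointcut configured.
        myMethodSecurityMetadataSource is already registered by component scanning.
    -->
    <beans:bean id="sprintsecurityAutoIntercept"
                class="org.springframework.aop.framework.autoproxy.BeanNameAutoProxyCreator"
                scope="singleton">
        <beans:property name="beanNames">
            <!--
                Names of the beans to intercept; each may be the id of a configured
                bean, several ids separated by commas.
                NOTE(review): with this pattern only beans whose name ends in "test"
                are proxied with methodSecurityInterceptor; other beans get no
                method interception from this creator. Confirm the pattern matches
                the beans that need protection.
            -->
            <beans:value>*test</beans:value>
        </beans:property>
        <!-- The pointcut (interceptors to apply) goes here. -->
        <beans:property name="interceptorNames">
            <beans:list>
                <beans:value>methodSecurityInterceptor</beans:value>
            </beans:list>
        </beans:property>
        <!-- If your class is proxied, e.g. when used within Spring, this property must be set to true. -->
        <beans:property name="proxyTargetClass" value="true"/>
    </beans:bean>

    <!--
        Configuration for receiving security log events.
        <bean id="authenticationLoggerListener"
              class="org.springframework.security.authentication.event.LoggerListener"/>
        <bean id="authorizationLoggerListener"
              class="org.springframework.security.access.event.LoggerListener"/>
    -->
</beans:beans>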
spring security