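<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:aop="http://www.springframework.org/schema/aop"
       xmlns:security="http://www.springframework.org/schema/security"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans-4.0.xsd
                           http://www.springframework.org/schema/aop
                           http://www.springframework.org/schema/aop/spring-aop-4.0.xsd
                           http://www.springframework.org/schema/security
                           http://www.springframework.org/schema/security/spring-security.xsd">

    <!--
        Hand-assembled Spring Security configuration: the FilterChainProxy is wired bean by
        bean instead of through <security:http>, and method-level authorization is applied
        with an AOP advisor at the bottom of the file. The only bean referenced here but not
        defined in this file is "dataSource".

        Changes versus the previous revision (behaviour of the running chain is unchanged):
          - the anonymous key and the remember-me key were each spelled out twice, in a
            filter/services bean and in its matching provider bean, and the two copies must
            be identical for authentication to succeed; each key is now a single String bean
            referenced from both places (anonymousKey, rememberMeKey).
          - non-English comments translated; reviewer notes added where a setting is
            security-relevant.
    -->

    <!--
        Request-to-chain map, evaluated top to bottom with Ant patterns.
        filters="none" skips the entire chain for a match: no SecurityContext is loaded, the
        CsrfFilter does not run and no session management applies. The root-level .html
        exemption is what lets the /logout.html, /expire.html and /accessDenied.html targets
        used further down render without authentication, so nothing sensitive should ever be
        served as /*.html.
    -->
    <bean id="springSecurityFilterChain" class="org.springframework.security.web.FilterChainProxy">
        <security:filter-chain-map request-matcher="ant">
            <security:filter-chain pattern="/resources/**" filters="none" />
            <security:filter-chain pattern="/*.html" filters="none" />
            <!-- Order is significant: the context is loaded first, authorization is decided last. -->
            <security:filter-chain pattern="/**" filters="
                securityContextPersistenceFilter,
                concurrentSessionFilter,
                webAsyncManagerIntegrationFilter,
                csrfFilter,
                logoutFilter,
                usernamePasswordAuthenticationFilter,
                basicAuthenticationFilter,
                requestCacheAwareFilter,
                securityContextHolderAwareRequestFilter,
                rememberMeAuthenticationFilter,
                anonymousAuthenticationFilter,
                sessionManagementFilter,
                exceptionTranslationFilter,
                filterSecurityInterceptor
            " />
        </security:filter-chain-map>
    </bean>

    <!-- SecurityContextPersistenceFilter: loads/stores the SecurityContext in the HTTP session. -->
    <bean id="securityContextPersistenceFilter"
          class="org.springframework.security.web.context.SecurityContextPersistenceFilter">
        <constructor-arg ref="securityContextRepository" />
        <!-- Sessions are created lazily, only when something needs to be stored. -->
        <property name="forceEagerSessionCreation" value="false" />
    </bean>

    <bean id="securityContextRepository"
          class="org.springframework.security.web.context.HttpSessionSecurityContextRepository">
        <property name="allowSessionCreation" value="true" />
        <!-- Keeps the session id out of rewritten URLs (cookie-only session tracking). -->
        <property name="disableUrlRewriting" value="true" />
    </bean>

    <!--
        CsrfFilter: token kept in the HTTP session. No requireCsrfProtectionMatcher is set, so
        the filter's default matcher applies, which exempts GET/HEAD/TRACE/OPTIONS.
    -->
    <bean id="csrfFilter" class="org.springframework.security.web.csrf.CsrfFilter">
        <constructor-arg ref="httpSessionCsrfTokenRepository" />
        <property name="accessDeniedHandler" ref="accessDeniedHandler" />
    </bean>

    <bean id="httpSessionCsrfTokenRepository"
          class="org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository" />

    <!-- UsernamePasswordAuthenticationFilter: form login, POST /login only (see matcher below). -->
    <bean id="usernamePasswordAuthenticationFilter"
          class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
        <property name="authenticationManager" ref="authenticationManager" />
        <property name="usernameParameter" value="username" />
        <property name="passwordParameter" value="password" />
        <property name="rememberMeServices" ref="persistentTokenBasedRememberMeServices" />
        <!-- Runs CSRF token rotation, concurrency control, fixation protection and registry update on login. -->
        <property name="sessionAuthenticationStrategy" ref="compositeSessionAuthenticationStrategy" />
        <property name="authenticationSuccessHandler" ref="savedRequestAwareAuthenticationSuccessHandler" />
        <property name="authenticationFailureHandler" ref="simpleUrlAuthenticationFailureHandler" />
        <property name="requiresAuthenticationRequestMatcher" ref="authenticationFilterProcessUrlRequestMatcher" />
        <property name="allowSessionCreation" value="true" />
    </bean>

    <!-- After login, return to the request saved before the redirect to the login page, else /welcome.jsp. -->
    <bean id="savedRequestAwareAuthenticationSuccessHandler"
          class="org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler">
        <property name="requestCache" ref="httpSessionRequestCache" />
        <property name="defaultTargetUrl" value="/welcome.jsp" />
    </bean>

    <!-- Shared by the login filter and the SessionManagementFilter. -->
    <bean id="simpleUrlAuthenticationFailureHandler"
          class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
        <constructor-arg value="/login.jsp?error" />
        <property name="allowSessionCreation" value="true" />
    </bean>

    <!-- Login is only attempted for POST /login; a GET to /login falls through the chain. -->
    <bean id="authenticationFilterProcessUrlRequestMatcher"
          class="org.springframework.security.web.util.matcher.AntPathRequestMatcher">
        <constructor-arg value="/login" />
        <constructor-arg value="POST" />
    </bean>

    <!--
        AnonymousAuthenticationFilter / AnonymousAuthenticationProvider share one key, so the
        anonymous token produced by the filter is accepted by the provider. The key is defined
        once here and referenced from both beans. The value is the one previously duplicated
        in this file; it is checked in as a literal and would be better supplied per
        deployment from an external property.
    -->
    <bean id="anonymousKey" class="java.lang.String">
        <constructor-arg value="BF93JFJ091N00Q7HF" />
    </bean>

    <bean id="anonymousAuthenticationFilter"
          class="org.springframework.security.web.authentication.AnonymousAuthenticationFilter">
        <constructor-arg ref="anonymousKey" />
    </bean>

    <bean id="anonymousAuthenticationProvider"
          class="org.springframework.security.authentication.AnonymousAuthenticationProvider">
        <constructor-arg type="java.lang.String" ref="anonymousKey" />
    </bean>

    <!--
        FilterSecurityInterceptor: URL authorization. The metadata source is the project's
        database-backed implementation; the static intercept-url block it replaced is kept
        below, commented out, as a record of the intended rules.
    -->
    <bean id="filterSecurityInterceptor"
          class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor">
        <property name="authenticationManager" ref="authenticationManager" />
        <property name="accessDecisionManager" ref="affirmativeBased" />
        <property name="securityMetadataSource" ref="securityMetadataSource" />
        <!--
        <property name="securityMetadataSource">
            <security:filter-security-metadata-source use-expressions="true">
                <security:intercept-url pattern="/*.html" access="permitAll" />
                <security:intercept-url pattern="/login.jsp*" access="permitAll" />
                <security:intercept-url pattern="/login*" access="permitAll" />
                <security:intercept-url pattern="/security/**" access="hasRole('ROLE_ADMIN')" />
                <security:intercept-url pattern="/**" access="hasRole('ROLE_USER')" />
            </security:filter-security-metadata-source>
        </property>
        -->
    </bean>

    <!-- Project class; presumably maps URL patterns to required authorities read via resourceRepository. -->
    <bean id="securityMetadataSource"
          class="com.jaeson.springstudy.security.URLFilterInvocationSecurityMetadataSource">
        <property name="resourceRepository" ref="resourceRepository" />
    </bean>

    <bean id="resourceRepository" class="com.jaeson.springstudy.security.ResourceRepository">
        <property name="dataSource" ref="dataSource" />
    </bean>

    <!-- Web authorization: one voter granting access is enough (expression, role or authenticated). -->
    <bean id="affirmativeBased" class="org.springframework.security.access.vote.AffirmativeBased">
        <constructor-arg type="java.util.List">
            <list>
                <ref bean="expressionVoter" />
                <ref bean="roleVoter" />
                <ref bean="authenticatedVoter" />
            </list>
        </constructor-arg>
    </bean>

    <bean id="roleVoter" class="org.springframework.security.access.vote.RoleVoter" />

    <bean id="authenticatedVoter" class="org.springframework.security.access.vote.AuthenticatedVoter" />

    <bean id="expressionVoter"
          class="org.springframework.security.web.access.expression.WebExpressionVoter">
        <property name="expressionHandler" ref="expressionHandler" />
    </bean>

    <bean id="expressionHandler"
          class="org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler" />

    <!-- AuthenticationManager: DAO (username/password), anonymous and remember-me providers. -->
    <bean id="authenticationManager" class="org.springframework.security.authentication.ProviderManager">
        <constructor-arg type="java.util.List">
            <list>
                <ref bean="daoAuthenticationProvider" />
                <ref bean="anonymousAuthenticationProvider" />
                <ref bean="rememberMeAuthenticationProvider" />
            </list>
        </constructor-arg>
        <property name="authenticationEventPublisher" ref="defaultAuthenticationEventPublisher" />
    </bean>

    <!-- Stored passwords must be bcrypt hashes for daoAuthenticationProvider to match them. -->
    <bean id="passwordEncoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder" />

    <bean id="defaultAuthenticationEventPublisher"
          class="org.springframework.security.authentication.DefaultAuthenticationEventPublisher" />

    <bean id="daoAuthenticationProvider"
          class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
        <property name="userDetailsService" ref="userDetailsService" />
        <property name="passwordEncoder" ref="passwordEncoder" />
    </bean>

    <!--
        JDBC user lookup. Both queries take the username as a bound "?" parameter. JdbcDaoImpl
        reads the user query's columns positionally as username, password, enabled, so the
        third column ("enable" in this schema) is the account-enabled flag.
    -->
    <bean id="userDetailsService" class="org.springframework.security.core.userdetails.jdbc.JdbcDaoImpl">
        <property name="dataSource" ref="dataSource" />
        <property name="usersByUsernameQuery"
                  value="SELECT username, password, enable FROM user WHERE username=?" />
        <property name="authoritiesByUsernameQuery"
                  value="SELECT u.username as username, r.rolename as rolename FROM user u JOIN user_group ug ON u.id=ug.user_id JOIN groups g ON ug.group_id=g.id JOIN group_role gr ON g.id=gr.group_id JOIN role r ON gr.role_id=r.id WHERE u.username=?" />
    </bean>

    <!-- LogoutFilter: on /logout, run the handlers below and redirect to /logout.html. -->
    <bean id="logoutFilter" class="org.springframework.security.web.authentication.logout.LogoutFilter">
        <constructor-arg type="java.lang.String" value="/logout.html" />
        <constructor-arg>
            <array>
                <ref bean="securityContextLogoutHandler" />
                <ref bean="cookieClearingLogoutHandler" />
                <!-- PersistentTokenBasedRememberMeServices is also a LogoutHandler: it removes the persistent token. -->
                <ref bean="persistentTokenBasedRememberMeServices" />
            </array>
        </constructor-arg>
        <property name="logoutRequestMatcher" ref="logoutFilterProcessUrlRequestMatcher" />
    </bean>

    <bean id="securityContextLogoutHandler"
          class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler">
        <property name="invalidateHttpSession" value="true" />
        <property name="clearAuthentication" value="true" />
    </bean>

    <bean id="cookieClearingLogoutHandler"
          class="org.springframework.security.web.authentication.logout.CookieClearingLogoutHandler">
        <constructor-arg>
            <array>
                <value>JSESSIONID</value>
            </array>
        </constructor-arg>
    </bean>

    <!--
        NOTE(review): no HTTP method is given, so a plain GET to /logout ends the session, and
        the CsrfFilter's default matcher does not cover GET. The login matcher above is
        restricted to POST; adding `<constructor-arg value="POST" />` here would match it,
        but confirm the application's logout links/forms submit with POST before changing it.
    -->
    <bean id="logoutFilterProcessUrlRequestMatcher"
          class="org.springframework.security.web.util.matcher.AntPathRequestMatcher">
        <constructor-arg value="/logout" />
    </bean>

    <!-- RememberMeAuthenticationFilter: persistent-token ("series/token") remember-me. -->
    <bean id="rememberMeAuthenticationFilter"
          class="org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter">
        <constructor-arg ref="authenticationManager" />
        <constructor-arg ref="persistentTokenBasedRememberMeServices" />
    </bean>

    <!--
        Key shared by the remember-me services and the RememberMeAuthenticationProvider; the
        provider only accepts tokens created with the same key. Defined once, referenced
        twice. As with anonymousKey, the value is the literal previously duplicated in this
        file and is better supplied per deployment from an external property.
    -->
    <bean id="rememberMeKey" class="java.lang.String">
        <constructor-arg value="BoSk70Yar38~veg91DoCKs=sLaIn!met" />
    </bean>

    <!--
        NOTE(review): neither useSecureCookie nor tokenValiditySeconds is set, so the
        REMEMBER_ME cookie's Secure flag follows request.isSecure() and the validity period
        is the class default; set them explicitly if the deployment is HTTPS-only.
    -->
    <bean id="persistentTokenBasedRememberMeServices"
          class="org.springframework.security.web.authentication.rememberme.PersistentTokenBasedRememberMeServices">
        <constructor-arg type="java.lang.String" ref="rememberMeKey" />
        <constructor-arg type="org.springframework.security.core.userdetails.UserDetailsService"
                         ref="userDetailsService" />
        <constructor-arg type="org.springframework.security.web.authentication.rememberme.PersistentTokenRepository"
                         ref="jdbcTokenRepository" />
        <property name="cookieName" value="REMEMBER_ME" />
        <!-- Login form checkbox/parameter name that requests remember-me. -->
        <property name="parameter" value="remember-me" />
    </bean>

    <!-- Persistent tokens live in the database (the persistent_logins table used by JdbcTokenRepositoryImpl). -->
    <bean id="jdbcTokenRepository"
          class="org.springframework.security.web.authentication.rememberme.JdbcTokenRepositoryImpl">
        <property name="dataSource" ref="dataSource" />
    </bean>

    <bean id="rememberMeAuthenticationProvider"
          class="org.springframework.security.authentication.RememberMeAuthenticationProvider">
        <constructor-arg ref="rememberMeKey" />
    </bean>

    <!--
        ExceptionTranslationFilter: unauthenticated access -> save request and send to the
        login page; authenticated but forbidden -> accessDeniedHandler.
    -->
    <bean id="exceptionTranslationFilter"
          class="org.springframework.security.web.access.ExceptionTranslationFilter">
        <constructor-arg ref="loginUrlAuthenticationEntryPoint" />
        <constructor-arg ref="httpSessionRequestCache" />
        <property name="accessDeniedHandler" ref="accessDeniedHandler" />
    </bean>

    <bean id="loginUrlAuthenticationEntryPoint"
          class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
        <constructor-arg value="/login.jsp" />
    </bean>

    <!-- Also used by csrfFilter for token mismatches. -->
    <bean id="accessDeniedHandler" class="org.springframework.security.web.access.AccessDeniedHandlerImpl">
        <property name="errorPage" value="/accessDenied.html" />
    </bean>

    <!--
        ConcurrentSessionFilter: a session marked expired in the registry is logged out with
        the same handlers as an explicit logout, then redirected to /expire.html.
    -->
    <bean id="concurrentSessionFilter"
          class="org.springframework.security.web.session.ConcurrentSessionFilter">
        <constructor-arg type="org.springframework.security.core.session.SessionRegistry"
                         ref="sessionRegistry" />
        <constructor-arg type="java.lang.String" value="/expire.html" />
        <property name="logoutHandlers">
            <array>
                <ref bean="securityContextLogoutHandler" />
                <ref bean="cookieClearingLogoutHandler" />
                <ref bean="persistentTokenBasedRememberMeServices" />
            </array>
        </property>
    </bean>

    <!--
        SessionManagementFilter: applies the session strategy for authentications that did not
        go through the login filter (e.g. remember-me, basic auth).
    -->
    <bean id="sessionManagementFilter"
          class="org.springframework.security.web.session.SessionManagementFilter">
        <constructor-arg ref="securityContextRepository" />
        <constructor-arg ref="compositeSessionAuthenticationStrategy" />
        <property name="authenticationFailureHandler" ref="simpleUrlAuthenticationFailureHandler" />
    </bean>

    <!--
        SessionAuthenticationStrategy, applied in list order on every authentication:
        rotate the CSRF token, enforce the per-user session limit, change the session id,
        register the new session.
    -->
    <bean id="compositeSessionAuthenticationStrategy"
          class="org.springframework.security.web.authentication.session.CompositeSessionAuthenticationStrategy">
        <constructor-arg>
            <list>
                <ref bean="csrfAuthenticationStrategy" />
                <ref bean="sessionControlAuthenticationStrategy" />
                <ref bean="sessionFixationProtectionStrategy" />
                <ref bean="registerSessionAuthenticationStrategy" />
            </list>
        </constructor-arg>
    </bean>

    <!-- Issues a fresh CSRF token on login so the pre-login token cannot be reused. -->
    <bean id="csrfAuthenticationStrategy" class="org.springframework.security.web.csrf.CsrfAuthenticationStrategy">
        <constructor-arg ref="httpSessionCsrfTokenRepository" />
    </bean>

    <!--
        One session per user; with exceptionIfMaximumExceeded=true a second login is rejected
        rather than expiring the earlier session. Project subclass of the Spring strategy
        named in the comment.
    -->
    <bean id="sessionControlAuthenticationStrategy"
          class="com.jaeson.springstudy.security.MyConcurrentSessionControlAuthenticationStrategy">
        <!-- class="org.springframework.security.web.authentication.session.ConcurrentSessionControlAuthenticationStrategy" -->
        <constructor-arg ref="sessionRegistry" />
        <property name="maximumSessions" value="1" />
        <property name="exceptionIfMaximumExceeded" value="true" />
    </bean>

    <!-- New session id on authentication; existing attributes are copied across. -->
    <bean id="sessionFixationProtectionStrategy"
          class="org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy">
        <property name="migrateSessionAttributes" value="true" />
    </bean>

    <bean id="registerSessionAuthenticationStrategy"
          class="com.jaeson.springstudy.security.MyRegisterSessionAuthenticationStrategy">
        <!-- class="org.springframework.security.web.authentication.session.RegisterSessionAuthenticationStrategy" -->
        <constructor-arg ref="sessionRegistry" />
    </bean>

    <!-- <bean id="sessionRegistry" class="org.springframework.security.core.session.SessionRegistryImpl"/> -->
    <!-- Project registry implementation; shared by the concurrency filter and both session strategies. -->
    <bean id="sessionRegistry" class="com.jaeson.springstudy.security.MySessionRegistryImpl" />

    <!-- SecurityContextHolderAwareRequestFilter: servlet-API integration (getRemoteUser, isUserInRole, login/logout). -->
    <bean id="securityContextHolderAwareRequestFilter"
          class="org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter">
        <property name="authenticationManager" ref="authenticationManager" />
    </bean>

    <!-- WebAsyncManagerIntegrationFilter: propagates the SecurityContext into Spring MVC async processing. -->
    <bean id="webAsyncManagerIntegrationFilter"
          class="org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter" />

    <!-- BasicAuthenticationFilter: HTTP Basic is accepted alongside form login, against the same manager. -->
    <bean id="basicAuthenticationFilter"
          class="org.springframework.security.web.authentication.www.BasicAuthenticationFilter">
        <constructor-arg ref="authenticationManager" />
        <constructor-arg ref="basicAuthenticationEntryPoint" />
    </bean>

    <bean id="basicAuthenticationEntryPoint"
          class="org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint">
        <property name="realmName" value="Spring Security Application" />
    </bean>

    <!-- RequestCacheAwareFilter: replays the request saved before the login redirect. -->
    <bean id="requestCacheAwareFilter"
          class="org.springframework.security.web.savedrequest.RequestCacheAwareFilter">
        <constructor-arg ref="httpSessionRequestCache" />
    </bean>

    <bean id="httpSessionRequestCache"
          class="org.springframework.security.web.savedrequest.HttpSessionRequestCache">
        <property name="createSessionAllowed" value="true" />
    </bean>

    <!-- Required by the JSP security tag library (authorize url="...") to evaluate page-level access. -->
    <bean id="webInvocationFilter"
          class="org.springframework.security.web.access.DefaultWebInvocationPrivilegeEvaluator">
        <constructor-arg ref="filterSecurityInterceptor" />
    </bean>

    <!-- Method-level access control. -->
    <bean id="methodSecurityInterceptor"
          class="org.springframework.security.access.intercept.aopalliance.MethodSecurityInterceptor">
        <property name="authenticationManager" ref="authenticationManager" />
        <property name="accessDecisionManager" ref="methodAffirmativeBased" />
        <property name="securityMetadataSource">
            <security:method-security-metadata-source>
                <!-- The methods to protect and the authorities each requires. -->
                <security:protect method="com.jaeson.springstudy.security.SessionRegistryExample.getOnline*"
                                  access="ROLE_USER, ROLE_ADMIN" />
                <security:protect method="com.jaeson.springstudy.security.SessionRegistryExample.getActive*"
                                  access="ROLE_ADMIN" />
                <security:protect method="com.jaeson.springstudy.security.SessionRegistryExample.test*"
                                  access="IS_AUTHENTICATED_FULLY" />
            </security:method-security-metadata-source>
        </property>
    </bean>

    <!-- Method authorization uses role and authenticated voters only (no expression voter). -->
    <bean id="methodAffirmativeBased" class="org.springframework.security.access.vote.AffirmativeBased">
        <constructor-arg type="java.util.List">
            <list>
                <ref bean="roleVoter" />
                <ref bean="authenticatedVoter" />
            </list>
        </constructor-arg>
    </bean>

    <!-- <bean id="methodExpressionHandler" class="org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler" /> -->

    <!-- Applies methodSecurityInterceptor to every method of SessionRegistryExample. -->
    <aop:config>
        <aop:pointcut id="securityMethodPointCut"
                      expression="execution(* com.jaeson.springstudy.security.SessionRegistryExample.*(..))" />
        <aop:advisor advice-ref="methodSecurityInterceptor" pointcut-ref="securityMethodPointCut" />
    </aop:config>

    <!--
        Spring Security defines four expression-enabled annotations: @PreAuthorize,
        @PostAuthorize, @PreFilter and @PostFilter. The first two perform an access check
        before or after the method call; the last two filter collection-typed arguments or
        return values.
    -->
    <!-- <security:global-method-security pre-post-annotations="enabled" /> -->
    <!-- JSR-250 annotation: @RolesAllowed -->
    <!-- <security:global-method-security jsr250-annotations="enabled"/> -->

</beans>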