<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE beans PUBLIC "-//SPRING//DTD BEAN//EN"
"http://www.springframework.org/dtd/spring-beans.dtd">
<beans>
<!-- ======================== FILTER CHAIN ======================= -->
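<bean id="filterChainProxy" class="org.acegisecurity.util.FilterChainProxy">
  <!--
    Maps request URLs to the ordered list of Acegi filters that run for them.
    The FIRST pattern matching the (lower-cased) request URL wins, so specific
    patterns must precede broad ones. A URL matching no pattern at all gets no
    Acegi filter and is served without any security processing.
  -->
  <property name="filterInvocationDefinitionSource">
    <value>
      CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
      PATTERN_TYPE_APACHE_ANT
      <!--
        httpSessionContextIntegrationFilter loads the Authentication from the HttpSession
        before each request and stores it back afterwards. It must therefore run before
        every other Acegi filter so the security context survives across requests.
      -->
      <!-- Login form submission: the authentication filter handles success/failure itself. -->
      /j_security_check.login=concurrentSessionFilter,httpSessionContextIntegrationFilter,authenticationProcessingFilter
      <!-- Security constraints for application pages. -->
      /*.htm=concurrentSessionFilter,httpSessionContextIntegrationFilter,requestWrapperFilter,anonymousProcessingFilter,exceptionTranslationFilter,filterInvocationInterceptor
      /*.jsp=concurrentSessionFilter,httpSessionContextIntegrationFilter,requestWrapperFilter,anonymousProcessingFilter,exceptionTranslationFilter,filterInvocationInterceptor
      /*/*.htm=concurrentSessionFilter,httpSessionContextIntegrationFilter,requestWrapperFilter,anonymousProcessingFilter,exceptionTranslationFilter,filterInvocationInterceptor
      /*/*.jsp=concurrentSessionFilter,httpSessionContextIntegrationFilter,requestWrapperFilter,anonymousProcessingFilter,exceptionTranslationFilter,filterInvocationInterceptor
      /*/*/*.htm=concurrentSessionFilter,httpSessionContextIntegrationFilter,requestWrapperFilter,anonymousProcessingFilter,exceptionTranslationFilter,filterInvocationInterceptor
      /*/*/*/*.htm=concurrentSessionFilter,httpSessionContextIntegrationFilter,requestWrapperFilter,anonymousProcessingFilter,exceptionTranslationFilter,filterInvocationInterceptor
      <!--
        NOTE(review): the former /rw/*.htm and /rw/*/*.htm entries were removed. Both carried
        exactly the chain of /*/*.htm and /*/*/*.htm, and /rw/*.htm was listed after /*/*.htm,
        so it could never be selected (first match wins).
      -->
      <!--
        NOTE(review): there is no trailing /** catch-all. Any URL outside the patterns above
        (for example /a/b/c.jsp, /a/b/c/d/e.htm, or any non .htm/.jsp resource) bypasses Acegi
        completely. If that is not intended, add a final "/**" entry with the full chain.
      -->
    </value>
  </property>
</bean>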
<!-- ======================== AUTHENTICATION ======================= -->
<!-- Note the order that entries are placed against the objectDefinitionSource is critical.
The FilterSecurityInterceptor will work from the top of the list down to the FIRST pattern that matches the request URL.
Accordingly, you should place MOST SPECIFIC (ie a/b/c/d.*) expressions first, with LEAST SPECIFIC (ie a/.*)
expressions last -->
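<bean id="filterInvocationInterceptor" class="org.acegisecurity.intercept.web.FilterSecurityInterceptor">
  <!-- Verifies the Authentication in the security context (re-authenticating through the manager if needed). -->
  <property name="authenticationManager"><ref local="authenticationManager"/></property>
  <!--
    The access decision manager decides whether the caller may reach a protected resource:
    the authenticationManager first establishes that the caller is authenticated, then the
    attributes configured below for the matched URL are put to the decision voters.
  -->
  <property name="accessDecisionManager"><ref local="accessDecisionManager"/></property>
  <!--
    objectDefinitionSource maps URL patterns to the configuration attributes (here, the
    authorities) required to access them. Entries are evaluated top to bottom and the
    FIRST match wins, so the most specific patterns go first.
  -->
  <property name="objectDefinitionSource">
    <value>
      CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
      PATTERN_TYPE_APACHE_ANT
      <!-- Per-URL role control. Patterns are written in lowercase because the request URL is lower-cased before comparison. -->
      <!-- Pages that must work without a login, hence ROLE_ANONYMOUS. -->
      /logout.htm=ROLE_ANONYMOUS,menu_vie
      /login.htm=ROLE_ANONYMOUS,menu_vie
      /login!submit.htm=ROLE_ANONYMOUS,menu_vie
      /login.jsp=ROLE_ANONYMOUS,menu_vie
      <!--
        FIX(review): the login-failure page (authenticationProcessingFilter.authenticationFailureUrl)
        and the expired-session page (concurrentSessionFilter.expiredUrl) are reached by callers who
        are NOT logged in. Previously they fell through to /*.jsp=menu_vie, were denied, and the
        caller was bounced back to /login.jsp, so neither page could ever be displayed.
      -->
      /loginerror.jsp=ROLE_ANONYMOUS,menu_vie
      /expired.jsp=ROLE_ANONYMOUS,menu_vie
      <!-- /news/callCreateNews.htm=menu_vie,news_add-->
      /*.htm=menu_vie
      /*.jsp=menu_vie
      /*/*.htm=menu_vie
      /*/*.jsp=menu_vie
      /*/*/*.htm=menu_vie
      /*/*/*/*.htm=menu_vie
      <!-- NOTE(review): the former /rw/*/*.htm=menu_vie entry was removed; /*/*/*.htm carries the same attribute. -->
      <!--
        NOTE(review): there is no /** catch-all and rejectPublicInvocations is left at its default
        (false), so a URL matching none of the patterns above (for example /a/b/c.jsp,
        /a/b/c/d/e.htm, or the defaultTargetUrl "/") is treated as public and granted to everyone.
        Fail closed with a final "/**=menu_vie" or rejectPublicInvocations=true once static
        resources and the welcome page have been accounted for.
      -->
    </value>
  </property>
</bean>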
<!-- The AuthenticationManager establishes the caller's identity. Acegi's ProviderManager is the
general-purpose implementation: it hands the Authentication request to each provider in turn until
one supports it and either authenticates it or throws an AuthenticationException. -->
<bean id="authenticationManager" class="org.acegisecurity.providers.ProviderManager">
<property name="providers"> <!-- Ordered list of authentication providers tried by ProviderManager -->
<list>
<ref local="daoAuthenticationProvider"/>
<!-- DaoAuthenticationProvider loads the stored user record (through userDetailsService) and compares
the stored credentials with the principal and credentials carried by the Authentication object the
manager passes in. On a match it returns a fully populated Authentication to the manager; otherwise
it throws an AuthenticationException to signal the failure. -->
<ref local="anonymousAuthenticationProvider"/>
</list>
</property>
<!-- Enforces the per-user concurrent session limit around each authentication (see concurrentSessionController). -->
<property name="sessionController" ref="concurrentSessionController" />
</bean>
<!-- Receives the AuthenticationEvents published by the providers (successful and failed logins) and
writes them to the application log. These records typically include the account name involved, so
confirm the log destination and retention are appropriate for audit data. -->
<bean id="loggerListener" class="org.acegisecurity.event.authentication.LoggerListener"/>
<!--
  DaoAuthenticationProvider looks the user up through userDetailsService, checks the presented
  password against the stored one and, on success, returns an Authentication carrying the user's
  granted authorities. Loaded UserDetails are kept in userCache so later requests do not hit the
  database again.
  NOTE(review): no passwordEncoder is configured. In Acegi this property defaults to a plaintext
  encoder, i.e. the submitted password is compared directly with the stored value. Verify how the
  user store actually hashes passwords and wire the matching encoder (and salt source) here.
  NOTE(review): a cached UserDetails entry keeps granting access until it expires from the cache,
  even if the account is disabled or its authorities change in the database; confirm that the
  cache is evicted on such changes.
-->
<bean id="daoAuthenticationProvider" class="org.acegisecurity.providers.dao.DaoAuthenticationProvider">
  <property name="userDetailsService" ref="userDetailsService"/>
  <property name="userCache" ref="userCache"/>
</bean>
<!--
  Application-specific UserDetailsService backing the DAO provider. It is wired to the user,
  user-group and permission managers defined elsewhere in the application context, from which
  it presumably assembles the UserDetails (account state and granted authorities); the class
  itself is outside this file.
-->
<bean id="userDetailsService" class="com.jfk.web.acegi.UserDetailService">
  <property name="userManager" ref="userManager"/>
  <property name="userCache" ref="userCache"/>
  <property name="permiUserManager" ref="permiUserManager"/>
  <property name="usergroupUserManager" ref="usergroupUserManager"/>
  <property name="permitUserGroupManager" ref="permitUserGroupManager"/>
  <!--
    Spring resolves property names against the class's setters, so the class must declare
    setPermissionManger with this spelling. Do not "fix" the spelling here without changing
    the class, or the context will fail to start.
  -->
  <property name="permissionManger" ref="permissionManager"/>
</bean>
<!--
  EhCache-backed cache of UserDetails. The authentication manager consults the user record on
  every authentication, so caching avoids a database round trip each time.
-->
<bean id="userCache" class="org.acegisecurity.providers.dao.cache.EhCacheBasedUserCache">
  <property name="cache">
    <!--
      Anonymous inner EhCache named "userCache" obtained from a default CacheManager. Its
      size and time-to-live come from the ehcache configuration (or EhCacheFactoryBean
      defaults), not from this file; they bound how long stale user data keeps being trusted.
    -->
    <bean class="org.springframework.cache.ehcache.EhCacheFactoryBean">
      <property name="cacheManager">
        <bean class="org.springframework.cache.ehcache.EhCacheManagerFactoryBean"/>
      </property>
      <property name="cacheName" value="userCache"/>
    </bean>
  </property>
</bean>
<!--
  Authenticates the AnonymousAuthenticationToken created by anonymousProcessingFilter. The key
  must be identical to the filter's key: tokens whose key hash does not match are rejected.
  NOTE(review): "anonymous" is a guessable value; both beans should share a random secret.
-->
<bean id="anonymousAuthenticationProvider" class="org.acegisecurity.providers.anonymous.AnonymousAuthenticationProvider">
  <property name="key" value="anonymous"/>
</bean>
<!--
  RoleVoter compares the configuration attributes of a protected resource with the authorities
  granted to the caller and votes ACCESS_GRANTED on the first match, otherwise ACCESS_DENIED.
  It only votes on attributes that start with rolePrefix (default ROLE_). The prefix is cleared
  here on purpose so that non ROLE_ attributes such as menu_vie are voted on as well; with an
  empty prefix the voter never abstains for a URL that has attributes.
-->
<bean id="roleVoter" class="org.acegisecurity.vote.RoleVoter">
  <property name="rolePrefix" value=""/>
</bean>
<!-- AffirmativeBased grants access as soon as any voter votes ACCESS_GRANTED. -->
<bean id="accessDecisionManager" class="org.acegisecurity.vote.AffirmativeBased">
  <!--
    false: if every voter abstains the request is denied (fail closed).
    true would treat an all-abstain result the same as a grant.
  -->
  <property name="allowIfAllAbstainDecisions" value="false"/>
  <property name="decisionVoters">
    <list>
      <ref local="roleVoter"/>
    </list>
  </property>
</bean>
<!-- ===================== HTTP REQUEST SECURITY ==================== -->
<!--
  Checks on every request whether the current session has been marked expired in the session
  registry (because the same account logged in elsewhere); if so the session is invalidated and
  the caller is redirected to expiredUrl.
-->
<bean id="concurrentSessionFilter" class="org.acegisecurity.concurrent.ConcurrentSessionFilter">
  <property name="sessionRegistry" ref="sessionRegistry"/>
  <!--
    Page shown after the session was expired. The session has just been invalidated, so this URL
    has to be accessible to anonymous callers in the objectDefinitionSource or it will redirect
    to the login page instead of being displayed.
  -->
  <property name="expiredUrl" value="/expired.jsp"/>
</bean>
<!--
  Populates the SecurityContextHolder from the HttpSession at the start of each request and
  writes the (possibly updated) SecurityContext back at the end, so the caller's Authentication
  and authorities persist across requests.
-->
<bean id="httpSessionContextIntegrationFilter" class="org.acegisecurity.context.HttpSessionContextIntegrationFilter">
  <!-- Implementation used to create a fresh, empty context when the session holds none. -->
  <property name="context" value="org.acegisecurity.context.SecurityContextImpl"/>
</bean>
<bean id="requestWrapperFilter" class="org.acegisecurity.wrapper.SecurityContextHolderAwareRequestFilter"/>
<!--
  Processes the login form submission sent to filterProcessesUrl. On success the caller is sent
  to the page that originally triggered the login, or to defaultTargetUrl when none was saved
  (unless alwaysUseDefaultTargetUrl is set); on failure to authenticationFailureUrl.
-->
<bean id="authenticationProcessingFilter" class="org.acegisecurity.ui.webapp.AuthenticationProcessingFilter">
  <property name="authenticationManager" ref="authenticationManager"/>
  <!--
    NOTE(review): a caller who failed to log in is still anonymous when redirected here, so this
    URL must be accessible to ROLE_ANONYMOUS in the objectDefinitionSource or the error page is
    never shown.
  -->
  <property name="authenticationFailureUrl" value="/loginError.jsp"/>
  <property name="defaultTargetUrl" value="/"/>
  <!-- Must match the filterChainProxy pattern that routes this URL to this filter. -->
  <property name="filterProcessesUrl" value="/j_security_check.login"/>
  <!-- Per exception type failure pages; currently all failures go to the same page as above. -->
  <property name="exceptionMappings">
    <props>
      <prop key="org.acegisecurity.AuthenticationException">/loginError.jsp</prop>
    </props>
  </property>
</bean>
<!--
  If the SecurityContextHolder holds no Authentication, installs an AnonymousAuthenticationToken
  with principal "anonymous" and authority ROLE_ANONYMOUS, so visitors who have not logged in can
  be matched by ROLE_ANONYMOUS rules in the objectDefinitionSource.
  NOTE(review): key must equal anonymousAuthenticationProvider's key and should be a random
  secret rather than the guessable "anonymous".
-->
<bean id="anonymousProcessingFilter" class="org.acegisecurity.providers.anonymous.AnonymousProcessingFilter">
  <property name="key" value="anonymous"/>
  <!-- Format: principal,authority[,authority...] -->
  <property name="userAttribute" value="anonymous,ROLE_ANONYMOUS"/>
</bean>
<!--
  Translates the AuthenticationException or AccessDeniedException thrown further down the chain.
  An unauthenticated (anonymous) caller has the current request saved and is sent to the entry
  point, i.e. the login page; an authenticated caller who lacks the required authority gets the
  access denied response (HTTP 403 by default).
-->
<bean id="exceptionTranslationFilter" class="org.acegisecurity.ui.ExceptionTranslationFilter">
  <property name="authenticationEntryPoint" ref="authenticationProcessingFilterEntryPoint"/>
</bean>
<!-- Entry point used when an unauthenticated caller requests a protected page: redirects to the login form. -->
<bean id="authenticationProcessingFilterEntryPoint" class="org.acegisecurity.ui.webapp.AuthenticationProcessingFilterEntryPoint">
  <property name="loginFormUrl" value="/login.jsp"/>
  <!--
    NOTE(review): false keeps the scheme of the original request, so on a plain HTTP deployment
    the login form, and the password posted from it, travel in clear text. Set this to true (and
    serve the login URL over TLS) for anything beyond local development.
  -->
  <property name="forceHttps" value="false"/>
</bean>
<!-- Limits each account to a single concurrent session (same account logging in from two places). -->
<bean id="concurrentSessionController" class="org.acegisecurity.concurrent.ConcurrentSessionControllerImpl">
  <property name="maximumSessions" value="1"/>
  <!--
    Registry of live sessions per principal. It is only accurate if session lifecycle events
    reach it, which in Acegi requires the HttpSessionEventPublisher listener in web.xml; that
    file is not shown here, so confirm the listener is registered.
  -->
  <property name="sessionRegistry" ref="sessionRegistry"/>
  <!--
    false: a login beyond the limit succeeds and the least recently used existing session is
    marked expired (concurrentSessionFilter then ends it on its next request). true would
    instead reject the new login with an exception and keep the existing session.
  -->
  <property name="exceptionIfMaximumExceeded" value="false"/>
</bean>
<bean id="sessionRegistry" class="org.acegisecurity.concurrent.SessionRegistryImpl" />
</beans>