<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE beans PUBLIC "-//SPRING//DTD BEAN//EN" "http://www.springframework.org/dtd/spring-beans.dtd">
- <beans default-lazy-init="false" default-autowire="no" default-dependency-check="none">
<!--
FilterChainProxy 会按顺序调用这些 filter，使它们能享用 Spring IoC 的功能。标准写法中该属性的值是文本定义：CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON 表示 URL 比较前先转为小写，PATTERN_TYPE_APACHE_ANT 表示使用 Apache Ant 的匹配模式。注意本配置中传入的却是一条查询 tf_authorities 的 SQL，需要项目自定义的转换器把查询结果变成上述定义（该转换器在本文件中不可见），应确认它生成的过滤器链以 httpSessionContextIntegrationFilter 开头。
-->
<bean id="filterChainProxy" class="org.acegisecurity.util.FilterChainProxy">
  <!--
    Ordered filter chain(s) applied to incoming requests. Stock Acegi expects a text
    definition here (PATTERN_TYPE_APACHE_ANT, /**=filterA,filterB,...); this project
    supplies a SQL query against tf_authorities instead, so a project-specific
    PropertyEditor/converter (not in this file) must turn the rows into a
    FilterInvocationDefinitionSource. Verify that converter exists and that every chain it
    produces starts with httpSessionContextIntegrationFilter, which the other filters rely on.
  -->
  <property name="filterInvocationDefinitionSource"
            value="select authority,PROTECTED_RES from tf_authorities where AUTH_TYPE='SYSTEM'" />
</bean>
<!--
该Filter 负责每次请求从HttpSession中获取Authentication对象,然后把Authentication存于 一个新的 ContextHolder对象(其实质上只是一个ThreadLocal对象)中,则让该次请求过程中的任何 Filter都可以通过 ContextHolder来共享Authentication,而不需要从HttpSession中取, 减少传HttpRequest参数的麻烦.在请求完后把Authentication对象保存到HttpSession中供下次请求使用, 最后把刚才生成的ContextHolder对象销毁.这样就达到了让Authentication对象跨越多个请求的目的. 注意此filter须在调用其他Acegi filter前使用:
-->
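<!-- Must be the first Acegi filter in every chain: it loads the SecurityContext from the
     HttpSession before the request and stores it back afterwards. No properties needed. -->
<bean id="httpSessionContextIntegrationFilter"
      class="org.acegisecurity.context.HttpSessionContextIntegrationFilter" />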
<!--
该Filter负责处理退出登录后所需要的清理工作.它会把session销毁,把ContextHolder清空, 把rememberMeService从cookies中清除掉,然后重定向到指定的退出登陆页面.
-->
- <bean id="logoutFilter" class="org.acegisecurity.ui.logout.LogoutFilter" lazy-init="default" autowire="default" dependency-check="default">
<!--
该 Filter 负责处理登录身份验证。当收到与 filterProcessesUrl 相同的请求时，它先通过 AuthenticationManager 验证用户身份：验证成功则重定向到 defaultTargetUrl 定义的成功页面（默认 alwaysUseDefaultTargetUrl=false，若之前保存了被拦截的请求则回到该请求）；验证失败则通知 rememberMeServices（loginFail，一般用于清除 remember-me cookie），并重定向到 authenticationFailureUrl 定义的登录失败页面。注意下面实际使用的是自定义子类 com.doone.acegi.pmi.security.ValidationCodeFilter，而不是标准的 org.acegisecurity.ui.webapp.AuthenticationProcessingFilter。
-->
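<!--
  Project-specific subclass of Acegi's AuthenticationProcessingFilter (source not in this
  file; presumably adds a verification-code check). NOTE(review): confirm it still delegates
  to the superclass on success/failure so authenticationFailureUrl and the LoggerListener
  events keep working.
-->
<bean id="authenticationProcessingFilter"
      class="com.doone.acegi.pmi.security.ValidationCodeFilter">
  <!-- Verifies the submitted credentials via the ProviderManager declared below. -->
  <property name="authenticationManager" ref="authenticationManager" />
  <!-- Browser is redirected here after a failed login (index.jsp is also the login form). -->
  <property name="authenticationFailureUrl" value="/index.jsp?login_error=1" />
  <!-- Landing page after a successful login when no intercepted request was saved. -->
  <property name="defaultTargetUrl" value="/console/index.jsp" />
  <!-- URL the login form must POST to; must match the form action in index.jsp. -->
  <property name="filterProcessesUrl" value="/j_acegi_security_check" />
</bean>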
<!--
该Filter 负责通过Decorate Model(装饰模式),装饰的HttpServletRequest对象. 其Wapper是ServletRequest包装类 HttpServletRequestWrapper的子类 (SavedRequestAwareWrapper或者 SecurityContextHolderAwareRequestWrapper), 附上获取用户权限信息,request参数,header, Date,headers和cookies的方法.
-->
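<!-- Wraps the request so getRemoteUser()/isUserInRole() answer from the SecurityContext. -->
<bean id="securityContextHolderAwareRequestFilter"
      class="org.acegisecurity.wrapper.SecurityContextHolderAwareRequestFilter" />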
<!--
该过滤器负责处理各种异常,然后重定向到相应的页面中。
-->
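<bean id="exceptionTranslationFilter" class="org.acegisecurity.ui.ExceptionTranslationFilter">
  <!-- Unauthenticated (anonymous) callers hitting a protected URL are sent to the login form. -->
  <property name="authenticationEntryPoint">
    <bean class="org.acegisecurity.ui.webapp.AuthenticationProcessingFilterEntryPoint">
      <property name="loginFormUrl" value="/index.jsp" />
      <!--
        NOTE(review): forceHttps=false keeps the caller's scheme on the redirect to the login
        form, so the username/password POST can travel over plain HTTP. Set it to true
        (adding a portMapper if non-standard ports are used) unless TLS is guaranteed to be
        terminated in front of the container for every request.
      -->
      <property name="forceHttps" value="false" />
    </bean>
  </property>
  <!-- Authenticated callers that lack the required authority get the static error page. -->
  <property name="accessDeniedHandler">
    <bean class="org.acegisecurity.ui.AccessDeniedHandlerImpl">
      <property name="errorPage" value="/accessDenied.jsp" />
    </bean>
  </property>
</bean>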
<!--
该 Filter 首先确认当前用户已通过认证（必要时调用 AuthenticationManager），然后从 Authentication 中取得用户权限，从 objectDefinitionSource 取得各 URL 资源所要求的权限，再交由 AccessDecisionManager 判断二者是否匹配。匹配失败会抛出 AccessDeniedException，由前面的 exceptionTranslationFilter 处理：未登录用户转到登录页，已登录用户转到 accessDenied.jsp；匹配成功则允许访问。注意：在 objectDefinitionSource 中没有对应记录的 URL 不会进行授权判断（被视为公开资源），务必保证 tf_authorities 覆盖所有敏感路径。
-->
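<bean id="filterInvocationInterceptor" class="org.acegisecurity.intercept.web.FilterSecurityInterceptor">
  <property name="authenticationManager" ref="authenticationManager" />
  <!--
    AffirmativeBased: access is granted as soon as one voter grants; a deny with no grant
    denies. allowIfAllAbstainDecisions=false makes a URL whose attributes no voter
    understands (neither AUTH_-prefixed nor IS_AUTHENTICATED_*) fail closed.
  -->
  <property name="accessDecisionManager">
    <bean class="org.acegisecurity.vote.AffirmativeBased">
      <property name="allowIfAllAbstainDecisions" value="false" />
      <property name="decisionVoters">
        <list>
          <ref bean="roleVoter" />
          <bean class="org.acegisecurity.vote.AuthenticatedVoter" />
        </list>
      </property>
    </bean>
  </property>
  <!--
    URL to required-authority map, loaded from tf_authorities (AUTH_TYPE='USER'). As with
    filterChainProxy this depends on a project-specific converter that is not in this file.
    NOTE(review): a URL with no matching row yields no config attributes and, under Acegi's
    default AbstractSecurityInterceptor behaviour, is treated as public (no authorization at
    all). Confirm the table covers every sensitive path, and consider
    rejectPublicInvocations=true (where the Acegi version in use supports it) so that
    unmapped URLs are denied instead of silently allowed.
  -->
  <property name="objectDefinitionSource"
            value="select authority,PROTECTED_RES from tf_authorities where AUTH_TYPE='USER'" />
</bean>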
<!--
AuthenticationManager的其中一个实现是ProviderManager,它负责把身份验证的工作委托给一个或多个Provider(认证提供者). Provider 都是实现AuthenticationProvider接口,该接口有两个方法authenticate()和support(). authenticate()方法会尝试验证用户身份,若验证成功则返回一个Authentication对象,否则抛出一个 AuthenticationException. support()方法会评估当前Authentication对象是否适合这个Provider来进行进一步的处理,而不是指已经通过. Provider有多个实现.例如daoAuthenticationProvider(从数据库中读取用户信息验证身份), anonymousAuthenticationProvider(匿名用户身份认证), rememberMeAuthenticationProvider(已存cookie中的用户信息身份认证), authByAdapterProvider(使用容器的适配器验证身份), casAuthenticationProvider(根据Yale中心认证服务验证身份, 用于实现单点登陆), jaasAuthenticationProvider(从JASS登陆配置中获取用户信息验证身份), remoteAuthenticationProvider(根据远程服务验证用户身份), runAsImplAuthenticationProvider(对身份已被管理器替换的用户进行验证), x509AuthenticationProvider(从X509认证中获取用户信息验证身份), testingAuthenticationProvider(单元测试时使用).
-->
- <bean id="authenticationManager"class="org.acegisecurity.providers.ProviderManager" lazy-init="default"autowire="default" dependency-check="default">
<!--
该Filter负责为当不存在任何授权信息时,自动为Authentication对象添加userAttribute中定义的匿名用户权限
-->
- <bean id="anonymousProcessingFilter"class="org.acegisecurity.providers.anonymous.AnonymousProcessingFilter" lazy-init="default" autowire="default" dependency-check="default">
<!--
daoAuthenticationProvider 负责根据用户名和密码验证身份，其中读取用户名、密码（哈希值）和权限的工作交给 userDetailsService；通过 userCache 缓存用户信息可减少查询数据库的次数；passwordEncoder 用于把用户输入的明文密码做同样的摘要后再与库中的值比较。userDetailsService 的实现有 jdbcDaoImpl 和 inMemoryDaoImpl：前者从数据库读取用户名和密码，后者只从 xml 定义读取。userCache 的实现有 EhCacheBasedUserCache（基于开源的 ehcache）和 NullUserCache（实际上不缓存）。Acegi 提供三种 passwordEncoder：PlaintextPasswordEncoder（默认，不做处理，明文比较）、ShaPasswordEncoder（SHA 摘要）、Md5PasswordEncoder（MD5 摘要）。注意 SHA/MD5 是摘要（哈希）而不是加密；若不配置 saltSource 则是无盐哈希，容易被彩虹表或暴力破解，生产环境至少应配置 saltSource。
-->
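<bean id="daoAuthenticationProvider" class="org.acegisecurity.providers.dao.DaoAuthenticationProvider">
  <!-- Loads username / password hash / enabled flag and authorities with the JDBC queries below. -->
  <property name="userDetailsService" ref="jdbcDaoImpl" />
  <!-- User cache intentionally not configured (no caching). To enable it, define a userCache
       bean and add: <property name="userCache" ref="userCache" /> -->
  <!--
    Compares the submitted password with TF_USERINFO.PASSWORD using the MD5 encoder declared
    below. Remove this property only if the stored passwords are plain text (they should not
    be). No saltSource is configured, so the stored hashes are unsalted; see the
    passwordEncoder bean for why that matters.
  -->
  <property name="passwordEncoder" ref="passwordEncoder" />
</bean>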
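<!--
  Unsalted MD5 password hashing. MD5 is fast and widely precomputed, and without a salt
  identical passwords produce identical hashes, so a leaked TF_USERINFO table is trivially
  cracked. At minimum configure a saltSource on daoAuthenticationProvider; moving to a
  stronger scheme means re-hashing stored passwords (for example on the next successful
  login). The encoder emits hex unless encodeHashAsBase64 is set; the format must match
  the values already stored in the table.
-->
<bean id="passwordEncoder" class="org.acegisecurity.providers.encoding.Md5PasswordEncoder" />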
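<!-- Logs the authentication events (success and failure) that the ProviderManager publishes.
     Keep it: it is the only audit hook visible in this configuration, and failed-login entries
     are what a brute-force attempt shows up as. -->
<bean id="loggerListener" class="org.acegisecurity.event.authentication.LoggerListener" />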
<!--
add
-->
<bean id="jdbcDaoImpl" class="org.acegisecurity.userdetails.jdbc.JdbcDaoImpl">
  <property name="dataSource" ref="dataSource" />
  <!-- Both queries are parameterised (?). Keep them that way; never splice the username in. -->
  <!-- Result columns, in order: username, password (hash), enabled. -->
  <property name="usersByUsernameQuery"
            value="SELECT USERNAME, PASSWORD,ENABLED FROM TF_USERINFO WHERE USERNAME=?" />
  <!-- Result columns: username, authority. Only authorities starting with AUTH_ can match
       the attributes roleVoter votes on; any other prefix never grants access. -->
  <property name="authoritiesByUsernameQuery"
            value="SELECT distinct username, authority FROM tf_userinfo u, tf_authorities a, tf_role_auth ra,tf_user_role ur WHERE u.user_id = ur.user_id and ur.role_id=ra.role_id and a.auth_id = ra.auth_id and u.username = ?" />
</bean>
<!--
只有以 rolePrefix 设定的前缀开头的权限属性才会由 RoleVoter 投票（本配置为 AUTH_）；其它前缀（如 ROLE_）的属性 RoleVoter 一律弃权。
-->
<!-- Votes only on config attributes that start with AUTH_ (the tf_authorities.authority
     values); attributes with any other prefix make this voter abstain. -->
<bean id="roleVoter" class="org.acegisecurity.vote.RoleVoter">
  <property name="rolePrefix" value="AUTH_" />
</bean>
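<!--
  NOTE(review): "foobar" is the well-known sample key from the Acegi documentation. The key
  is how this provider checks that an anonymous token was minted by an
  AnonymousProcessingFilter configured with the same value, so it should be an unguessable,
  deployment-specific string. It must stay identical to the key of anonymousProcessingFilter
  (whose body is not shown in this listing); change both together or anonymous access breaks.
-->
<bean id="anonymousAuthenticationProvider"
      class="org.acegisecurity.providers.anonymous.AnonymousAuthenticationProvider">
  <property name="key" value="foobar" />
</bean>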
</beans>