<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:b="http://www.springframework.org/schema/beans" xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">
<http>
<!-- 不拦截 -->
<intercept-url pattern="/login.jsp*" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<intercept-url pattern="/list/**"
access="ROLE_ADMIN,ROLE_MANAGER,ROLE_USER" />
<intercept-url pattern="/delete/**" access="ROLE_ADMIN" />
<!-- 设置登录过滤器 -->
<custom-filter before="FORM_LOGIN_FILTER" ref="validateCodeAuthenticationFilter" />
<!-- 登录表单设置 -->
<form-login login-page="/home/login"
default-target-url="/home/loginSuccess.action"(登录成功的url)
authentication-failure-url="/home/login.action?error=true"(登录失败的url) />
<!-- 登出操作后跳转到该页面 -->
<!-- <logout logout-success-url="/loggedout.jsp" delete-cookies="JSESSIONID"
/> <remember-me /> -->
<!-- SESSION超时后跳转到该页面 -->
<!-- <session-management invalid-session-url="/timeout.jsp"> </session-management> -->
</http>
<authentication-manager alias="authenticationManager">
<authentication-provider>
<!-- 直接使用SQL语句查询登录帐号对应权限, users-by-username-query:查询登录用户是否存在 authorities-by-username-query:查询登录用户权限(登录用户可以不属于任何组,从t_user_role表中获取权限)
group-authorities-by-username-query:查询登录用户所在组的权限 -->
<jdbc-user-service data-source-ref="webDataSource"
users-by-username-query="SELECT t_user.name AS username,t_user.password as password,'true' AS enabled FROM t_user WHERE t_user.name = ?"
authorities-by-username-query="SELECT name AS username,role as authorities
FROM T_USER
LEFT OUTER JOIN t_role AS userrole ON(t_user.id = userrole.user_id)
LEFT OUTER JOIN t_role AS role ON (userrole.role_id = role.id)
WHERE t_user.name = ?" />
</authentication-provider>
</authentication-manager>
<!-- 验证码过滤器 -->
<beans:bean id="validateCodeAuthenticationFilter"
class="**.**.security.ValidateCodeUsernamePasswordAuthenticationFilter">
<beans:property name="authenticationSuccessHandler"
ref="loginLogAuthenticationSuccessHandler"></beans:property>
<beans:property name="authenticationFailureHandler"
ref="simpleUrlAuthenticationFailureHandler"></beans:property>
<beans:property name="authenticationManager" ref="authenticationManager"></beans:property>
</beans:bean>
<!-- 登录成功 -->
<beans:bean id="loginLogAuthenticationSuccessHandler"
class="org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler">
<beans:property name="defaultTargetUrl" value="/home/loginSuccess.action"></beans:property>
</beans:bean>
<!-- 登录失败 -->
<beans:bean id="simpleUrlAuthenticationFailureHandler"
class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
<beans:property name="defaultFailureUrl" value="/home/login.action?error=true"></beans:property>
</beans:bean>
</beans:beans>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:b="http://www.springframework.org/schema/beans" xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">
<http>
<!-- 不拦截 -->
<intercept-url pattern="/login.jsp*" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<intercept-url pattern="/list/**"
access="ROLE_ADMIN,ROLE_MANAGER,ROLE_USER" />
<intercept-url pattern="/delete/**" access="ROLE_ADMIN" />
<!-- 设置登录过滤器 -->
<custom-filter before="FORM_LOGIN_FILTER" ref="validateCodeAuthenticationFilter" />
<!-- 登录表单设置 -->
<form-login login-page="/home/login"
default-target-url="/home/loginSuccess.action"(登录成功的url)
authentication-failure-url="/home/login.action?error=true"(登录失败的url) />
<!-- 登出操作后跳转到该页面 -->
<!-- <logout logout-success-url="/loggedout.jsp" delete-cookies="JSESSIONID"
/> <remember-me /> -->
<!-- SESSION超时后跳转到该页面 -->
<!-- <session-management invalid-session-url="/timeout.jsp"> </session-management> -->
</http>
<authentication-manager alias="authenticationManager">
<authentication-provider>
<!-- 直接使用SQL语句查询登录帐号对应权限, users-by-username-query:查询登录用户是否存在 authorities-by-username-query:查询登录用户权限(登录用户可以不属于任何组,从t_user_role表中获取权限)
group-authorities-by-username-query:查询登录用户所在组的权限 -->
<jdbc-user-service data-source-ref="webDataSource"
users-by-username-query="SELECT t_user.name AS username,t_user.password as password,'true' AS enabled FROM t_user WHERE t_user.name = ?"
authorities-by-username-query="SELECT name AS username,role as authorities
FROM T_USER
LEFT OUTER JOIN t_role AS userrole ON(t_user.id = userrole.user_id)
LEFT OUTER JOIN t_role AS role ON (userrole.role_id = role.id)
WHERE t_user.name = ?" />
</authentication-provider>
</authentication-manager>
<!-- 验证码过滤器 -->
<beans:bean id="validateCodeAuthenticationFilter"
class="**.**.security.ValidateCodeUsernamePasswordAuthenticationFilter">
<beans:property name="authenticationSuccessHandler"
ref="loginLogAuthenticationSuccessHandler"></beans:property>
<beans:property name="authenticationFailureHandler"
ref="simpleUrlAuthenticationFailureHandler"></beans:property>
<beans:property name="authenticationManager" ref="authenticationManager"></beans:property>
</beans:bean>
<!-- 登录成功 -->
<beans:bean id="loginLogAuthenticationSuccessHandler"
class="org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler">
<beans:property name="defaultTargetUrl" value="/home/loginSuccess.action"></beans:property>
</beans:bean>
<!-- 登录失败 -->
<beans:bean id="simpleUrlAuthenticationFailureHandler"
class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
<beans:property name="defaultFailureUrl" value="/home/login.action?error=true"></beans:property>
</beans:bean>
</beans:beans>