spring security2中对method进行拦截的配置

1、配置web.xml文件：

<!-- 指定spring security的配置文件--> <context-param> <param-name>contextConfigLocation</param-name> <param-value>/WEB-INF/spring-security.xml</param-value> </context-param> <!-- spring security 的 Filter Chain 代理 --> <filter> <filter-name>springSecurityFilterChain</filter-name> <filter-class> org.springframework.web.filter.DelegatingFilterProxy </filter-class> </filter> <filter-mapping> <filter-name>springSecurityFilterChain</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> <!-- 取得Spring的Context --> <listener> <listener-class> org.springframework.web.context.ContextLoaderListener </listener-class> </listener>

 

2、配置spring-security.xml（该文件名字与web.xml中的<context-param />中的相对应） ：

 

method拦截有三种配置方式：

第一种方式是在java代码添加注释@Secured({"ROLE_SUPER"})、在spring-security.xml中添加<global-method-security secured-annotations="enabled"></global-method-security>，具体配置如下：

 

spring-security.xml

<?xml version="1.0" encoding="UTF-8"?> <beans:beans xmlns="http://www.springframework.org/schema/security" xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.4.xsd"> <global-method-security secured-annotations="enabled"></global-method-security> <http auto-config="true"> <!-- 登录页面不拦截，任何人都可以访问到 --> <intercept-url pattern="/login.jsp" filters="none" /> <!-- 需要拦截的路径，pattern表示要拦截的路径，access表示能够访问的角色 --> <intercept-url pattern="/a/*" access="ROLE_A,ROLE_ADMIN,ROLE_SUPER" /> <intercept-url pattern="/a/aa/*" access="ROLE_AA,ROLE_ADMIN,ROLE_SUPER" /> <intercept-url pattern="/b/*" access="ROLE_B,ROLE_ADMIN,ROLE_SUPER" /> <intercept-url pattern="/b/bb/*" access="ROLE_BB,ROLE_ADMIN,ROLE_SUPER" /> <!-- 指定登录页面 --> <form-login login-page="/login.jsp" /> <!-- 指定退出后要显示的页面 --> <logout logout-success-url="/index.jsp"></logout> <!-- 同步session控制 --> <concurrent-session-control max-sessions="1" /> </http> <!-- 认证提供器 --> <