Acegi配置实例

1、在web.xml中

<!-- Application-scope initialisation parameter. Every file matching
     /WEB-INF/context/applicationContext-*.xml is loaded as a Spring bean definition file, which is
     how applicationContext-acegi-security.xml (the security configuration) gets picked up. -->
<context-param>
  <param-name>contextConfigLocation</param-name>
  <param-value>/WEB-INF/context/applicationContext-*.xml</param-value>
</context-param>

<!-- Acegi filter chain proxy. DelegatingFilterProxy forwards every request it is mapped to
     into the Spring bean named "filterChainProxy" (defined in applicationContext-acegi-security.xml),
     which then runs the actual security filters. -->
<filter>
  <filter-name>Acegi Filter Chain Proxy</filter-name>
  <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
  <init-param>
    <param-name>targetBeanName</param-name>
    <param-value>filterChainProxy</param-value>
  </init-param>
</filter>

<!-- Acegi Filter Chain Proxy mappings.
     NOTE(review): the chain is attached by URL extension rather than to "/*", so a request whose
     path matches none of the patterns below (an extension-less path, or another extension served by
     a servlet mapped elsewhere) never enters the security filters at all; the "/**" pattern inside
     filterChainProxy only sees requests that web.xml hands to it. Mapping the filter to "/*" closes
     that gap, but the login page's static resources must then be let through the chain first. -->

<filter-mapping>
<filter-name>Acegi Filter Chain Proxy</filter-name>
<url-pattern>/j_oa_security_check</url-pattern>
</filter-mapping>

<!-- Logout (/j_spring_security_logout is LogoutFilter's default processing URL) -->
<filter-mapping>
<filter-name>Acegi Filter Chain Proxy</filter-name>
<url-pattern>/j_spring_security_logout</url-pattern>
</filter-mapping>

<filter-mapping>
<filter-name>Acegi Filter Chain Proxy</filter-name>
<url-pattern>*.ao</url-pattern>
</filter-mapping>

<filter-mapping>
<filter-name>Acegi Filter Chain Proxy</filter-name>
<url-pattern>*.jsp</url-pattern>
</filter-mapping>

<filter-mapping>
<filter-name>Acegi Filter Chain Proxy</filter-name>
<url-pattern>*.servlet</url-pattern>
</filter-mapping>

<filter-mapping>
<filter-name>Acegi Filter Chain Proxy</filter-name>
<url-pattern>*.editDoc</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>Acegi Filter Chain Proxy</filter-name>
<url-pattern>*.openAccessory</url-pattern>
</filter-mapping>

2、applicationContext-acegi-security.xml中

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:security="http://www.springframework.org/schema/security"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.xsd">

<!-- ======================== FILTER CHAIN ======================= -->
<!--
FilterChainProxy invokes the listed filters in order and lets them be wired through Spring IoC.
(In the older string-based Acegi syntax, CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON lower-cased the
URL before comparison and PATTERN_TYPE_APACHE_ANT selected Apache Ant matching; path-type="ant"
below presumably plays the same role here.)
Other Acegi filters, not all used in this chain: rememberMeProcessingFilter,
anonymousProcessingFilter, channelProcessingFilter, filterInvocationInterceptor.
Order is significant: httpSessionContextIntegrationFilter must stay first (it establishes the
security context the other filters read) and filterInvocationInterceptor last (it makes the
access decision).
-->
<!-- CAS single sign-on: replace authenticationProcessingFilter with casProcessingFilter -->
<bean id="filterChainProxy" class="org.springframework.security.util.FilterChainProxy">
<security:filter-chain-map path-type="ant">
<!--security:filter-chain pattern="/**"
filters="httpSessionContextIntegrationFilter,logoutFilter,casProcessingFilter,exceptionTranslationFilter,filterInvocationInterceptor" /-->
<security:filter-chain pattern="/**"
filters="httpSessionContextIntegrationFilter,logoutFilter,authenticationProcessingFilter,exceptionTranslationFilter,filterInvocationInterceptor" />
</security:filter-chain-map>
</bean>

<!-- ======================== AUTHENTICATION ======================= -->
<!--
ProviderManager consults the listed providers in order; if one cannot authenticate the caller the
next is tried, so identities from different sources can be verified, e.g.
DaoAuthenticationProvider          verifies against user records read from the database
AnonymousAuthenticationProvider    authenticates anonymous users
RememberMeAuthenticationProvider   authenticates users from the remember-me cookie

Others available:
AuthByAdapterProvider              uses the container's adapter
CasAuthenticationProvider          verifies against the Yale central authentication service (single sign-on)
JaasAuthenticationProvider         uses a JAAS login configuration
RemoteAuthenticationProvider       verifies against a remote service
RunAsImplAuthenticationProvider    verifies users whose identity was replaced by the run-as manager
X509AuthenticationProvider         takes the identity from an X.509 certificate
TestingAuthenticationProvider      for unit tests

Each provider only handles the token type it declares, e.g. DaoAuthenticationProvider only handles
UsernamePasswordAuthenticationToken.
NOTE(review): the anonymous and remember-me providers are listed, but filterChainProxy's chain
contains neither an anonymousProcessingFilter nor a rememberMeProcessingFilter, so as far as this
file shows no token of those types is ever produced for them to check.
-->
<bean id="authenticationManager" class="org.springframework.security.providers.ProviderManager">
<property name="providers">
<list>
<ref local="daoAuthenticationProvider"/>
<!-- CAS single sign-on: replace daoAuthenticationProvider with casAuthenticationProvider -->
<!--ref bean="casAuthenticationProvider"/-->
<ref local="anonymousAuthenticationProvider"/>
<ref local="rememberMeAuthenticationProvider"/>
</list>
</property>
</bean>

<!-- Authentication providers -->
<!-- Authenticates anonymous users. The key must equal the one configured on the anonymous
     processing filter; filterChainProxy's chain currently lists no such filter, so as far as this
     file shows this provider is never reached. -->
<bean id="anonymousAuthenticationProvider"
      class="org.springframework.security.providers.anonymous.AnonymousAuthenticationProvider">
  <property name="key"><value>blhOaWebKey2</value></property>
</bean>

<!-- Password encoder shared by daoAuthenticationProvider (which also supplies the salt).
     NOTE(review): MD5 is a fast hash and not suitable for password storage; swapping the encoder
     requires re-hashing every stored credential, so it is flagged here rather than changed. -->
<bean id="passwordEncoder" class="org.springframework.security.providers.encoding.Md5PasswordEncoder"></bean>
<!--
Database-backed authentication provider.
userDetailsService (userManagerService): loads the user record, i.e. name, password, status and authorities.
passwordEncoder: the MD5 encoder declared above.
saltSource: ReflectionSaltSource calling getUsername(), so the username is used as the salt.
A per-user random salt would be stronger, but changing it requires re-hashing stored passwords.
-->
<bean id="daoAuthenticationProvider" class="org.springframework.security.providers.dao.DaoAuthenticationProvider">
  <property name="userDetailsService" ref="userManagerService"/>
  <property name="passwordEncoder" ref="passwordEncoder"/>
  <property name="saltSource">
    <bean class="org.springframework.security.providers.dao.salt.ReflectionSaltSource">
      <property name="userPropertyToUse" value="getUsername"/>
    </bean>
  </property>
</bean>


<!-- ======================== FILTER ======================= -->
<!--
Before each request HttpSessionContextIntegrationFilter reads the Authentication object from the
session, and after the request stores it back for the next one. It must run before every other
Acegi filter (it is first in filterChainProxy's chain).
org.acegisecurity.context.HttpSessionContextIntegrationFilter
-->


<!-- Project subclass; what it does with loginFormUrl and noAuthenticationUrl is not visible here.
     Presumably unauthenticated requests to URLs not on the list are sent to loginFormUrl (confirm). -->
<bean id="httpSessionContextIntegrationFilter" class="com.ber.acegi.extend.BerHttpSessionContextIntegrationFilter">
<property name="loginFormUrl" value="/sof_login.jsp"/>
<!-- Resources reachable without logging in.
     NOTE(review): /sysmanage/ug/useradd.ao (user creation under system management) is on this list.
     Confirm it is intended as an unauthenticated self-registration endpoint and, if not, that
     T_MENU_RESOURCE assigns it a role so filterInvocationInterceptor still protects it. -->
<property name="noAuthenticationUrl">
<list>
<value>/j_oa_security_check</value>
<value>/sof_login.jsp</value>
<value>/sysmanage/ug/useradd.ao</value>
</list>
</property>
</bean>

<!--
Remember-me cookie service (token-based automatic login).
key: part of the cookie token's signature and a shared secret; it must match
rememberMeAuthenticationProvider's key and should be a long random value kept outside version
control rather than the fixed string used here.
tokenValiditySeconds: 864000 = 10 days.
NOTE(review): filterChainProxy's chain has no rememberMeProcessingFilter and
authenticationProcessingFilter does not reference this bean, so as far as this file shows the
cookie is neither issued nor consumed; only logoutFilter uses this bean.
-->
<bean id="rememberMeServices" class="org.springframework.security.ui.rememberme.TokenBasedRememberMeServices">
  <property name="userDetailsService"><ref bean="userManagerService"/></property>
  <property name="key"><value>blhOaWebKey</value></property>
  <property name="tokenValiditySeconds"><value>864000</value></property>
</bean>

<!-- Validates remember-me tokens. The key must equal rememberMeServices' key (both are blhOaWebKey). -->
<bean id="rememberMeAuthenticationProvider"
      class="org.springframework.security.providers.rememberme.RememberMeAuthenticationProvider">
  <property name="key"><value>blhOaWebKey</value></property>
</bean>

<!--
Logout handling: LogoutFilter runs the listed handlers (rememberMeServices, then
SecurityContextLogoutHandler) and redirects to the login page.
-->
<bean id="logoutFilter" class="org.springframework.security.ui.logout.LogoutFilter">
  <!-- index 0: URL redirected to after logout -->
  <constructor-arg index="0" value="/sof_login.jsp"/>
  <!-- index 1: logout handlers, invoked in this order -->
  <constructor-arg index="1">
    <list>
      <ref bean="rememberMeServices"/>
      <bean class="org.springframework.security.ui.logout.SecurityContextLogoutHandler"/>
    </list>
  </constructor-arg>
</bean>

<!--
Handles form-based login requests (Acegi's other two processing filters are BasicProcessingFilter
and CasProcessingFilter). This is a project subclass, com.ber.acegi.extend.LogAuthenticationProcessingFilter.
authenticationFailureUrl: page shown when login fails
defaultTargetUrl:         page shown after a successful login
filterProcessesUrl:       URL the login form posts to (also mapped to the filter in web.xml)
No rememberMeServices is wired here, so this filter does not issue the remember-me cookie.
-->
<bean id="authenticationProcessingFilter" class="com.ber.acegi.extend.LogAuthenticationProcessingFilter">
  <property name="authenticationManager"><ref bean="authenticationManager"/></property>
  <property name="authenticationFailureUrl"><value>/sof_login.jsp?login_error=1</value></property>
  <property name="defaultTargetUrl"><value>/jsp/desktop/main.jsp</value></property>
  <!-- previous target: /jsp/mainFrame.jsp?showFirstMessage=1 -->
  <!-- CAS single sign-on: use /j_spring_cas_security_check instead of /j_oa_security_check -->
  <!-- property name="filterProcessesUrl" value="/j_spring_cas_security_check"/-->
  <property name="filterProcessesUrl"><value>/j_oa_security_check</value></property>
</bean>

<!--
filterInvocationInterceptor checks the access attributes from objectDefinitionSource before the
request proceeds:
 1. objectDefinitionSource maps the request URL to the attributes it requires (role names read from
    T_MENU_RESOURCE; they only tell accessDecisionManager which voters apply);
 2. authenticationManager re-validates the caller's Authentication through its providers
    (alwaysReauthenticate=true forces this on every request);
 3. accessDecisionManager lets its voters decide, from the caller's authorities and the URL's
    attributes, whether access is granted.
observeOncePerRequest=false: the check also runs again on forwards/includes within one request.
NOTE(review): a URL with no row in T_MENU_RESOURCE yields no attributes, and the interceptor then
lets the request through without an authentication check unless rejectPublicInvocations is set,
i.e. unknown URLs are public by default. Either set rejectPublicInvocations=true or keep a
lowest-priority catch-all "/**" row; not changed here because static resources and the login page
would need explicit rows first.
-->
<bean id="filterInvocationInterceptor" class="org.springframework.security.intercept.web.FilterSecurityInterceptor">
  <property name="authenticationManager" ref="authenticationManager"/>
  <property name="accessDecisionManager" ref="httpRequestAccessDecisionManager"/>
  <property name="objectDefinitionSource" ref="rdbmsFilterInvocationDefinitionSource"/>
  <property name="observeOncePerRequest" value="false"/>
  <property name="alwaysReauthenticate" value="true"/>
</bean>
<!-- Maps request URLs to the roles they require, read from the database (project classes).
     The SQL is a fixed statement with no request-derived input. ORDER BY INDEX_ DESC fixes the
     order in which patterns are tried; if the first matching row wins (the class is not visible
     here, so confirm) more specific patterns need the higher INDEX_. Lookups are presumably cached
     in webresdbCache, so rule changes in T_MENU_RESOURCE need that cache evicted to take effect. -->
<bean id="rdbmsFilterInvocationDefinitionSource" class="com.ber.acegi.extend.RdbmsFilterInvocationDefinitionSource">
  <constructor-arg type="org.springframework.security.util.UrlMatcher">
    <ref bean="antUrlPathMatcher"/>
  </constructor-arg>
  <property name="webresdbCache"><ref bean="webresCacheBackend"/></property>
  <property name="rdbmsInvocationDefinition">
    <bean class="com.ber.acegi.extend.RdbmsSecuredUrlDefinition">
      <constructor-arg index="0" ref="dataSource"/>
      <!-- index 1: query returning one row per (URL pattern, role) -->
      <constructor-arg index="1"><value>
SELECT MATCHURL_ AS url, MENUCODE_ AS role
FROM T_MENU_RESOURCE
ORDER BY INDEX_ DESC
</value></constructor-arg>
      <property name="urlField" value="url"/>
      <property name="rolesField" value="role"/>
    </bean>
  </property>
</bean>
<!-- Ant-style URL matcher used by rdbmsFilterInvocationDefinitionSource.
     NOTE(review): AntUrlPathMatcher's default requiresLowerCaseUrl=true lower-cases the request
     path before matching (confirm against the library version in use), so patterns stored in
     MATCHURL_ must be lowercase or they silently never match, and an unmatched URL is treated as
     public by filterInvocationInterceptor. -->
<bean id="antUrlPathMatcher" class="org.springframework.security.util.AntUrlPathMatcher"></bean>

<!-- Ehcache cache "webresdbCache", obtained from the shared cacheManager bean and handed to
     rdbmsFilterInvocationDefinitionSource (presumably for the URL-to-role lookups). -->
<bean id="webresCacheBackend" class="org.springframework.cache.ehcache.EhCacheFactoryBean">
  <property name="cacheManager" ref="cacheManager"/>
  <property name="cacheName" value="webresdbCache"/>
</bean>


<!-- httpRequestAccessDecisionManager decides how the voters' votes are combined. Acegi ships
     three strategies: AffirmativeBased (one grant suffices), ConsensusBased (majority of voters)
     and UnanimousBased (every voter must grant).
     allowIfAllAbstainDecisions=false: when every voter abstains the request is denied, not allowed.
     decisionVoters: the voters consulted (only roleVoter here). -->
<bean id="httpRequestAccessDecisionManager" class="org.springframework.security.vote.AffirmativeBased">
  <property name="allowIfAllAbstainDecisions" value="false"/>
  <property name="decisionVoters">
    <list>
      <ref bean="roleVoter"/>
    </list>
  </property>
</bean>

<!--
RoleVoter only votes on attributes that start with rolePrefix ("AUTH_") and abstains on all
others. Together with allowIfAllAbstainDecisions=false above, a URL whose T_MENU_RESOURCE role
values do not start with AUTH_ is denied to everyone, and a user's granted authorities must carry
the same prefix to count.
-->
<bean id="roleVoter" class="org.springframework.security.vote.RoleVoter">
  <property name="rolePrefix" value="AUTH_"/>
</bean>

<!-- Translates security exceptions raised further down the chain: an unauthenticated caller is
     sent to the entry point (login form); an authenticated caller lacking the required role gets
     the 403 page. -->
<bean id="exceptionTranslationFilter" class="org.springframework.security.ui.ExceptionTranslationFilter">
  <!-- CAS single sign-on: use casProcessingFilterEntryPoint instead of authenticationProcessingFilterEntryPoint -->
  <!--ref bean="casProcessingFilterEntryPoint"/-->
  <property name="authenticationEntryPoint" ref="authenticationProcessingFilterEntryPoint"/>
  <property name="accessDeniedHandler">
    <bean class="org.springframework.security.ui.AccessDeniedHandlerImpl">
      <property name="errorPage"><value>/jsp/common/403.jsp</value></property>
    </bean>
  </property>
</bean>
<!--
When the caller is not yet authenticated, control is handed to an authentication entry point.
Three implementations are provided:
BasicProcessingFilterEntryPoint          : HTTP Basic challenge
AuthenticationProcessingFilterEntryPoint : redirect to an HTML login form
CasProcessingFilterEntryPoint            : redirect to the Yale CAS login page
forceHttps=false: the redirect to the login form keeps the scheme of the incoming request, so on a
plain-HTTP deployment the login form and the posted credentials travel unencrypted. Setting it to
true (with TLS terminated in front of the application) forces the login page onto HTTPS; left
unchanged here because it requires an HTTPS listener.
serverSideRedirect=false: a client-side (302) redirect rather than a server-side forward.
-->
<bean id="authenticationProcessingFilterEntryPoint"
      class="org.springframework.security.ui.webapp.AuthenticationProcessingFilterEntryPoint">
  <property name="loginFormUrl"><value>/sof_login.jsp</value></property>
  <property name="forceHttps"><value>false</value></property>
  <property name="serverSideRedirect"><value>false</value></property>
</bean>

</beans>