Maven 的 jar 包引入已经在 Spring Security 环境的构建中介绍过了,web.xml 的配置也不变,不清楚的小伙伴可以返回去看一下配置那篇博客。下面我们就直接切入正题。
1.修改spring_security.xml的配置文件
<?xml version="1.0" encoding="UTF-8"?>
<b:beans xmlns="http://www.springframework.org/schema/security"
xmlns:b="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.2.xsd">
<!-- Login page is not filtered: security="none" gives this path an empty filter chain,
     so no Spring Security filter runs for it. -->
<http pattern="/login.jsp" security="none" />
<!-- Resources excluded from filtering (static assets and login-related paths).
     NOTE(review): requests matching these patterns bypass authentication and authorization
     entirely and carry no SecurityContext; keep the list limited to content that is public. -->
<http pattern="/**/*.css" security="none"></http>
<http pattern="/**/*.jpg" security="none"></http>
<http pattern="/**/*.jpeg" security="none"></http>
<http pattern="/**/*.gif" security="none"></http>
<http pattern="/**/*.png" security="none"></http>
<!-- NOTE(review): "/js/*.js" matches only files directly under /js/, not nested directories,
     unlike the "/**/" patterns above; confirm that is intended. -->
<http pattern="/js/*.js" security="none"></http>
<!-- NOTE(review): second declaration of /login.jsp, identical to the first entry of this list;
     one of the two is redundant. -->
<http pattern="/login.jsp" security="none"></http>
<!-- <http pattern="/getCode" security="none" /> --> <!-- CAPTCHA endpoint excluded from filtering (entry currently disabled) -->
<http pattern="/test/**" security="none"></http><!-- Test content is not filtered. NOTE(review): everything under /test/ is reachable without authentication; remove this entry before deploying outside a development environment. -->
<!-- Filter chain for all remaining requests (typically the dynamic resources). -->
<!-- NOTE(review): the access-denied-page attribute is deprecated in Spring Security 3.x in favour of a
     nested access-denied-handler element with an error-page attribute. -->
<http access-denied-page="/accessDenied.jsp">
<!-- NOTE(review): no csrf element is declared in this chain, and /login.jsp is served with
     security="none", so the login form is rendered outside the filter chain. In the 3.2 XML
     namespace CSRF protection is presumably off unless the element is added; confirm. -->
<form-login login-page="/login.jsp" />
<!-- Users requesting /admin.jsp must hold ROLE_ADMIN -->
<intercept-url pattern="/admin.jsp" access="ROLE_ADMIN" />
<!-- <intercept-url pattern="/index.jsp" access="ROLE_ADMIN"/> -->
<!-- Users requesting any path (/**) must hold ROLE_USER (rule currently disabled) -->
<!-- <intercept-url pattern="/**" access="ROLE_USER" /> -->
<!-- NOTE(review): with the catch-all rule disabled, /admin.jsp is the only path this element
     restricts by itself; every other URL depends on the decision made by the custom myFilter bean.
     Confirm that its metadata source denies, rather than allows, URLs it has no entry for. -->
<!-- Limit each account to one concurrent session. -->
<!-- NOTE(review): with error-if-maximum-exceeded="false" a second login is accepted and the
     earlier session is expired, so a concurrent login is not refused; "true" rejects the new
     login instead. Concurrency control also relies on HttpSessionEventPublisher being registered
     as a listener in web.xml, which is not shown here. -->
<session-management>
<concurrency-control max-sessions="1"
error-if-maximum-exceeded="false" />
</session-management>
<!-- Adds a custom filter. Unlike Acegi, the default filters can no longer be modified, so this
     filter is placed before FILTER_SECURITY_INTERCEPTOR; the default interceptor still runs
     after it and applies the intercept-url rules above. -->
<custom-filter ref="myFilter" before="FILTER_SECURITY_INTERCEPTOR" />
</http>
<!--一个自定义的filter,必须包含 authenticationManager,accessDecisionManager,securityMetadataSource三个属性,
我们的所有控制将在这三个类中实现 -->
<b:bean id="myFilter"
class="com.erdangjiade.spring.security.MyFilterSecurityInterceptor">
<b:property name="authenticationManager" ref="authenticationManager" />
<b:property name="accessDecisionManager" ref="myAccessDecisionManagerBean" />
<b:property name="securityMetadataSource" ref="securityMetadataSource" />
<
<b:beans xmlns="http://www.springframework.org/schema/security"
xmlns:b="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.2.xsd">
<!-- Login page is not filtered: security="none" gives this path an empty filter chain,
     so no Spring Security filter runs for it. -->
<http pattern="/login.jsp" security="none" />
<!-- Resources excluded from filtering (static assets and login-related paths).
     NOTE(review): requests matching these patterns bypass authentication and authorization
     entirely and carry no SecurityContext; keep the list limited to content that is public. -->
<http pattern="/**/*.css" security="none"></http>
<http pattern="/**/*.jpg" security="none"></http>
<http pattern="/**/*.jpeg" security="none"></http>
<http pattern="/**/*.gif" security="none"></http>
<http pattern="/**/*.png" security="none"></http>
<!-- NOTE(review): "/js/*.js" matches only files directly under /js/, not nested directories,
     unlike the "/**/" patterns above; confirm that is intended. -->
<http pattern="/js/*.js" security="none"></http>
<!-- NOTE(review): second declaration of /login.jsp, identical to the first entry of this list;
     one of the two is redundant. -->
<http pattern="/login.jsp" security="none"></http>
<!-- <http pattern="/getCode" security="none" /> --> <!-- CAPTCHA endpoint excluded from filtering (entry currently disabled) -->
<http pattern="/test/**" security="none"></http><!-- Test content is not filtered. NOTE(review): everything under /test/ is reachable without authentication; remove this entry before deploying outside a development environment. -->
<!-- Filter chain for all remaining requests (typically the dynamic resources). -->
<!-- NOTE(review): the access-denied-page attribute is deprecated in Spring Security 3.x in favour of a
     nested access-denied-handler element with an error-page attribute. -->
<http access-denied-page="/accessDenied.jsp">
<!-- NOTE(review): no csrf element is declared in this chain, and /login.jsp is served with
     security="none", so the login form is rendered outside the filter chain. In the 3.2 XML
     namespace CSRF protection is presumably off unless the element is added; confirm. -->
<form-login login-page="/login.jsp" />
<!-- Users requesting /admin.jsp must hold ROLE_ADMIN -->
<intercept-url pattern="/admin.jsp" access="ROLE_ADMIN" />
<!-- <intercept-url pattern="/index.jsp" access="ROLE_ADMIN"/> -->
<!-- Users requesting any path (/**) must hold ROLE_USER (rule currently disabled) -->
<!-- <intercept-url pattern="/**" access="ROLE_USER" /> -->
<!-- NOTE(review): with the catch-all rule disabled, /admin.jsp is the only path this element
     restricts by itself; every other URL depends on the decision made by the custom myFilter bean.
     Confirm that its metadata source denies, rather than allows, URLs it has no entry for. -->
<!-- Limit each account to one concurrent session. -->
<!-- NOTE(review): with error-if-maximum-exceeded="false" a second login is accepted and the
     earlier session is expired, so a concurrent login is not refused; "true" rejects the new
     login instead. Concurrency control also relies on HttpSessionEventPublisher being registered
     as a listener in web.xml, which is not shown here. -->
<session-management>
<concurrency-control max-sessions="1"
error-if-maximum-exceeded="false" />
</session-management>
<!-- Adds a custom filter. Unlike Acegi, the default filters can no longer be modified, so this
     filter is placed before FILTER_SECURITY_INTERCEPTOR; the default interceptor still runs
     after it and applies the intercept-url rules above. -->
<custom-filter ref="myFilter" before="FILTER_SECURITY_INTERCEPTOR" />
</http>
<!--一个自定义的filter,必须包含 authenticationManager,accessDecisionManager,securityMetadataSource三个属性,
我们的所有控制将在这三个类中实现 -->
<b:bean id="myFilter"
class="com.erdangjiade.spring.security.MyFilterSecurityInterceptor">
<b:property name="authenticationManager" ref="authenticationManager" />
<b:property name="accessDecisionManager" ref="myAccessDecisionManagerBean" />
<b:property name="securityMetadataSource" ref="securityMetadataSource" />
<