摘要：security="none" 的路径下的资源不经过安全过滤器链；lowercase-comparisons：表示 URL 比较前先转为小写；path-type：表示使用 Apache Ant 的匹配模式；login-processing-url：指定了用户在登录页面中按下 Sign In 按钮时表单提交到的 URL；authentication-failure-url：指定了身份验证失败时跳转到的页面；default-target-url：指定了成功进行身份验证和授权后默认呈现给用户的页面；always-use-default-target：指定了是否在身份验证通过后总是跳转到 default-target-url 属性指定的 URL；logout-success-url：退出系统后转向的 URL；当 error-if-maximum-exceeded="true" 时系统会拒绝同一账号的第二次登录（命名空间属性名为 error-if-maximum-exceeded，exceptionIfMaximumExceeded 是对应 bean 的属性名）。
Spring Security 3.x 配置示例（命名空间 spring-security-3.1.xsd）
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"xmlns:beans="http://www.springframework.org/schema/beans"xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.1.xsd">
<!-- Enables @PreAuthorize / @PostAuthorize (and the @PreFilter / @PostFilter variants) on service methods. -->
<global-method-security pre-post-annotations="enabled" />
<!--
  security="none": requests to these paths skip the Spring Security filter chain
  completely. That means no SecurityContext, no session management and no
  access-denied handling on them, so keep the list to static, non-sensitive content.
  Patterns are Ant-style and matched case-sensitively.
  NOTE(review): /include/jsp/** is excluded as a whole, apparently so that the
  access-denied page (timeout.jsp) can be served; confirm that no other JSP under that
  directory is sensitive. If springSecurityFilterChain is mapped to REQUEST dispatches
  only (the usual web.xml setup) the forward to the access-denied page does not pass
  through the chain anyway, so the exclusion may not be needed for that purpose.
-->
<http pattern="/include/js/**" security="none" />
<http pattern="/include/css/**" security="none" />
<http pattern="/include/scripts/**" security="none" />
<http pattern="/include/jsp/**" security="none" />
<http pattern="/images/**" security="none" />
<http pattern="/login.jsp" security="none" />
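<!--
  Main filter chain (Spring Security 3.1 namespace).
  auto-config="true" registers form-login, http-basic and logout with defaults. Because
  form-login and logout are declared explicitly below, the only thing auto-config still
  contributes is HTTP Basic. NOTE(review): drop auto-config if Basic auth is not wanted;
  it accepts credentials on every request via the Authorization header and bypasses any
  controls on the login page.
  use-expressions="true" but no <intercept-url> rules: the built-in FilterSecurityInterceptor
  permits requests that match no rule (rejectPublicInvocations defaults to false), so all
  URL authorization in this chain rests on the custom "myFilter" bean.
  access-denied-page: page the user is forwarded to on an AccessDeniedException
  (3.1 also offers <access-denied-handler error-page="..."/> for the same purpose).
-->
<http use-expressions="true" auto-config="true" access-denied-page="/include/jsp/timeout.jsp">
  <!--
    login-page: the login form. login-processing-url (left at its default,
    /j_spring_security_check) is the URL the form posts to.
    authentication-failure-url: redirect target after a failed login.
    default-target-url with always-use-default-target="true": after login the user always
    lands on the default page instead of the originally requested URL.
  -->
  <form-login login-page="/login.jsp"
              default-target-url="/system/default.jsp"
              always-use-default-target="true"
              authentication-failure-url="/login.jsp?login_error=1" />
  <!--
    logout-url: URL handled by the LogoutFilter (this is also the 3.x default).
    invalidate-session="true": destroy the HTTP session on logout.
    logout-success-url: redirect target after logout.
    NOTE(review): the 3.x namespace has no CSRF protection and logout fires on a plain GET,
    so a cross-site image tag pointing at the logout URL can log users out.
  -->
  <logout invalidate-session="true" logout-success-url="/login.jsp" logout-url="/j_spring_security_logout" />
  <!--
    Remember-me ("stay signed in") via a signed cookie.
    NOTE(review): set an explicit key="..." (a long, random, per-deployment secret); the key
    is mixed into the cookie signature and should not be left at the library default.
    With the default token-based scheme a cookie stays valid until it expires, even after the
    server-side session is gone; use a persistent token repository if that matters.
  -->
  <remember-me />
  <!--
    Session management.
    FIX: the original set session-fixation-protection="none" (the session id survived login,
    which is exactly what a fixation attack needs) and declared <session-management> twice.
    As far as the 3.1 parser goes only one <session-management> child is read (the first), so
    the second one carrying session-authentication-strategy-ref="sas" was never applied; the
    parser also rejects that attribute in combination with <concurrency-control>. The two are
    merged here: the session id is changed on login (migrateSession, the 3.1 default) and
    concurrency control builds its own ConcurrentSessionControlStrategy on top of the shared
    "sessionRegistry" bean declared below.
    invalid-session-url: where requests carrying an invalid or expired session id are sent.
    max-sessions="1" with error-if-maximum-exceeded="false": a second login to the same
    account expires the earlier session instead of being rejected (set "true" to reject it).
  -->
  <session-management invalid-session-url="/login.jsp" session-fixation-protection="migrateSession">
    <concurrency-control max-sessions="1" error-if-maximum-exceeded="false" session-registry-ref="sessionRegistry" />
  </session-management>
  <!-- Custom authorization filter, placed just before the built-in FilterSecurityInterceptor. -->
  <custom-filter ref="myFilter" before="FILTER_SECURITY_INTERCEPTOR" />
</http>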
<!--
  Custom session-authentication strategy (ConcurrentSessionControlStrategy).
  NOTE(review): this bean only takes effect if an <http> element references it through
  session-authentication-strategy-ref and the parser honours that reference; the 3.1
  parser appears to reject that attribute when <concurrency-control> is also present.
  maximumSessions=1 with exceptionIfMaximumExceeded=false: one session per account, and a
  new login expires the older session instead of failing.
  alwaysCreateSession=true: issue a session on login even if the request carried none.
  migrateSessionAttributes=false: the post-login session starts empty; nothing from the
  pre-login session is copied over (part of the session-fixation hardening).
-->
<beans:bean id="sas"
            class="org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy">
  <beans:constructor-arg name="sessionRegistry" ref="sessionRegistry" />
  <beans:property name="maximumSessions" value="1" />
  <beans:property name="alwaysCreateSession" value="true" />
  <beans:property name="migrateSessionAttributes" value="false" />
  <beans:property name="exceptionIfMaximumExceeded" value="false" />
</beans:bean>
<!-- In-memory registry of active sessions per principal, used by concurrency control. -->
<beans:bean id="sessionRegistry" class="org.springframework.security.core.session.SessionRegistryImpl" />
<!--
  Logs authentication events (login success, bad credentials, etc.) published by the
  authentication manager.
  NOTE(review): the event list in the original comment (AuthenticationCredentialsNotFoundEvent,
  AuthorizationFailureEvent, AuthorizedEvent, PublicInvocationEvent) belongs to the other
  listener, org.springframework.security.access.event.LoggerListener; the class configured
  here handles the authentication-side events only.
-->
<beans:bean class="org.springframework.security.authentication.event.LoggerListener" />
<!-- Localised security messages (error texts shown on the login page) from classpath:message_zh_CN.properties. -->
<beans:bean id="messageSource"
            class="org.springframework.context.support.ReloadableResourceBundleMessageSource"
            p:basenames="classpath:message_zh_CN" />
<!--
  Custom security filter (inserted before FILTER_SECURITY_INTERCEPTOR in the <http> chain).
  authenticationManager: the namespace-built manager, reachable through its alias.
  accessDecisionManager: decides whether the current user may reach the requested resource.
  securityMetadataSource: maps resources (URLs) to the authorities they require.
  NOTE(review): this file declares no <intercept-url> rules, so this bean is the only thing
  enforcing URL authorization; its metadata source needs a deny-by-default answer for URLs
  it does not know about, otherwise unknown paths are open.
-->
<beans:bean id="myFilter" class="com.taskmanager.web.security.MySecurityFilter">
  <beans:property name="authenticationManager" ref="myAuthenticationManager" />
  <beans:property name="accessDecisionManager" ref="myAccessDecisionManager" />
  <beans:property name="securityMetadataSource" ref="mySecurityMetadataSource" />
</beans:bean>
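<!--
  Authentication manager, aliased so that "myFilter" can reference it.
  The provider loads users through the custom UserDetailsService bean and checks the
  submitted password with the "passwordEncoder" bean.
  FIX: hash="md5" and ref="passwordEncoder" were both given on <password-encoder>. As far
  as the 3.1 parser goes the reference wins and the hash attribute is ignored; the redundant
  attribute is dropped so the effective encoder is stated once, explicitly.
  NOTE(review): the referenced encoder is unsalted MD5 (see the passwordEncoder bean);
  treat it as a migration item, not as an acceptable password hash.
-->
<authentication-manager alias="myAuthenticationManager">
  <authentication-provider user-service-ref="myUserDetailServiceImpl">
    <password-encoder ref="passwordEncoder" />
  </authentication-provider>
</authentication-manager>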
<!-- Custom AccessDecisionManager: grants or denies a request given the authorities the resource requires. -->
<beans:bean id="myAccessDecisionManager" class="com.taskmanager.web.security.MyAccessDecisionManager" />
<!--
  Custom SecurityMetadataSource: loads the protected resources and their required
  authorities (via powerService) at startup and answers lookups per request.
-->
<beans:bean id="mySecurityMetadataSource" class="com.taskmanager.web.security.MySecurityMetadataSource">
  <beans:constructor-arg name="powerService" ref="powerService" />
</beans:bean>
<!-- Custom UserDetailsService: loads the user record and its roles through userService. -->
<beans:bean id="myUserDetailServiceImpl" class="com.taskmanager.web.security.MyUserDetailServiceImpl">
  <beans:property name="userService" ref="userService" />
</beans:bean>
<!--
  Password encoder used by the authentication provider (one-way hash, nothing is decrypted).
  NOTE(review): Md5PasswordEncoder without a salt source is plain, fast MD5; a leaked user
  table is trivially cracked. The fix is a slow, salted hash such as
  org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder (shipped since 3.1).
  Swapping the bean alone invalidates every stored hash, so pair the change with a rehash on
  next successful login (or a forced reset) before touching this line.
-->
<beans:bean id="passwordEncoder" class="org.springframework.security.authentication.encoding.Md5PasswordEncoder" />
</beans:beans>
Spring Security 4.x 配置示例（版本无关的 spring-security.xsd）
<beans:beans
xmlns="http://www.springframework.org/schema/security"xmlns:beans="http://www.springframework.org/schema/beans"xmlns:p="http://www.springframework.org/schema/p"xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"xmlns:context="http://www.springframework.org/schema/context"xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/context
http://www.springframework.org/schema/context/spring-context.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security.xsd">
<!-- Registers the annotated components under com.framework.security as beans. -->
<context:component-scan base-package="com.framework.security" />
<!--
  security="none": these paths bypass the security filter chain entirely, so they get no
  authentication, but also no CSRF protection, no security headers and no session handling.
  Keep the list to static, non-sensitive resources.
  Previously also excluded (kept disabled): <http pattern="/pm/**" security="none" />
-->
<http pattern="/login.jsp" security="none" />
<http pattern="/common/**" security="none" />
<http pattern="/*.ico" security="none" />
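<!--
  Main filter chain (Spring Security 4.x namespace) using the legacy role-constant access
  attributes (use-expressions="false").
  Rules are matched top-down and the first match wins.
  FIX: the original had no catch-all rule. A request that matches no <intercept-url> is
  treated as public by the FilterSecurityInterceptor, so everything except /pm/**/*.jsp was
  reachable without logging in. The public entry points are now listed explicitly and a final
  /** rule denies by default; any further path that must stay public goes ABOVE that rule.
-->
<http use-expressions="false">
  <!-- Login form, the "session expired / kicked out" page and the post-logout landing page must stay anonymous. -->
  <intercept-url pattern="/login" access="IS_AUTHENTICATED_ANONYMOUSLY" />
  <intercept-url pattern="/frame.expired" access="IS_AUTHENTICATED_ANONYMOUSLY" />
  <intercept-url pattern="/" access="IS_AUTHENTICATED_ANONYMOUSLY" />
  <!-- JSPs under /pm require ROLE_STATIC (note the rule covers *.jsp only, not other URLs under /pm). -->
  <intercept-url pattern="/pm/**/*.jsp" access="ROLE_STATIC" />
  <!-- Deny by default: anything else needs a fully authenticated user. -->
  <intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY" />
  <!-- Form login; a failed attempt redirects to /login?error=1, success forwards to /main.to. -->
  <form-login login-page="/login"
              authentication-failure-url="/login?error=1"
              authentication-success-forward-url="/main.to" />
  <!-- With CSRF enabled (below) the LogoutFilter only accepts a POST to /logout carrying the CSRF token. -->
  <logout invalidate-session="true" logout-url="/logout" logout-success-url="/" />
  <!--
    NOTE(review): HTTP Basic is enabled next to the form login, so credentials are also
    accepted on every request through the Authorization header; remove it if no API client
    needs it.
  -->
  <http-basic />
  <!--
    FIX: X-Frame-Options was disabled, which lets any origin frame every page (clickjacking).
    SAMEORIGIN keeps the application's own frames working while blocking third-party framing.
    The other default headers (cache-control, content-type-options, HSTS, XSS protection)
    stay enabled.
  -->
  <headers>
    <frame-options policy="SAMEORIGIN" />
  </headers>
  <!-- CSRF protection with the session-backed token repository declared below. -->
  <csrf token-repository-ref="csrfTokenRepository" />
  <!--
    session-authentication-error-url: redirect when the session strategy rejects a login.
    max-sessions="1" with error-if-maximum-exceeded="false": a new login expires the previous
    session of the same account; the expired session is then redirected to expired-url.
  -->
  <session-management session-authentication-error-url="/frame.expired">
    <concurrency-control max-sessions="1"
                         error-if-maximum-exceeded="false"
                         expired-url="/frame.expired"
                         session-registry-ref="sessionRegistry" />
  </session-management>
  <!-- NOTE(review): only consulted when use-expressions="true"; with "false" this handler appears unused. -->
  <expression-handler ref="webexpressionHandler" />
</http>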
<!-- In-memory registry of active sessions per principal, shared with concurrency control. -->
<beans:bean id="sessionRegistry" class="org.springframework.security.core.session.SessionRegistryImpl" />
<!-- Custom UserDetailsService used by the DaoAuthenticationProvider below. -->
<beans:bean id="userDetailsService" class="com.framework.security.UserDetailsServiceImpl" />
<!--
  Web security expression handler (hasRole(...), permitAll, ...).
  NOTE(review): the <http> element in this file uses use-expressions="false", so this
  handler appears to be unused; either switch the chain to expressions or drop the bean.
-->
<beans:bean id="webexpressionHandler"
            class="org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler" />
<!-- Authentication manager delegating to the single DAO provider declared below. -->
<authentication-manager>
  <authentication-provider ref="authenticationProvider" />
</authentication-manager>
<!--
  DaoAuthenticationProvider: loads the user through userDetailsService and compares the
  submitted password with the stored hash using passwordEncoder plus the per-user salt
  from saltSource.
  hideUserNotFoundExceptions="true" (also the default) reports unknown users as bad
  credentials, so the login form cannot be used to enumerate accounts; keep it.
  NOTE(review): saltSource and the encoding.* encoders are deprecated in 4.x. The
  replacement is a crypto.password.PasswordEncoder such as BCryptPasswordEncoder, which
  embeds its own random salt, but moving to it requires rehashing stored passwords.
-->
<beans:bean id="authenticationProvider"
            class="org.springframework.security.authentication.dao.DaoAuthenticationProvider"
            p:hideUserNotFoundExceptions="true"
            p:userDetailsService-ref="userDetailsService"
            p:passwordEncoder-ref="passwordEncoder"
            p:saltSource-ref="saltSource" />
<!--
  Password encoder: MD5 over password plus the salt supplied by saltSource.
  NOTE(review): even salted, MD5 is a fast hash and offers little against offline
  cracking of a leaked user table. Prefer BCryptPasswordEncoder (a slow, adaptive hash
  with a built-in salt), but migrate stored hashes (rehash on next login or force a reset)
  before changing this bean, otherwise every existing login breaks.
-->
<beans:bean id="passwordEncoder" class="org.springframework.security.authentication.encoding.Md5PasswordEncoder" />
<!--
  Per-user salt read reflectively from the "salt" property of the loaded UserDetails
  (i.e. the salt column of the user table). The salt must be random and unique per user;
  a shared or empty value reduces this to unsalted MD5.
-->
<beans:bean id="saltSource"
            class="org.springframework.security.authentication.dao.ReflectionSaltSource"
            p:userPropertyToUse="salt" />
<!-- Stores the CSRF token in the HTTP session (the 4.x default repository, declared explicitly). -->
<beans:bean id="csrfTokenRepository" class="org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository" />
</beans:beans>