需要注意,use-expressions="true"与use-expressions="false"两种情况下的配置方式是不一样的。如果启用表达式,access属性必须写成表达式(例如permitAll、denyAll、hasRole('ROLE_USER')),不能再直接写角色名;看一下org.springframework.security.access.expression.SecurityExpressionRoot类就能明白有哪些表达式可用。该类是个抽象类,但类中并无抽象方法,这样设计一定有其用意,这个等过段时间了解了再写。示例如下:
<!--
  Expression-based access control: with use-expressions="true" every access
  attribute is evaluated as a security expression (permitAll and denyAll here).
  The s: prefix has to be bound to the Spring Security namespace on the
  enclosing root element, which is not part of this snippet.
-->
<s:http auto-config="true" use-expressions="true">
    <!-- The login page must stay reachable without authentication. -->
    <s:intercept-url pattern="/login.html" access="permitAll"/>
    <!--
      Deny-by-default catch-all. intercept-url rules are matched in declaration
      order, so this one applies to everything the rule above did not match.
      NOTE(review): denyAll rejects authenticated users as well, so the
      default-target-url "/" below would be refused after a successful login,
      and any CSS/JS/images used by login.html are blocked too. A real
      configuration would normally place rules such as isAuthenticated() or
      hasRole(...) before this line; confirm the intent.
    -->
    <s:intercept-url pattern="/**" access="denyAll"/>
    <!-- Login form, post-login landing page and failure redirect. -->
    <s:form-login login-page="/login.html"
                  default-target-url="/"
                  authentication-failure-url="/login.html"/>
</s:http>
如果没有启用表达式,则配置形式如下:
<!--
  Same kind of setup without expressions: each access attribute is a
  comma-separated list of configuration attributes (role names such as
  ROLE_USER, or IS_AUTHENTICATED_* markers), not an expression.
-->
<http auto-config="true">
    <!-- Catch-all rule left disabled by the author. -->
    <!-- <intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY"/> -->
    <!--
      NOTE(review): with no catch-all, only the four patterns below carry an
      access rule. A URL they do not match (another suffix, a deeper path under
      /pages/...) presumably gets no access check at all; verify against the
      Spring Security version in use and consider ending the list with a
      restrictive "/**" rule, keeping the login page and /index.jsp public.
    -->
    <intercept-url pattern="/pages/BackStage/*.do" access="ROLE_ADMIN"/>
    <!-- With the default voter setup, holding either listed role should be enough (TODO confirm). -->
    <intercept-url pattern="/pages/Users/*.do" access="ROLE_ADMIN,ROLE_USER"/>
    <intercept-url pattern="/CredentialImage" access="ROLE_USER"/>
    <intercept-url pattern="/pages/OrderInfo/*.do" access="ROLE_USER"/>

    <!-- Form login: the same .do page serves as login form and failure target. -->
    <form-login login-page="/common/Login/login.do"
                authentication-failure-url="/common/Login/login.do"
                default-target-url="/pages/Users/gotoBaseInfo.do"/>
    <!--
      NOTE(review): HTTP Basic sends the password with every request and form
      login sends it on submit; nothing in this snippet forces HTTPS
      (no requires-channel on any rule). Check that TLS is enforced elsewhere.
    -->
    <http-basic/>
    <logout logout-success-url="/index.jsp"/>

    <!-- An invalid session id redirects to /index.jsp. -->
    <session-management invalid-session-url="/index.jsp">
        <!--
          At most one session per user; a session expired by a newer login is
          sent to /test.jsp. Concurrency control depends on session-destroyed
          events, so org.springframework.security.web.session.HttpSessionEventPublisher
          should be registered as a listener in web.xml; otherwise timed-out
          sessions may keep counting against the limit (verify for the version in use).
        -->
        <concurrency-control max-sessions="1" expired-url="/test.jsp"/>
    </session-management>

    <!--
      Remember-me with default settings. NOTE(review): the cookie is a
      long-lived credential and the ROLE_* rules above do not distinguish a
      remember-me login from a fresh one. Review token-validity-seconds and
      consider IS_AUTHENTICATED_FULLY for sensitive URLs.
    -->
    <remember-me/>
</http>