• spring security xml配置详解


    security 3.x

    <?xml version="1.0" encoding="UTF-8"?>  
    <beans:beans xmlns="http://www.springframework.org/schema/security"  
        xmlns:beans="http://www.springframework.org/schema/beans"   
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"  
    xsi:schemaLocation="http://www.springframework.org/schema/beans   
    http://www.springframework.org/schema/beans/spring-beans-3.0.xsd    
    http://www.springframework.org/schema/security   
    http://www.springframework.org/schema/security/spring-security-3.1.xsd">  
        <global-method-security pre-post-annotations="enabled">  
        </global-method-security>  
        <!-- 该路径下的资源不用过滤 -->  
        <http pattern="/include/js/**" security="none" />  
        <http pattern="/include/css/**" security="none" />  
        <http pattern="/include/scripts/**" security="none" />  
        <http pattern="/include/jsp/**" security="none" />  
        <http pattern="/images/**" security="none" />  
        <http pattern="/login.jsp" security="none" />  
        <!--auto-config = true 则使用from-login. 如果不使用该属性 则默认为http-basic(没有session).-->  
        <!-- lowercase-comparisons:表示URL比较前先转为小写。-->  
            <!-- path-type:表示使用Apache Ant的匹配模式。-->  
        <!--access-denied-page:访问拒绝时转向的页面。-->  
        <!-- access-decision-manager-ref:指定了自定义的访问策略管理器。-->  
          
        <http use-expressions="true" auto-config="true"  
            access-denied-page="/include/jsp/timeout.jsp">  
    <!--login-page:指定登录页面。  -->  
    <!-- login-processing-url:指定了客户在登录页面中按下 Sign In 按钮时要访问的 URL。-->  
            <!-- authentication-failure-url:指定了身份验证失败时跳转到的页面。-->  
            <!-- default-target-url:指定了成功进行身份验证和授权后默认呈现给用户的页面。-->  
    <!-- always-use-default-target:指定了是否在身份验证通过后总是跳转到default-target-url属性指定的URL。 
    -->  
              
    <form-login login-page="/login.jsp" default-target-url='/system/default.jsp'  
            always-use-default-target="true" authentication-failure-url="/login.jsp?login_error=1" />  
    <!--logout-url:指定了用于响应退出系统请求的URL。其默认值为:/j_spring_security_logout。-->  
            <!-- logout-success-url:退出系统后转向的URL。-->  
            <!-- invalidate-session:指定在退出系统时是否要销毁Session。-->  
            <logout invalidate-session="true" logout-success-url="/login.jsp"  
                logout-url="/j_spring_security_logout" />  
            <!-- 实现免登陆验证 -->  
            <remember-me />  
      
            <!-- max-sessions:允许用户帐号登录的次数。范例限制用户只能登录一次。-->  
    <!-- 此值表示:用户第二次登录时,前一次的登录信息都被清空。-->  
     <!--   exception-if-maximum-exceeded:默认为false,-->  
    <!-- 当exception-if-maximum-exceeded="true"时系统会拒绝第二次登录。-->  
      
            <session-management invalid-session-url="/login.jsp"  
                session-fixation-protection="none">  
                <concurrency-control max-sessions="1"  
                    error-if-maximum-exceeded="false" />  
            </session-management>  
            <custom-filter ref="myFilter" before="FILTER_SECURITY_INTERCEPTOR" />  
            <session-management  
                session-authentication-strategy-ref="sas" />  
      
        </http>  
    <beans:bean id="sas"  
    class="org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy">  
            <beans:constructor-arg name="sessionRegistry"  
                ref="sessionRegistry" />  
            <beans:property name="maximumSessions" value="1" />  
            <!-- 防止session攻击 -->  
            <beans:property name="alwaysCreateSession" value="true" />  
            <beans:property name="migrateSessionAttributes" value="false" />  
            <!--  同一个帐号 同时只能一个人登录 -->  
            <beans:property name="exceptionIfMaximumExceeded"  
                value="false" />  
        </beans:bean>  
        <beans:bean id="sessionRegistry"  
            class="org.springframework.security.core.session.SessionRegistryImpl" />  
        <!-- 
    事件监听:实现了ApplicationListener监听接口,包括AuthenticationCredentialsNotFoundEvent 事件,-->  
        <!-- AuthorizationFailureEvent事件,AuthorizedEvent事件, PublicInvocationEvent事件-->  
        <beans:bean  
            class="org.springframework.security.authentication.event.LoggerListener" />  
        <!-- 自定义资源文件   提示信息 -->  
        <beans:bean id="messageSource"  
    class="org.springframework.context.support.ReloadableResourceBundleMessageSource">  
            <beans:property name="basenames" value="classpath:message_zh_CN">  
    </beans:property>  
        </beans:bean>  
        <!-- 配置过滤器 -->  
        <beans:bean id="myFilter"  
            class="com.taskmanager.web.security.MySecurityFilter">  
        <!-- 用户拥有的权限 -->  
        <beans:property name="authenticationManager" ref="myAuthenticationManager" />  
        <!-- 用户是否拥有所请求资源的权限 -->  
        <beans:property name="accessDecisionManager" ref="myAccessDecisionManager" />  
        <!-- 资源与权限对应关系 -->  
        <beans:property name="securityMetadataSource" ref="mySecurityMetadataSource" />  
        </beans:bean>  
        <!-- 实现了UserDetailsService的Bean -->  
        <authentication-manager alias="myAuthenticationManager">  
            <authentication-provider user-service-ref="myUserDetailServiceImpl">  
                <!-- 登入 密码  采用MD5加密 -->  
                <password-encoder hash="md5" ref="passwordEncoder">  
                </password-encoder>  
            </authentication-provider>  
        </authentication-manager>  
        <!-- 验证用户请求资源  是否拥有权限 -->  
        <beans:bean id="myAccessDecisionManager"  
            class="com.taskmanager.web.security.MyAccessDecisionManager">  
        </beans:bean>  
        <!-- 系统运行时加载 系统要拦截的资源   与用户请求时要过滤的资源 -->  
        <beans:bean id="mySecurityMetadataSource"  
            class="com.taskmanager.web.security.MySecurityMetadataSource">  
            <beans:constructor-arg name="powerService" ref="powerService">  
    </beans:constructor-arg>  
        </beans:bean>  
        <!-- 获取用户登入角色信息 -->  
        <beans:bean id="myUserDetailServiceImpl"  
            class="com.taskmanager.web.security.MyUserDetailServiceImpl">  
            <beans:property name="userService" ref="userService"></beans:property>  
        </beans:bean>  
      
        <!-- 用户的密码加密或解密 -->  
        <beans:bean id="passwordEncoder"  
    class="org.springframework.security.authentication.encoding.Md5PasswordEncoder" />  
    </beans:beans>    

    security 4.x

    <beans:beans  
            xmlns="http://www.springframework.org/schema/security"  
            xmlns:beans="http://www.springframework.org/schema/beans"  
            xmlns:p="http://www.springframework.org/schema/p"  
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"  
            xmlns:context="http://www.springframework.org/schema/context"  
            xsi:schemaLocation="http://www.springframework.org/schema/beans  
              http://www.springframework.org/schema/beans/spring-beans.xsd  
              http://www.springframework.org/schema/context  
              http://www.springframework.org/schema/context/spring-context.xsd  
              http://www.springframework.org/schema/security  
                  http://www.springframework.org/schema/security/spring-security.xsd">  
      
      
        <context:component-scan base-package="com.framework.security"/>  
      
      
        <!--<http pattern="/pm/**" security="none" />-->  
        <http pattern="/login.jsp" security="none" />  
        <http pattern="/common/**" security="none" />  
        <http pattern="/*.ico" security="none" />  
      
      
        <http  use-expressions="false" >  
            <!-- IS_AUTHENTICATED_ANONYMOUSLY 匿名登录 -->  
            <intercept-url pattern="/login" access="IS_AUTHENTICATED_ANONYMOUSLY" />  
            <intercept-url pattern="/pm/**/*.jsp" access="ROLE_STATIC" />  
            <form-login login-page="/login"    authentication-failure-url="/login?error=1" authentication-success-forward-url="/main.to" />  
            <logout invalidate-session="true" logout-url="/logout"  logout-success-url="/"  />  
            <http-basic/>  
            <headers >  
                <frame-options disabled="true"></frame-options>  
            </headers>  
      
      
            <csrf token-repository-ref="csrfTokenRepository" />  
      
      
            <session-management session-authentication-error-url="/frame.expired" >  
                <!-- max-sessions只容许一个账号登录,error-if-maximum-exceeded 后面账号登录后踢出前一个账号,expired-url session过期跳转界面 -->  
                <concurrency-control max-sessions="1" error-if-maximum-exceeded="false" expired-url="/frame.expired" session-registry-ref="sessionRegistry" />  
            </session-management>  
      
      
            <expression-handler ref="webexpressionHandler" ></expression-handler>  
        </http>  
      
      
        <beans:bean id="sessionRegistry" class="org.springframework.security.core.session.SessionRegistryImpl" />  
      
      
        <beans:bean id="userDetailsService" class="com.framework.security.UserDetailsServiceImpl" />  
      
      
        <!--配置web端使用权限控制-->  
        <beans:bean id="webexpressionHandler" class="org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler" />  
      
      
        <authentication-manager >  
            <authentication-provider ref="authenticationProvider" />  
        </authentication-manager>  
      
      
        <!-- 自定义userDetailsService, 盐值加密 -->  
        <beans:bean id="authenticationProvider" class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">  
            <beans:property name="hideUserNotFoundExceptions" value="true" />  
            <beans:property name="userDetailsService" ref="userDetailsService" />  
            <beans:property name="passwordEncoder" ref="passwordEncoder" />  
            <beans:property name="saltSource" ref="saltSource" />  
        </beans:bean>  
      
      
        <!-- Md5加密 -->  
        <beans:bean id="passwordEncoder" class="org.springframework.security.authentication.encoding.Md5PasswordEncoder" />  
      
      
        <!-- 盐值加密 salt对应数据库字段-->  
        <beans:bean id="saltSource" class="org.springframework.security.authentication.dao.ReflectionSaltSource">  
            <beans:property name="userPropertyToUse" value="salt"/>  
        </beans:bean>  
      
      
        <beans:bean id="csrfTokenRepository" class="org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository" />  
    </beans:beans>  
  • 相关阅读:
    魔镜完全是被王后问烦了才给她找点事做不再来烦它吧(豆瓣的经典评论)
    调色板QPalette类用法详解(附实例、源码)
    当程序调用dll时获取dll路径,DLL中获取自身的句柄
    把硬盘格式化成ext格式的cpu占用率就下来了
    Delphi XE6 如何设计并使用FireMonkeyStyle
    系统重构
    阅读Google的C++代码规范有感
    VS2010生成安装包制作步骤
    MVC视图中的@Html.xxx(...)
    高性能的JavaScript--加载和执行
  • 原文地址:https://www.cnblogs.com/yyxxn/p/8080141.html
Copyright © 2020-2023  润新知