<?xml version="1.0" encoding="UTF-8"?>
<!-- 配置不需要权限就能访问资源 css js -->
<security:http pattern="/css/**" security="none"></security:http>
<security:http pattern="/js/**" security="none"></security:http>
<security:http pattern="/img/**" security="none"></security:http>
<security:http pattern="/plugins/**" security="none"></security:http>
<security:http pattern="/template/**" security="none"></security:http>
<security:http pattern="/login.html" security="none"></security:http>
<!-- 开启springsecurity自动配置 -->
<security:http auto-config="true">
<security:headers>
<!-- same origin 同源 (协议://ip:port 一样才是同源)-->
<security:frame-options policy="SAMEORIGIN"></security:frame-options>
</security:headers>
<!-- 配置那些页面需要拦截并且需要什么样的权限才能访问
isAuthenticated() 只要登录就可以访问
–>
<security:intercept-url pattern="/**" access=“isAuthenticated()”></security:intercept-url>
<!-- 配置自定义登录页面
always-use-default-target="true" 登录成功之后总是跳转到我们配置的页面
login-processing-url="/login.do" 改了登录处理的url需要告诉框架
–>
<security:form-login
login-page="/login.html"
authentication-failure-url="/login.html"
default-target-url="/pages/main.html"
always-use-default-target=“true”
login-processing-url="/login.do"
username-parameter=“myusername”
password-parameter=“mypassword”
/>
<!-- 禁用csrf-->
<security:csrf disabled="true"></security:csrf>
<!-- 配置退出-->
<security:logout logout-url="/logout.do" logout-success-url="/login.html"></security:logout>
</security:http>
<bean class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder" id="passwordEncoder"></bean>
<!-- 配置认证管理器 认证提供者 实现userdetailservice(动态获取用户名 密码 权限) 密码加密-->
<security:authentication-manager>
<security:authentication-provider user-service-ref="springSecurityUserService">
<security:password-encoder ref="passwordEncoder"></security:password-encoder>
</security:authentication-provider>
</security:authentication-manager>
<!-- 开启spring security注解-->
<security:global-method-security pre-post-annotations="enabled"></security:global-method-security>