spring security

  <?xml version="1.0" encoding="UTF-8"?>
  <!--
      Spring Security 3.0 namespace configuration. The security schema is the default
      namespace, so unprefixed elements are Spring Security elements and ordinary
      Spring beans carry the beans: prefix.
  -->
  <beans:beans xmlns="http://www.springframework.org/schema/security"
               xmlns:beans="http://www.springframework.org/schema/beans"
               xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
               xsi:schemaLocation="http://www.springframework.org/schema/beans
                                   http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                                   http://www.springframework.org/schema/security
                                   http://www.springframework.org/schema/security/spring-security-3.0.xsd">

      <!-- Enables the pre/post method-security annotations. -->
      <global-method-security pre-post-annotations="enabled"/>

      <!--
          entry-point-ref names the handler that runs when a user first requests a
          protected URL without being authenticated.
          NOTE(review): no intercept-url below carries an access attribute, so URL
          authorisation appears to rest entirely on myFilter and the decision manager /
          metadata source wired into it (classes not shown here). Confirm that they deny
          access when a URL has no matching rule.
      -->
      <http use-expressions="true" entry-point-ref="authenticationEntryPoint">

          <!-- Handler used when access is refused. -->
          <access-denied-handler ref="accessDeniedHandler"/>

          <!--
              Addresses that are excluded from authentication filtering.
              NOTE(review): filters="none" removes the whole security filter chain for the
              matching requests, so nothing served from these paths is authenticated or
              authorised. That suits static assets; /common/** and /fckeditor/** should be
              checked for anything that executes server-side (FCKeditor distributions can
              include file-browser and upload connectors). If such content exists, remove
              it or drop the path from this list so it is protected like other URLs.
          -->
          <intercept-url pattern="/roots/login.jsp" filters="none"/>
          <intercept-url pattern="/css/**" filters="none"/>
          <intercept-url pattern="/common/**" filters="none"/>
          <intercept-url pattern="/images/**" filters="none"/>
          <intercept-url pattern="/scripts/**" filters="none"/>
          <intercept-url pattern="/DatePicker/**" filters="none"/>
          <intercept-url pattern="/fckeditor/**" filters="none"/>

          <!-- Cookie (remember-me) authentication; see the rememberMeServices bean for details. -->
          <remember-me services-ref="rememberMeServices"/>

          <!--
              Adds a custom filter. This differs from Acegi: the default filters can no
              longer be modified, so this filter is placed before FILTER_SECURITY_INTERCEPTOR.
          -->
          <custom-filter position="LOGOUT_FILTER" ref="logoutFilter"/>
          <custom-filter before="FILTER_SECURITY_INTERCEPTOR" ref="myFilter"/>
          <custom-filter position="FORM_LOGIN_FILTER" ref="myAuthFilter"/>
          <!-- Limits the number of concurrent logins per user so one account is not shared by several people. -->
          <custom-filter position="CONCURRENT_SESSION_FILTER" ref="concurrencyFilter"/>
          <session-management session-authentication-strategy-ref="sas"/>
      </http>

      <!--
          Authentication manager: the entry point for user authentication. Implementing
          the UserDetailsService interface is the main requirement; several providers can
          be configured, as below.
          NOTE(review): hash="plaintext" means passwords are compared without hashing, which
          implies they are stored in clear text; anyone who can read the user store or a
          backup of it obtains every password. Both providers are wired by ref, so the nested
          password-encoder elements probably never reach the referenced beans (some releases
          may reject child elements on a ref provider; confirm against the version in use),
          and RememberMeAuthenticationProvider does not check passwords in any case. The
          encoder that matters is therefore the passwordEncoder property of
          daoAuthenticationProvider, which is not set below. Recommended change: configure a
          salted, adaptive hash there (BCryptPasswordEncoder is available from Spring
          Security 3.1) and re-hash the stored passwords as part of the same migration.
      -->
      <authentication-manager alias="authenticationManager">
          <authentication-provider ref="daoAuthenticationProvider">
              <password-encoder hash="plaintext"/>
          </authentication-provider>
          <authentication-provider ref="rememberMeAuthenticationProvider">
              <password-encoder hash="plaintext"/>
          </authentication-provider>
      </authentication-manager>

      <!-- Username/password provider backed by the application's own UserDetailsService. -->
      <beans:bean id="daoAuthenticationProvider"
                  class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
          <beans:property name="userDetailsService" ref="myUserDetailService"/>
      </beans:bean>

      <!--
          A custom filter. It must be given the three properties authenticationManager,
          accessDecisionManager and securityMetadataSource; all access control is
          implemented in those three classes (see their own configuration for details).
      -->
      <beans:bean id="myFilter" class="com.security.MyFilterSecurityInterceptor">
          <beans:property name="authenticationManager" ref="authenticationManager"/>
          <beans:property name="accessDecisionManager" ref="myAccessDecisionManagerBean"/>
          <beans:property name="securityMetadataSource" ref="securityMetadataSource"/>
      </beans:bean>

      <!--
          The three classes below are registered through component scanning, so their
          bean definitions are left here commented out.

          <beans:bean id="myUserDetailService"
              class="com.security.MyUserDetailService" />

          Access decision manager: decides whether the roles a user holds are sufficient
          to access a given resource.
          <beans:bean id="myAccessDecisionManagerBean"
              class="com.security.MyAccessDecisionManager"> </beans:bean>

          Resource metadata definition: states which roles may access each resource.
          <beans:bean id="securityMetadataSource"
              class="com.security.MyInvocationSecurityMetadataSource" >
          </beans:bean>
      -->

      <!--
          Logout filter listening on /ss_Loginout. On logout the remember-me services and
          then SecurityContextLogoutHandler run, and the user is sent to the login page.
      -->
      <beans:bean id="logoutFilter"
                  class="org.springframework.security.web.authentication.logout.LogoutFilter">
          <beans:constructor-arg value="/roots/login.jsp"/>
          <beans:constructor-arg>
              <beans:list>
                  <beans:ref local="rememberMeServices"/>
                  <beans:bean class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler"/>
              </beans:list>
          </beans:constructor-arg>
          <beans:property name="filterProcessesUrl" value="/ss_Loginout"/>
      </beans:bean>

      <!--
          Concurrent-session control: concurrencyFilter redirects requests on an expired
          session to expiredUrl, and the "sas" strategy allows one session per user.
          NOTE(review): the session registry is only kept accurate when session-destroyed
          events are published, which needs HttpSessionEventPublisher registered as a
          listener in web.xml. That file is not shown on this page; verify it.
      -->
      <beans:bean id="concurrencyFilter"
                  class="org.springframework.security.web.session.ConcurrentSessionFilter">
          <beans:property name="sessionRegistry" ref="sessionRegistry"/>
          <beans:property name="expiredUrl" value="/error/expired.jsp"/>
      </beans:bean>
      <beans:bean id="sas"
                  class="org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy">
          <beans:constructor-arg name="sessionRegistry" ref="sessionRegistry"/>
          <beans:property name="maximumSessions" value="1"/>
      </beans:bean>

      <!-- Custom form-login filter that processes submissions to /ss_Login. -->
      <beans:bean id="myAuthFilter"
                  class="com.security.fliter.MyUsernamePasswordAuthenticationFilter">
          <beans:property name="sessionAuthenticationStrategy" ref="sas"/>
          <beans:property name="authenticationManager" ref="authenticationManager"/>
          <beans:property name="rememberMeServices" ref="rememberMeServices"/>
          <beans:property name="authenticationFailureHandler" ref="failureHandler"/>
          <beans:property name="authenticationSuccessHandler" ref="successHandler"/>
          <beans:property name="filterProcessesUrl" value="/ss_Login"/>
      </beans:bean>
      <beans:bean id="successHandler"
                  class="org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler">
          <beans:property name="defaultTargetUrl" value="/roots/index.jsp"/>
      </beans:bean>
      <beans:bean id="failureHandler"
                  class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
          <beans:property name="defaultFailureUrl" value="/roots/login.jsp?error=true"/>
      </beans:bean>

      <beans:bean id="sessionRegistry"
                  class="org.springframework.security.core.session.SessionRegistryImpl"/>

      <!--
          Remember-me filter. This filter definition is not used; it is kept for reference.

          <beans:bean id="rememberMeFilter"
              class="org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter">
              <beans:property name="rememberMeServices" ref="rememberMeServices" />
              <beans:property name="authenticationManager" ref="authenticationManager" />
          </beans:bean>
      -->

      <!--
          Token-based remember-me cookie, valid for 86400 seconds.
          NOTE(review): the key is a secret that protects the remember-me token and it is
          hard-coded here (and repeated on rememberMeAuthenticationProvider, where it must
          match). Keep a long random value outside version control and inject it, rather
          than publishing it with the configuration.
          NOTE(review): alwaysRemember="true" issues the cookie on every successful login
          whether or not the user asked for it, so every browser that logs in keeps a
          day-long credential. Confirm this is intended, and serve the site over HTTPS so
          the cookie is not exposed in transit.
      -->
      <beans:bean id="rememberMeServices"
                  class="org.springframework.security.web.authentication.rememberme.TokenBasedRememberMeServices">
          <beans:property name="userDetailsService" ref="myUserDetailService"/>
          <beans:property name="key" value="springsecurityCookies1"/>
          <beans:property name="alwaysRemember" value="true"/>
          <beans:property name="tokenValiditySeconds" value="86400"/>
          <beans:property name="parameter" value="_spring_security_remember_me"/>
      </beans:bean>

      <!-- Accepts remember-me authentications; the key has to equal the one on rememberMeServices. -->
      <beans:bean id="rememberMeAuthenticationProvider"
                  class="org.springframework.security.authentication.RememberMeAuthenticationProvider">
          <beans:property name="key" value="springsecurityCookies1"/>
      </beans:bean>

      <!--
          This filter definition is not used; it is kept for reference.

          <beans:bean id="exceptionTranslationFilter"
              class="org.springframework.security.web.access.ExceptionTranslationFilter">
              <beans:property name="authenticationEntryPoint" ref="authenticationEntryPoint"/>
              <beans:property name="accessDeniedHandler" ref="accessDeniedHandler"/>
          </beans:bean>
      -->

      <!-- Sends unauthenticated users to the login form. -->
      <beans:bean id="authenticationEntryPoint"
                  class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
          <beans:property name="loginFormUrl" value="/roots/login.jsp"/>
      </beans:bean>

      <!-- Sends users whose access was denied back to the login page with error=ad. -->
      <beans:bean id="accessDeniedHandler"
                  class="org.springframework.security.web.access.AccessDeniedHandlerImpl">
          <beans:property name="errorPage" value="/roots/login.jsp?error=ad"/>
      </beans:bean>

      <!-- Configuration below: Spring Security protection of method invocations. -->
      <beans:bean id="methodSecurityInterceptor"
                  class="org.springframework.security.access.intercept.aopalliance.MethodSecurityInterceptor">
          <beans:property name="validateConfigAttributes" value="false"/>
          <beans:property name="authenticationManager" ref="authenticationManager"/>
          <beans:property name="accessDecisionManager" ref="myAccessDecisionManagerBean"/>
          <!--
              Permissions are looked up from configuration held in the database;
              myMethodSecurityMetadataSource extends AbstractMethodSecurityMetadataSource.
          -->
          <beans:property name="securityMetadataSource" ref="myMethodSecurityMetadataSource"/>
          <!--
              Note: the pattern below configures the doSupervisor method of class ISome so
              that only ROLE_SUPERVISOR is needed to call it.
              <value>
              com.acegi.MethodInterceptionTest.method* = ROLE_ADMIN </value>
              </property>
          -->
      </beans:bean>

      <!--
          Roles are configured in the database; the auto-proxy creator below still needs
          its pointcut configured. myMethodSecurityMetadataSource is already registered
          through component scanning.
          NOTE(review): only beans whose names match the beanNames pattern (*test) receive
          methodSecurityInterceptor. Beans with other names are not covered by this
          interceptor, so the pattern must be kept in step with the beans that need
          protecting.
      -->
      <beans:bean id="sprintsecurityAutoIntercept"
                  class="org.springframework.aop.framework.autoproxy.BeanNameAutoProxyCreator"
                  scope="singleton">
          <!-- Names of the beans to intercept: the id of a configured bean, several ids separated by commas. -->
          <beans:property name="beanNames" value="*test"/>

          <!-- The interceptors to apply are listed here. -->
          <beans:property name="interceptorNames">
              <beans:list>
                  <beans:value>methodSecurityInterceptor</beans:value>
              </beans:list>
          </beans:property>
          <!-- If the target class is itself proxied, for example when used inside Spring, this must be true. -->
          <beans:property name="proxyTargetClass" value="true"/>
      </beans:bean>

      <!--
          Configuration for receiving Spring Security log events (currently disabled).
          NOTE(review): with these listeners commented out, authentication and
          authorisation events are not logged by this configuration; enabling them gives
          a record of failed logins and denied requests for monitoring.

          <bean id="authenticationLoggerListener"
              class="org.springframework.security.authentication.event.LoggerListener"/>
          <bean id="authorizationLoggerListener"
              class="org.springframework.security.access.event.LoggerListener"/>
      -->

  </beans:beans>