81,094
社区成员
发帖
与我相关
我的任务
分享
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:util="http://www.springframework.org/schema/util"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd
http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util-3.0.xsd">
<!-- auto-config='true'将自动配置几种常用的权限控制机制,包括form, anonymous, rememberMe -->
<http use-expressions="true">
<form-login login-page="/ims/login" default-target-url="/ims/index" always-use-default-target="true"/>
<logout/>
<session-management invalid-session-url="/ims/login" /> <!-- 检测session超时,并把用户转发到对应的URL -->
<custom-filter ref="mySecurityFilter" before="FILTER_SECURITY_INTERCEPTOR"/>
</http>
<!-- 配置过滤器 -->
<beans:bean id="mySecurityFilter" class="com.zhl.ims.util.MySecurityFilter" >
<!-- 用户拥有的权限 -->
<beans:property name="authenticationManager" ref="myAuthenticationManager" />
<!-- 资源与权限对应关系 -->
<beans:property name="securityMetadataSource" ref="mySecurityMetadataSource" />
<!-- 资源 和 用户权限 -->
<beans:property name="accessDecisionManager" ref="affirmativeBased" />
</beans:bean>
<!-- AffirmativeBased 认证管理器 -->
<beans:bean id="affirmativeBased" class="org.springframework.security.access.vote.AffirmativeBased">
<!-- 是否允许所有的投票者弃权,如果为false,表示如果所有的投票者弃权,就禁止访问 -->
<beans:property name="allowIfAllAbstainDecisions" value="false" />
<beans:property name="decisionVoters">
<beans:list>
<beans:bean class="org.springframework.security.access.vote.RoleVoter" />
<beans:bean class="org.springframework.security.access.vote.AuthenticatedVoter"/>
</beans:list>
</beans:property>
</beans:bean>
<!-- 配置URL+权限管理器 -->
<beans:bean id="mySecurityMetadataSource" class="com.zhl.ims.util.MyFilterInvocationSecurityMetadataSource">
<beans:property name="resourceDao" ref="resourceDaoBean" />
</beans:bean>
<beans:bean id="resourceDaoBean" class="com.zhl.ims.dao.ResourceDao" >
<beans:property name="jdbcTemplate" ref="jdbcTemplateBean"/>
</beans:bean>
<!-- authentication-manager管理器 -->
<authentication-manager alias="myAuthenticationManager">
<authentication-provider user-service-ref="myUserDetailServiceBean" />
</authentication-manager>
<!-- UserDetailsService实现 -->
<beans:bean id="myUserDetailServiceBean" class="com.zhl.ims.util.MyUserDetailsService">
<beans:property name="userDao" ref="userDaoBean" />
</beans:bean>
<beans:bean id="userDaoBean" class="com.zhl.ims.dao.UserDao" >
<beans:property name="jdbcTemplate" ref="jdbcTemplateBean"/>
</beans:bean>
<beans:bean id="jdbcTemplateBean" class="org.springframework.jdbc.core.JdbcTemplate">
<beans:property name="dataSource" ref="dataSource"/>
</beans:bean>
<!-- 未登录的切入点 -->
<beans:bean id="authenticationProcessingFilterEntryPoint" class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
<beans:property name="loginFormUrl" value="/ims/login"></beans:property>
</beans:bean>
<!-- 启用 jsr250-annotations注解 进行方法访问控制 -->
<!--
<global-method-security jsr250-annotations="enabled"></global-method-security>
<authentication-manager>
<authentication-provider>
<user-service>
<user name="admin" password="admin" authorities="ROLE_ADMIN"/>
<user name="user" password="user" authorities="ROLE_USER" />
</user-service>
</authentication-provider>
</authentication-manager>
-->
</beans:beans>
<http auto-config="true" access-denied-page="/common/403.jsp">
<!-- intercept-url:拦截器,可以设定哪些路径需要哪些权限来访问. filters=none 不使用过滤,也可以理解为忽略 -->
<intercept-url pattern="/index.jsp" access="ROLE_USER" />
<intercept-url pattern="/login.jsp" filters="none" />
<intercept-url pattern="/common/**" filters="none" />
<intercept-url pattern="/script/**" filters="none" />
<intercept-url pattern="/admin.jsp" access="ROLE_ADMIN" />
<intercept-url pattern="/user.jsp" access="ROLE_USER" />
<!-- session-management是针对session的管理. 这里可以不配置. 如有需求可以配置. -->
<!-- id登陆唯一. 后登陆的账号会挤掉第一次登陆的账号 error-if-maximum-exceeded="true" 禁止2次登陆;
session-fixation-protection="none" 防止伪造sessionid攻击. 用户登录成功后会销毁用户当前的session.
创建新的session,并把用户信息复制到新session中.
-->
<session-management session-fixation-protection="none">
<concurrency-control/>
</session-management>
<!-- login-page:默认指定的登录页面. authentication-failure-url:出错后跳转页面. default-target-url:成功登陆后跳转页面 -->
<form-login login-page="/login.jsp"
authentication-failure-url="/common/403.jsp"
default-target-url="/admin.jsp" />
<!-- logout-success-url:成功注销后跳转到的页面; -->
<logout logout-success-url="/login.jsp"/>
<http-basic />
</http>