<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:security="http://www.springframework.org/schema/security"
       xsi:schemaLocation="http://www.springframework.org/schema/security
                           http://www.springframework.org/schema/security/spring-security-4.0.xsd
                           http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans-4.1.xsd">

    <description>Spring 安全权限配置</description>

    <!--
        Static resources and error pages are excluded from interception.
        security="none" gives these paths an empty filter chain: no authentication,
        no SecurityContext, and none of the response headers configured on the main
        chain below. "/error*" matches every first-segment path that starts with
        "/error", so only static, non-sensitive content should live under these patterns.
    -->
    <security:http pattern="/Images/**" security="none" />
    <security:http pattern="/Style/**" security="none" />
    <security:http pattern="/JScript/**" security="none" />
    <security:http pattern="/error*" security="none" />

    <!-- Keep disabled outside development: <security:debug/> -->

    <!--
        Method security uses the custom decision manager.
        NOTE(review): no annotation support attribute (secured, pre-post, jsr250) is
        set on this element, so confirm which method-level checks are in effect.
    -->
    <security:global-method-security access-decision-manager-ref="accessDecisionManager" />

    <!--
        Main filter chain for everything not excluded above.
        use-expressions="false": the access values below are voter attributes, not SpEL.
        NOTE(review): auto-config="true" also enables HTTP Basic next to the form login;
        confirm that is intended.
    -->
    <security:http auto-config="true" use-expressions="false">

        <!--
            NOTE(review): disabling frame-options removes the X-Frame-Options header, so
            any origin can frame these pages (clickjacking exposure). If framing is only
            needed by the application itself, policy="SAMEORIGIN" keeps the defence.
        -->
        <security:headers>
            <security:frame-options disabled="true" />
        </security:headers>

        <!--
            Rules are evaluated in order. "/login*" also matches other first-segment
            paths that begin with "/login"; everything else needs a full login
            (remember-me and anonymous tokens do not satisfy IS_AUTHENTICATED_FULLY).
        -->
        <security:intercept-url pattern="/login*" access="IS_AUTHENTICATED_ANONYMOUSLY" />
        <security:intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY" />

        <!-- Form login: credentials arrive in the "userId" and "password" request parameters. -->
        <security:form-login login-page="/login"
                             password-parameter="password"
                             username-parameter="userId"
                             default-target-url="/index" />

        <!--
            NOTE(review): invalidate-session="false" leaves the server-side HttpSession
            and its attributes alive after logout; only the JSESSIONID cookie is cleared
            in the browser. Prefer invalidating the session unless something depends on it.
        -->
        <security:logout delete-cookies="JSESSIONID"
                         invalidate-session="false"
                         logout-url="/logout"
                         logout-success-url="/login" />

        <!--
            Session fixation defence: a fresh session is created at login.
            max-sessions="1" without error-if-maximum-exceeded expires the older session
            when the same user logs in again.
            NOTE(review): concurrency control relies on session-destroyed events; confirm
            HttpSessionEventPublisher is registered in web.xml (not visible in this file).
        -->
        <security:session-management session-authentication-error-url="/error"
                                     invalid-session-url="/login"
                                     session-fixation-protection="newSession">
            <security:concurrency-control max-sessions="1" />
        </security:session-management>

        <!-- Extra authorization filter placed ahead of the namespace-created interceptor. -->
        <security:custom-filter ref="filterSecurityInterceptor" before="FILTER_SECURITY_INTERCEPTOR" />
    </security:http>

    <!--
        NOTE(review): nothing in this file references this registry (concurrency-control
        has no session-registry-ref), so it is presumably a separate instance from the
        one the namespace uses; verify before relying on it for session listings.
    -->
    <bean id="sessionRegistry"
          class="org.springframework.security.core.session.SessionRegistryImpl" />

    <!--
        Custom filter: a second FilterSecurityInterceptor driven by the custom decision
        manager. Its metadata source demands IS_AUTHENTICATED_FULLY for "/**" with no
        exemption for "/login*".
        NOTE(review): because this filter runs first, the effective decision for each
        request likely rests on AccessDecisionManagerImpl (source not shown). Verify that
        it denies by default and still lets the login page through. The nested metadata
        source sets no use-expressions attribute; confirm how the schema version in use
        interprets the access value.
    -->
    <bean id="filterSecurityInterceptor"
          class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor">
        <property name="accessDecisionManager" ref="accessDecisionManager" />
        <property name="authenticationManager" ref="authenticationManager" />
        <property name="securityMetadataSource">
            <security:filter-security-metadata-source>
                <security:intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY" />
            </security:filter-security-metadata-source>
        </property>
    </bean>

    <!-- Custom access decision (deny/allow) implementation. -->
    <bean id="accessDecisionManager" class="com.proj.security.AccessDecisionManagerImpl" />

    <security:authentication-manager alias="authenticationManager">
        <security:authentication-provider ref="daoAuthenticationProvider" />
    </security:authentication-manager>

    <!--
        NOTE(review): hideUserNotFoundExceptions="false" lets "user not found" surface
        separately from "bad credentials". If that difference reaches the login response,
        it reveals which account names exist; keep the client-facing message identical
        for both cases.
    -->
    <bean id="daoAuthenticationProvider"
          class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
        <property name="hideUserNotFoundExceptions" value="false" />
        <property name="userDetailsService" ref="userService" />
        <property name="passwordEncoder" ref="passwordEncoder" />
    </bean>

    <!--
        NOTE(review): MD5 is a fast digest and no salt source is configured on the
        provider above, so stored hashes are cheap to crack offline if the user table
        leaks. Plan a migration to an adaptive encoder such as
        org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder, re-hashing
        each password at the next successful login. Not changed here because swapping
        the encoder invalidates every existing stored hash.
    -->
    <bean id="passwordEncoder"
          class="org.springframework.security.authentication.encoding.Md5PasswordEncoder" />

    <bean id="userService" class="com.proj.security.UserDetailServiceImpl" />

    <!-- Message bundle used for security messages; the stock zh_CN bundle is kept for reference. -->
    <bean id="messageSource"
          class="org.springframework.context.support.ResourceBundleMessageSource">
        <!-- <property name="basename" value="org/springframework/security/messages_zh_CN" /> -->
        <property name="basename" value="com/proj/security/messages" />
        <property name="defaultEncoding" value="UTF-8" />
    </bean>
</beans>