spring security xml配置详解
security 3.x
<?xml version="1.0" encoding="UTF-8"?> <beans:beans xmlns="http://www.springframework.org/schema/security" xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd"> <global-method-security pre-post-annotations="enabled"> </global-method-security> <!-- 该路径下的资源不用过滤 --> <http pattern="/include/js/**" security="none" /> <http pattern="/include/css/**" security="none" /> <http pattern="/include/scripts/**" security="none" /> <http pattern="/include/jsp/**" security="none" /> <http pattern="/images/**" security="none" /> <http pattern="/login.jsp" security="none" /> <!--auto-config = true 则使用from-login. 如果不使用该属性 则默认为http-basic(没有session).--> <!-- lowercase-comparisons:表示URL比较前先转为小写。--> <!-- path-type:表示使用Apache Ant的匹配模式。--> <!--access-denied-page:访问拒绝时转向的页面。--> <!-- access-decision-manager-ref:指定了自定义的访问策略管理器。--> <http use-expressions="true" auto-config="true" access-denied-page="/include/jsp/timeout.jsp"> <!--login-page:指定登录页面。 --> <!-- login-processing-url:指定了客户在登录页面中按下 Sign In 按钮时要访问的 URL。--> <!-- authentication-failure-url:指定了身份验证失败时跳转到的页面。--> <!-- default-target-url:指定了成功进行身份验证和授权后默认呈现给用户的页面。--> <!-- always-use-default-target:指定了是否在身份验证通过后总是跳转到default-target-url属性指定的URL。 --> <form-login login-page="/login.jsp" default-target-url='/system/default.jsp' always-use-default-target="true" authentication-failure-url="/login.jsp?login_error=1" /> <!--logout-url:指定了用于响应退出系统请求的URL。其默认值为:/j_spring_security_logout。--> <!-- logout-success-url:退出系统后转向的URL。--> <!-- invalidate-session:指定在退出系统时是否要销毁Session。--> <logout invalidate-session="true" logout-success-url="/login.jsp" logout-url="/j_spring_security_logout" /> <!-- 实现免登陆验证 --> <remember-me /> <!-- max-sessions:允许用户帐号登录的次数。范例限制用户只能登录一次。--> <!-- 此值表示:用户第二次登录时,前一次的登录信息都被清空。--> <!-- exception-if-maximum-exceeded:默认为false,--> <!-- 当exception-if-maximum-exceeded="true"时系统会拒绝第二次登录。--> <session-management invalid-session-url="/login.jsp" session-fixation-protection="none"> <concurrency-control max-sessions="1" error-if-maximum-exceeded="false" /> </session-management> <custom-filter ref="myFilter" before="FILTER_SECURITY_INTERCEPTOR" /> <session-management session-authentication-strategy-ref="sas" /> </http> <beans:bean id="sas" class="org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy"> <beans:constructor-arg name="sessionRegistry" ref="sessionRegistry" /> <beans:property name="maximumSessions" value="1" /> <!-- 防止session攻击 --> <beans:property name="alwaysCreateSession" value="true" /> <beans:property name="migrateSessionAttributes" value="false" /> <!-- 同一个帐号 同时只能一个人登录 --> <beans:property name="exceptionIfMaximumExceeded" value="false" /> </beans:bean> <beans:bean id="sessionRegistry" class="org.springframework.security.core.session.SessionRegistryImpl" /> <!-- 事件监听:实现了ApplicationListener监听接口,包括AuthenticationCredentialsNotFoundEvent 事件,--> <!-- AuthorizationFailureEvent事件,AuthorizedEvent事件, PublicInvocationEvent事件--> <beans:bean class="org.springframework.security.authentication.event.LoggerListener" /> <!-- 自定义资源文件 提示信息 --> <beans:bean id="messageSource" class="org.springframework.context.support.ReloadableResourceBundleMessageSource"> <beans:property name="basenames" value="classpath:message_zh_CN"> </beans:property> </beans:bean> <!-- 配置过滤器 --> <beans:bean id="myFilter" class="com.taskmanager.web.security.MySecurityFilter"> <!-- 用户拥有的权限 --> <beans:property name="authenticationManager" ref="myAuthenticationManager" /> <!-- 用户是否拥有所请求资源的权限 --> <beans:property name="accessDecisionManager" ref="myAccessDecisionManager" /> <!-- 资源与权限对应关系 --> <beans:property name="securityMetadataSource" ref="mySecurityMetadataSource" /> </beans:bean> <!-- 实现了UserDetailsService的Bean --> <authentication-manager alias="myAuthenticationManager"> <authentication-provider user-service-ref="myUserDetailServiceImpl"> <!-- 登入 密码 采用MD5加密 --> <password-encoder hash="md5" ref="passwordEncoder"> </password-encoder> </authentication-provider> </authentication-manager> <!-- 验证用户请求资源 是否拥有权限 --> <beans:bean id="myAccessDecisionManager" class="com.taskmanager.web.security.MyAccessDecisionManager"> </beans:bean> <!-- 系统运行时加载 系统要拦截的资源 与用户请求时要过滤的资源 --> <beans:bean id="mySecurityMetadataSource" class="com.taskmanager.web.security.MySecurityMetadataSource"> <beans:constructor-arg name="powerService" ref="powerService"> </beans:constructor-arg> </beans:bean> <!-- 获取用户登入角色信息 --> <beans:bean id="myUserDetailServiceImpl" class="com.taskmanager.web.security.MyUserDetailServiceImpl"> <beans:property name="userService" ref="userService"></beans:property> </beans:bean> <!-- 用户的密码加密或解密 --> <beans:bean id="passwordEncoder" class="org.springframework.security.authentication.encoding.Md5PasswordEncoder" /> </beans:beans>
security 4.x
<beans:beans xmlns="http://www.springframework.org/schema/security" xmlns:beans="http://www.springframework.org/schema/beans" xmlns:p="http://www.springframework.org/schema/p" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:context="http://www.springframework.org/schema/context" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd"> <context:component-scan base-package="com.framework.security"/> <!--<http pattern="/pm/**" security="none" />--> <http pattern="/login.jsp" security="none" /> <http pattern="/common/**" security="none" /> <http pattern="/*.ico" security="none" /> <http use-expressions="false" > <!-- IS_AUTHENTICATED_ANONYMOUSLY 匿名登录 --> <intercept-url pattern="/login" access="IS_AUTHENTICATED_ANONYMOUSLY" /> <intercept-url pattern="/pm/**/*.jsp" access="ROLE_STATIC" /> <form-login login-page="/login" authentication-failure-url="/login?error=1" authentication-success-forward-url="/main.to" /> <logout invalidate-session="true" logout-url="/logout" logout-success-url="/" /> <http-basic/> <headers > <frame-options disabled="true"></frame-options> </headers> <csrf token-repository-ref="csrfTokenRepository" /> <session-management session-authentication-error-url="/frame.expired" > <!-- max-sessions只容许一个账号登录,error-if-maximum-exceeded 后面账号登录后踢出前一个账号,expired-url session过期跳转界面 --> <concurrency-control max-sessions="1" error-if-maximum-exceeded="false" expired-url="/frame.expired" session-registry-ref="sessionRegistry" /> </session-management> <expression-handler ref="webexpressionHandler" ></expression-handler> </http> <beans:bean id="sessionRegistry" class="org.springframework.security.core.session.SessionRegistryImpl" /> <beans:bean id="userDetailsService" class="com.framework.security.UserDetailsServiceImpl" /> <!--配置web端使用权限控制--> <beans:bean id="webexpressionHandler" class="org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler" /> <authentication-manager > <authentication-provider ref="authenticationProvider" /> </authentication-manager> <!-- 自定义userDetailsService, 盐值加密 --> <beans:bean id="authenticationProvider" class="org.springframework.security.authentication.dao.DaoAuthenticationProvider"> <beans:property name="hideUserNotFoundExceptions" value="true" /> <beans:property name="userDetailsService" ref="userDetailsService" /> <beans:property name="passwordEncoder" ref="passwordEncoder" /> <beans:property name="saltSource" ref="saltSource" /> </beans:bean> <!-- Md5加密 --> <beans:bean id="passwordEncoder" class="org.springframework.security.authentication.encoding.Md5PasswordEncoder" /> <!-- 盐值加密 salt对应数据库字段--> <beans:bean id="saltSource" class="org.springframework.security.authentication.dao.ReflectionSaltSource"> <beans:property name="userPropertyToUse" value="salt"/> </beans:bean> <beans:bean id="csrfTokenRepository" class="org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository" /> </beans:beans>