SpringSecurity 3配置文件
最近查找了一些Spring security3的资料,感觉网上资料比较混乱,版本各异,对于初学者,摸不着头脑。其实找到门道,简单配置使用还是不难的。不过要想对框架运用自如,还是要阅读其的一些源码,其中lengyun,dead-knight对源码做了一些分析,是很不错的博文。自己e文又很烂,希望权威们能给出更完善和优秀的博文,也是我等的福音了。感谢以下几位网友,他们的博文还是很有帮助的:
http://lengyun3566.iteye.com/category/153689http://dead-knight.iteye.com/blog/1513149http://blog.csdn.net/remote_roamer/article/details/5713777http://downpour.iteye.com/blog/319965http://hotstrong.iteye.com/blog/1160153http://blog.csdn.net/kuaileren003/article/details/6106493http://zhaobohao.iteye.com/blog/701238下面是一位网友给出的配置,自己也没有试过,不过感觉比较完整。<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
?xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
?xsi:schemaLocation="http://www.springframework.org/schema/beans
?????????? http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
?????????? http://www.springframework.org/schema/security
?????????? http://www.springframework.org/schema/security/spring-security-3.0.xsd">
?<global-method-security pre-post-annotations="enabled">
?</global-method-security>
?<!-- entry-point-ref 为用户第一次访问受保护的url时的处理程序.? -->
?<http use-expressions="true"?entry-point-ref="authenticationEntryPoint">
??<!-- 这里是拒绝用户访问的处理程序 -->
??<access-denied-handler ref="accessDeniedHandler" />
??
??<!-- 配置一些不需要认证过滤的地址 -->
??<intercept-url pattern="/roots/login.jsp" filters="none" />
??<intercept-url pattern="/css/**" filters="none" />
??<intercept-url pattern="/common/**" filters="none" />
??<intercept-url pattern="/images/**" filters="none" />
??<intercept-url pattern="/scripts/**" filters="none" />
??<intercept-url pattern="/DatePicker/**" filters="none" />
??<intercept-url pattern="/fckeditor/**" filters="none" />
??
??<!-- cooki认证的配置,具体 看rememberMeServices的配置. -->
??<remember-me services-ref="rememberMeServices" />
??<!--
???增加一个filter,这点与Acegi是不一样的,不能修改默认的filter了,这个filter位于FILTER_SECURITY_INTERCEPTOR之前
??-->
??<custom-filter position="LOGOUT_FILTER" ref="logoutFilter"></custom-filter>
??<custom-filter before="FILTER_SECURITY_INTERCEPTOR" ref="myFilter" />
??<custom-filter position="FORM_LOGIN_FILTER" ref="myAuthFilter" />
??<!-- 限制用户的最大登陆数,防止一个账号被多人使用 -->
??<custom-filter position="CONCURRENT_SESSION_FILTER" ref="concurrencyFilter" />
??<session-management
???session-authentication-strategy-ref="sas" />
?</http>
?<!-- 认证管理器,实现用户认证的入口,主要实现UserDetailsService接口即可 如下,可以配置多个Provider-->
?<authentication-manager alias="authenticationManager">
??<authentication-provider ref="daoAuthenticationProvider">
???<password-encoder hash="plaintext"></password-encoder>
??</authentication-provider>
??<authentication-provider ref="rememberMeAuthenticationProvider">
???<password-encoder hash="plaintext"></password-encoder>
??</authentication-provider>
?</authentication-manager>
?<beans:bean id="daoAuthenticationProvider"
??ref="myUserDetailService" />
?</beans:bean>
?<!--
??一个自定义的filter,必须包含authenticationManager,accessDecisionManager,securityMetadataSource三个属性,
??我们的所有控制将在这三个类中实现,解释详见具体配置
?-->
?<beans:bean id="myFilter" ref="authenticationManager" />
??<beans:property name="accessDecisionManager" ref="myAccessDecisionManagerBean" />
??<beans:property name="securityMetadataSource" ref="securityMetadataSource" />
?</beans:bean>
?<!--
??下面的3个类,已做自动扫描 <beans:bean id="myUserDetailService"
??/>
??访问决策器,决定某个用户具有的角色,是否有足够的权限去访问某个资源 <beans:bean
??id="myAccessDecisionManagerBean"
??>
??</beans:bean>
?-->
?<beans:bean id="logoutFilter"
??/>
??<beans:constructor-arg>
???<beans:list>
????<beans:ref local="rememberMeServices" />
????<beans:bean
?????value="/ss_Loginout"></beans:property>
?</beans:bean>
?<beans:bean id="concurrencyFilter"
??ref="sessionRegistry" />
??<beans:property name="expiredUrl" value="/error/expired.jsp" />
?</beans:bean>
?<beans:bean id="sas"
??/>
??<beans:property name="maximumSessions" value="1" />
?</beans:bean>
?<beans:bean id="myAuthFilter"
??/>
??<beans:property name="authenticationManager" ref="authenticationManager" />
??<beans:property name="rememberMeServices" ref="rememberMeServices"></beans:property>
??<beans:property name="authenticationFailureHandler"
???ref="failureHandler" />
??<beans:property name="authenticationSuccessHandler"
???ref="successHandler" />
??<beans:property name="filterProcessesUrl" value="/ss_Login"></beans:property>
?</beans:bean>
?<beans:bean id="successHandler"
??value="/roots/index.jsp" />
?</beans:bean>
?<beans:bean id="failureHandler"
??value="/roots/login.jsp?error=true" />
?</beans:bean>
?<beans:bean id="sessionRegistry"
??/>
?
?<!--
??remember me fliter 此fliter的配置没有使用留做参考 <beans:bean
??id="rememberMeFilter"
??ref="rememberMeServices" />
??<beans:property name="authenticationManager"
??ref="authenticationManager" /> </beans:bean>
?-->
?<beans:bean id="rememberMeServices"
??ref="myUserDetailService" />
??<beans:property name="key" value="springsecurityCookies1" />
??<beans:property name="alwaysRemember" value="true"></beans:property>
??<beans:property name="tokenValiditySeconds" value="86400"></beans:property>
??<beans:property name="parameter" value="_spring_security_remember_me"></beans:property>
?</beans:bean>
?<beans:bean id="rememberMeAuthenticationProvider"
??value="springsecurityCookies1" />
?</beans:bean>
?<!--
??此fliter的配置没有使用留做参考 <beans:bean id="exceptionTranslationFilter"
??ref="accessDeniedHandler"/> </beans:bean>
?-->
?<beans:bean id="authenticationEntryPoint"
??value="/roots/login.jsp" />
?</beans:bean>
?<beans:bean id="accessDeniedHandler"
??value="/roots/login.jsp?error=ad" />
?</beans:bean>
?
?<!-- 下面配置,security对于方法的保护 -->
?<beans:bean id="methodSecurityInterceptor"
??/>
??</beans:property>
??<beans:property name="accessDecisionManager">
???<beans:ref bean="myAccessDecisionManagerBean" />
??</beans:property>
??<!-- 这里配置通过数据库配置来查找权限 myMethodSecurityMetadataSource 这个类继承AbstractMethodSecurityMetadataSource -->
??<beans:property name="securityMetadataSource" ref="myMethodSecurityMetadataSource" />
??<!--
???说明:下面的模式是配置了ISome类的doSupervisor的方法只需要ROLE_SUPERVISOR 来访问 <value>
???com.acegi.MethodInterceptionTest.method* = ROLE_ADMIN </value>
???</property>
??-->
?</beans:bean>
?<!--
??在数据库里配置role and datebase... 下面的autoProxyCreator还是要配置切入点的.
??myMethodSecurityMetadataSource 已经配置在自动扫描中.
?-->
?<beans:bean id="sprintsecurityAutoIntercept"
??value="true" />
?</beans:bean>
?<!--这里接收security日志的配置
??<bean id="authenticationLoggerListener"
??class="org.springframework.security.authentication.event.LoggerListener"/>
??<bean id="authorizationLoggerListener"
??class="org.springframework.security.access.event.LoggerListener"/>
?-->
</beans:beans>
