spring security xml配置詳解

security 3.x

<?xml version="1.0" encoding="UTF-8"?>  
<beans:beans xmlns="http://www.springframework.org/schema/security"  xmlns:beans="http://www.springframework.org/schema/beans"   
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"  
xsi:schemaLocation="http://www.springframework.org/schema/beans   
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd    
http://www.springframework.org/schema/security   
http://www.springframework.org/schema/security/spring-security-3.1.xsd">  <global-method-security pre-post-annotations="enabled">  </global-method-security>  <!-- 該路徑下的資源不用過濾 -->  <http pattern="/include/js/**" security="none" />  <http pattern="/include/css/**" security="none" />  <http pattern="/include/scripts/**" security="none" />  <http pattern="/include/jsp/**" security="none" />  <http pattern="/images/**" security="none" />  <http pattern="/login.jsp" security="none" />  <!--auto-config = true 則使用from-login. 如果不使用該屬性 則默認為http-basic(沒有session).-->  <!-- lowercase-comparisons：表示URL比較前先轉為小寫。-->  <!-- path-type：表示使用Apache Ant的匹配模式。-->  <!--access-denied-page：訪問拒絕時轉向的頁面。-->  <!-- access-decision-manager-ref：指定了自定義的訪問策略管理器。-->  <http use-expressions="true" auto-config="true"  access-denied-page="/include/jsp/timeout.jsp">  
<!--login-page：指定登錄頁面。  -->  
<!-- login-processing-url：指定了客戶在登錄頁面中按下 Sign In 按鈕時要訪問的 URL。-->  <!-- authentication-failure-url：指定了身份驗證失敗時跳轉到的頁面。-->  <!-- default-target-url：指定了成功進行身份驗證和授權后默認呈現給用戶的頁面。-->  
<!-- always-use-default-target：指定了是否在身份驗證通過后總是跳轉到default-target-url屬性指定的URL。 
-->  <form-login login-page="/login.jsp" default-target-url='/system/default.jsp'  always-use-default-target="true" authentication-failure-url="/login.jsp?login_error=1" />  
<!--logout-url：指定了用于響應退出系統請求的URL。其默認值為：/j_spring_security_logout。-->  <!-- logout-success-url：退出系統后轉向的URL。-->  <!-- invalidate-session：指定在退出系統時是否要銷毀Session。-->  <logout invalidate-session="true" logout-success-url="/login.jsp"  logout-url="/j_spring_security_logout" />  <!-- 實現免登陸驗證 -->  <remember-me />  <!-- max-sessions:允許用戶帳號登錄的次數。范例限制用戶只能登錄一次。-->  
<!-- 此值表示：用戶第二次登錄時，前一次的登錄信息都被清空。-->  <!--   exception-if-maximum-exceeded:默認為false，-->  
<!-- 當exception-if-maximum-exceeded="true"時系統會拒絕第二次登錄。-->  <session-management invalid-session-url="/login.jsp"  session-fixation-protection="none">  <concurrency-control max-sessions="1"  error-if-maximum-exceeded="false" />  </session-management>  <custom-filter ref="myFilter" before="FILTER_SECURITY_INTERCEPTOR" />  <session-management  session-authentication-strategy-ref="sas" />  </http>  
<beans:bean id="sas"  
class="org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy">  <beans:constructor-arg name="sessionRegistry"  ref="sessionRegistry" />  <beans:property name="maximumSessions" value="1" />  <!-- 防止session攻擊 -->  <beans:property name="alwaysCreateSession" value="true" />  <beans:property name="migrateSessionAttributes" value="false" />  <!--  同一個帳號 同時只能一個人登錄 -->  <beans:property name="exceptionIfMaximumExceeded"  value="false" />  </beans:bean>  <beans:bean id="sessionRegistry"  class="org.springframework.security.core.session.SessionRegistryImpl" />  <!-- 
事件監聽:實現了ApplicationListener監聽接口，包括AuthenticationCredentialsNotFoundEvent 事件，-->  <!-- AuthorizationFailureEvent事件，AuthorizedEvent事件， PublicInvocationEvent事件-->  <beans:bean  class="org.springframework.security.authentication.event.LoggerListener" />  <!-- 自定義資源文件   提示信息 -->  <beans:bean id="messageSource"  
class="org.springframework.context.support.ReloadableResourceBundleMessageSource">  <beans:property name="basenames" value="classpath:message_zh_CN">  
</beans:property>  </beans:bean>  <!-- 配置過濾器 -->  <beans:bean id="myFilter"  class="com.taskmanager.web.security.MySecurityFilter">  <!-- 用戶擁有的權限 -->  <beans:property name="authenticationManager" ref="myAuthenticationManager" />  <!-- 用戶是否擁有所請求資源的權限 -->  <beans:property name="accessDecisionManager" ref="myAccessDecisionManager" />  <!-- 資源與權限對應關系 -->  <beans:property name="securityMetadataSource" ref="mySecurityMetadataSource" />  </beans:bean>  <!-- 實現了UserDetailsService的Bean -->  <authentication-manager alias="myAuthenticationManager">  <authentication-provider user-service-ref="myUserDetailServiceImpl">  <!-- 登入 密碼  采用MD5加密 -->  <password-encoder hash="md5" ref="passwordEncoder">  </password-encoder>  </authentication-provider>  </authentication-manager>  <!-- 驗證用戶請求資源  是否擁有權限 -->  <beans:bean id="myAccessDecisionManager"  class="com.taskmanager.web.security.MyAccessDecisionManager">  </beans:bean>  <!-- 系統運行時加載 系統要攔截的資源   與用戶請求時要過濾的資源 -->  <beans:bean id="mySecurityMetadataSource"  class="com.taskmanager.web.security.MySecurityMetadataSource">  <beans:constructor-arg name="powerService" ref="powerService">  
</beans:constructor-arg>  </beans:bean>  <!-- 獲取用戶登入角色信息 -->  <beans:bean id="myUserDetailServiceImpl"  class="com.taskmanager.web.security.MyUserDetailServiceImpl">  <beans:property name="userService" ref="userService"></beans:property>  </beans:bean>  <!-- 用戶的密碼加密或解密 -->  <beans:bean id="passwordEncoder"  
class="org.springframework.security.authentication.encoding.Md5PasswordEncoder" />  
</beans:beans>    

?

security 4.x

<beans:beans  xmlns="http://www.springframework.org/schema/security"  xmlns:beans="http://www.springframework.org/schema/beans"  xmlns:p="http://www.springframework.org/schema/p"  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"  xmlns:context="http://www.springframework.org/schema/context"  xsi:schemaLocation="http://www.springframework.org/schema/beans  http://www.springframework.org/schema/beans/spring-beans.xsd  http://www.springframework.org/schema/context  http://www.springframework.org/schema/context/spring-context.xsd  http://www.springframework.org/schema/security  http://www.springframework.org/schema/security/spring-security.xsd">  <context:component-scan base-package="com.framework.security"/>  <!--<http pattern="/pm/**" security="none" />-->  <http pattern="/login.jsp" security="none" />  <http pattern="/common/**" security="none" />  <http pattern="/*.ico" security="none" />  <http  use-expressions="false" >  <!-- IS_AUTHENTICATED_ANONYMOUSLY 匿名登錄 -->  <intercept-url pattern="/login" access="IS_AUTHENTICATED_ANONYMOUSLY" />  <intercept-url pattern="/pm/**/*.jsp" access="ROLE_STATIC" />  <form-login login-page="/login"    authentication-failure-url="/login?error=1" authentication-success-forward-url="/main.to" />  <logout invalidate-session="true" logout-url="/logout"  logout-success-url="/"  />  <http-basic/>  <headers >  <frame-options disabled="true"></frame-options>  </headers>  <csrf token-repository-ref="csrfTokenRepository" />  <session-management session-authentication-error-url="/frame.expired" >  <!-- max-sessions只容許一個賬號登錄，error-if-maximum-exceeded 后面賬號登錄后踢出前一個賬號，expired-url session過期跳轉界面 -->  <concurrency-control max-sessions="1" error-if-maximum-exceeded="false" expired-url="/frame.expired" session-registry-ref="sessionRegistry" />  </session-management>  <expression-handler ref="webexpressionHandler" ></expression-handler>  </http>  <beans:bean id="sessionRegistry" class="org.springframework.security.core.session.SessionRegistryImpl" />  <beans:bean id="userDetailsService" class="com.framework.security.UserDetailsServiceImpl" />  <!--配置web端使用權限控制-->  <beans:bean id="webexpressionHandler" class="org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler" />  <authentication-manager >  <authentication-provider ref="authenticationProvider" />  </authentication-manager>  <!-- 自定義userDetailsService， 鹽值加密 -->  <beans:bean id="authenticationProvider" class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">  <beans:property name="hideUserNotFoundExceptions" value="true" />  <beans:property name="userDetailsService" ref="userDetailsService" />  <beans:property name="passwordEncoder" ref="passwordEncoder" />  <beans:property name="saltSource" ref="saltSource" />  </beans:bean>  <!-- Md5加密 -->  <beans:bean id="passwordEncoder" class="org.springframework.security.authentication.encoding.Md5PasswordEncoder" />  <!-- 鹽值加密 salt對應數據庫字段-->  <beans:bean id="saltSource" class="org.springframework.security.authentication.dao.ReflectionSaltSource">  <beans:property name="userPropertyToUse" value="salt"/>  </beans:bean>  <beans:bean id="csrfTokenRepository" class="org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository" />  
</beans:beans>  

?