<?xml version="1.0" encoding="UTF-8"?>
<!--
  Spring Security 3.0 namespace configuration. The security schema is the default
  namespace, so security elements are unprefixed and plain Spring bean definitions
  carry the beans: prefix.
-->
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd">

    <!--
      Web security rules. auto-config="true" already enables form login, HTTP Basic and
      logout with defaults; the form-login, logout and http-basic children below
      customise or repeat those. Authenticated users who are refused access are sent
      to /deny.jsp.
      No access-decision-manager-ref is set here, so the accessDecisionManager bean
      defined further down is not what evaluates these intercept-url rules.
    -->
    <http access-denied-page="/deny.jsp" auto-config="true">
        <!--
          intercept-url patterns are evaluated in the order listed and the first match
          wins, so the catch-all /** rule must stay last.
          filters="none" removes the matching requests from the Spring Security filter
          chain entirely: no authentication, no authorisation, and no SecurityContext
          is available while they are handled.
        -->
        <!-- Login page; must be reachable before authentication. -->
        <intercept-url pattern="/modules/index.jsp*" filters="none" />
        <!-- Presumably static assets; confirm that /common/** holds nothing sensitive. -->
        <intercept-url pattern="/js/**" filters="none" />
        <intercept-url pattern="/images/**" filters="none" />
        <intercept-url pattern="/css/**" filters="none" />
        <intercept-url pattern="/flash/**" filters="none" />
        <intercept-url pattern="/common/**" filters="none" />
        <!--
          NOTE(review): these two upload endpoints are also excluded from the filter
          chain, so Spring Security performs no authentication or authorisation on
          them. Unless the handlers identify the caller themselves (not visible in this
          file), uploads are accepted from unauthenticated clients. Prefer a rule with
          an access attribute; if the exclusion has to stay, the handlers need their own
          caller check plus limits on file type, size and storage location.
        -->
        <intercept-url pattern="/myupload/uploadhandler.do" filters="none" />
        <intercept-url pattern="/user/uploadAvatar.do" filters="none" />
        <!-- Everything else requires a full login (remember-me or anonymous is not enough). -->
        <intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY" />

        <!--
          Form login: credentials are posted to /gjposs_security_check.do. After a
          successful login the user always lands on main.jsp (the originally requested
          URL is ignored because always-use-default-target is true); failures return to
          the login page with error=true.
        -->
        <form-login login-page="/modules/index.jsp" authentication-failure-url="/modules/index.jsp?error=true" login-processing-url="/gjposs_security_check.do" default-target-url="/modules/common/main.jsp" always-use-default-target="true"/>
        <logout logout-success-url="/modules/index.jsp"/>
        <!--
          Redundant with auto-config="true". NOTE(review): with HTTP Basic enabled,
          credentials are accepted in an Authorization header on every secured URL, and
          no rule in this file sets requires-channel, so confirm that HTTPS is enforced
          elsewhere (container or reverse proxy).
        -->
        <http-basic/>
    </http>

    <!--
      NOTE(review): passwords are compared as MD5 digests and, with the salt source
      below commented out, without a salt. Unsalted MD5 is cheap to brute-force and
      identical passwords produce identical digests. Swapping the encoder alone would
      invalidate every stored digest, so a migration (for example re-hashing on the next
      successful login) is needed; later Spring Security releases ship adaptive encoders
      such as BCryptPasswordEncoder.
    -->
    <beans:bean id="passwordEncoder" class="org.springframework.security.authentication.encoding.Md5PasswordEncoder" />

    <!-- Users are loaded through the securityManager bean defined at the end of this file. -->
    <authentication-manager alias="authenticationManager">
        <authentication-provider user-service-ref="securityManager">
            <password-encoder ref="passwordEncoder">
                <!-- Salting is disabled. The element was left commented out by the author
                     (its opening angle bracket is missing as well):
                     salt-source user-property="getUsername"/> -->
            </password-encoder>
        </authentication-provider>
    </authentication-manager>

    <!--
      Affirmative decision manager: access is granted as soon as one voter grants it;
      if every voter abstains the request is denied (allowIfAllAbstainDecisions=false).
      Referenced only by resourceSecurityInterceptor below.
    -->
    <beans:bean id="accessDecisionManager" class="org.springframework.security.access.vote.AffirmativeBased">
        <beans:property name="allowIfAllAbstainDecisions" value="false"/>
        <beans:property name="decisionVoters">
            <beans:list>
                <beans:bean class="org.springframework.security.access.vote.RoleVoter"/>
                <beans:bean class="org.springframework.security.access.vote.AuthenticatedVoter"/>
            </beans:list>
        </beans:property>
    </beans:bean>

    <!--
      Additional FilterSecurityInterceptor whose rules come from the project class
      SecureResourceFilterInvocationDefinitionSource (its behaviour is not visible here).
      observeOncePerRequest=false makes the interceptor re-check on every pass through
      the filter instead of once per request.
      NOTE(review): nothing in this file inserts this bean into the http filter chain
      (there is no custom-filter element). Unless it is registered elsewhere, these
      rules are never enforced; verify.
    -->
    <beans:bean id="resourceSecurityInterceptor" class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor">
        <beans:property name="authenticationManager" ref="authenticationManager"/>
        <beans:property name="accessDecisionManager" ref="accessDecisionManager"/>
        <beans:property name="securityMetadataSource" ref="secureResourceFilterInvocationDefinitionSource" />
        <beans:property name="observeOncePerRequest" value="false" />
    </beans:bean>

    <beans:bean id="secureResourceFilterInvocationDefinitionSource" class="com.gjp.oss.security.interceptor.SecureResourceFilterInvocationDefinitionSource" />

    <!--
      Project class used as the user service of the authentication provider above.
      The sessionFactory bean it receives is defined outside this file.
    -->
    <beans:bean id="securityManager" class="com.gjp.oss.security.support.SecurityManagerSupport">
        <beans:property name="sessionFactory">
            <beans:ref bean="sessionFactory" />
        </beans:property>
    </beans:bean>
</beans:beans>
然后是适合portal的配置:
<?xml version="1.0" encoding="UTF-8"?>
<!--
  Spring Security 3.0 configured with explicit beans instead of the http namespace
  element. Spring beans are the default namespace; security elements use the sec:
  prefix. The context namespace is declared but not used in this document.
-->
<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:sec="http://www.springframework.org/schema/security"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:context="http://www.springframework.org/schema/context"
    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.0.xsd">

    <!--
      One filter chain for every URL; the filters run in the order listed.
      NOTE(review): formLoginFilter below configures ConcurrentSessionControlStrategy
      with maximumSessions=1, but this chain contains no ConcurrentSessionFilter. The
      strategy only marks an older session as expired; rejecting requests on an expired
      session is the job of that filter, so the one-session limit is presumably not
      enforced as intended. Confirm, and share a single SessionRegistry bean between
      the strategy and the filter if it is added.
    -->
    <bean id="springSecurityFilterChain" class="org.springframework.security.web.FilterChainProxy">
        <sec:filter-chain-map path-type="ant">
            <sec:filter-chain pattern="/**" filters=" securityContextPersistenceFilter, logoutFilter, formLoginFilter, exceptionTranslationFilter, filterSecurityInterceptor" />
        </sec:filter-chain-map>
    </bean>

    <!-- Keeps the SecurityContext in the HTTP session between requests. -->
    <bean id="securityContextPersistenceFilter" class="org.springframework.security.web.context.SecurityContextPersistenceFilter">
        <property name="securityContextRepository">
            <bean class="org.springframework.security.web.context.HttpSessionSecurityContextRepository"/>
        </property>
    </bean>

    <!--
      Logout is triggered by requests to /security-logout.do. The first constructor
      argument is the success handler (no target URL is configured, so its default
      applies); the second is the handler that clears the security context.
    -->
    <bean id="logoutFilter" class="org.springframework.security.web.authentication.logout.LogoutFilter">
        <constructor-arg><bean class="org.springframework.security.web.authentication.logout.SimpleUrlLogoutSuccessHandler"/></constructor-arg>
        <constructor-arg><bean class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler"/></constructor-arg>
        <property name="filterProcessesUrl" value="/security-logout.do"></property>
    </bean>

    <!--
      Form login posted to /security-login.do. Success always redirects to
      /login/forward.do (alwaysUseDefaultTargetUrl=true); failure returns to
      /login/login.do.
    -->
    <bean id="formLoginFilter" class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
        <property name="authenticationManager" ref="authenticationManager"/>
        <property name="filterProcessesUrl" value="/security-login.do"/>
        <property name="authenticationSuccessHandler">
            <bean class="org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler">
                <property name="defaultTargetUrl" value="/login/forward.do"></property>
                <property name="alwaysUseDefaultTargetUrl" value="true"></property>
            </bean>
        </property>
        <property name="authenticationFailureHandler">
            <bean class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
                <property name="defaultFailureUrl" value="/login/login.do"></property>
            </bean>
        </property>
        <!--
          Intended to limit each user to one session. The SessionRegistryImpl is an
          anonymous inner bean, so no other bean can consult it; see the review note on
          springSecurityFilterChain. Cleaning registry entries when sessions end also
          depends on a session event publisher registered outside this file; verify.
        -->
        <property name="sessionAuthenticationStrategy">
            <bean class="org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy">
                <constructor-arg>
                    <bean class="org.springframework.security.core.session.SessionRegistryImpl"></bean>
                </constructor-arg>
                <property name="maximumSessions" value="1"></property>
            </bean>
        </property>
    </bean>

    <!--
      Unauthenticated requests to protected URLs are sent to the login form.
      Authenticated users who lack the required authority are also sent to
      /login/login.do, because the access-denied error page is the login page.
    -->
    <bean id="exceptionTranslationFilter" class="org.springframework.security.web.access.ExceptionTranslationFilter">
        <property name="authenticationEntryPoint">
            <bean class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
                <property name="loginFormUrl" value="/login/login.do"/>
            </bean>
        </property>
        <property name="accessDeniedHandler">
            <bean class="org.springframework.security.web.access.AccessDeniedHandlerImpl">
                <property name="errorPage" value="/login/login.do"/>
            </bean>
        </property>
    </bean>

    <!--
      URL authorisation. Only /usercenter/** carries a rule. URLs that match no
      intercept-url have no security attributes, and rejectPublicInvocations is not
      set, so everything outside /usercenter/** is reachable without authentication.
      NOTE(review): confirm that this default-allow posture is intended.
    -->
    <bean id="filterSecurityInterceptor" class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor">
        <property name="authenticationManager" ref="authenticationManager"/>
        <property name="accessDecisionManager" ref="accessDecisionManager"/>
        <property name="securityMetadataSource">
            <sec:filter-security-metadata-source>
                <sec:intercept-url pattern="/usercenter/**" access="ROLE_VERIFIED_PORTAL_USER" />
            </sec:filter-security-metadata-source>
        </property>
    </bean>

    <!--
      NOTE(review): MD5 digests, and the provider below sets no saltSource, so the
      digests are unsalted. Unsalted MD5 is cheap to brute-force and identical passwords
      produce identical digests. Replacing the encoder needs a migration plan for the
      stored digests; later Spring Security releases ship adaptive encoders such as
      BCryptPasswordEncoder.
    -->
    <bean id="passwordEncoder" class="org.springframework.security.authentication.encoding.Md5PasswordEncoder" />

    <!--
      Single DAO-backed provider; portalUserDetailsService is defined outside this file.
      NOTE(review): hideUserNotFoundExceptions=false lets UsernameNotFoundException
      propagate instead of being reported as bad credentials. If the login page shows
      the stored exception or its message, a visitor can tell existing accounts from
      unknown ones; leaving the property at its default (true) avoids that.
    -->
    <bean id="authenticationManager" class="org.springframework.security.authentication.ProviderManager">
        <property name="providers">
            <bean class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
                <property name="userDetailsService" ref="portalUserDetailsService" />
                <property name="passwordEncoder" ref="passwordEncoder" />
                <property name="hideUserNotFoundExceptions" value="false" />
            </bean>
        </property>
    </bean>

    <!-- Majority-vote decision manager; with RoleVoter as the only voter, that vote decides. -->
    <bean id="accessDecisionManager" class="org.springframework.security.access.vote.ConsensusBased">
        <property name="decisionVoters">
            <list>
                <bean class="org.springframework.security.access.vote.RoleVoter"></bean>
            </list>
        </property>
    </bean>
</beans>