SpringSecurity框架(一)xml配置

1.web.xml配置

<?xml version="1.0" encoding="UTF-8"?>
<!-- Servlet 2.5 deployment descriptor: starts the Spring root context that holds the
     Spring Security configuration and sends every request through its filter chain. -->
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/javaee" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" version="2.5">
  <display-name>springCecurityDemo</display-name>
 <!-- 1. On application startup, ContextLoaderListener builds the root Spring context
      and thereby initialises the Spring Security configuration. -->
 <listener>
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
 </listener>

 <!-- Configuration file loaded by the listener above; here it is the security
      configuration on the classpath. -->
 <context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>classpath:springSecurity.xml</param-value>
 </context-param>
 <!-- 2. Register the filter chain. The security filters are managed inside the Spring
      container; DelegatingFilterProxy is only a proxy registered with the web container.
      By default it delegates to the bean whose name equals filter-name, so the name
      "springSecurityFilterChain" must not be changed. -->
 <filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
 </filter>
 <!-- The chain is mapped to every URL. A narrower pattern would leave the unmatched
      paths outside Spring Security altogether. No dispatcher element is declared, so
      the servlet default applies: only REQUEST dispatches pass through the chain,
      not FORWARD or INCLUDE. -->
 <filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
 </filter-mapping>
</web-app>

2、Spring Security配置

<?xml version="1.0" encoding="UTF-8"?>
<!-- Spring Security namespace configuration for the demo: URL access rules,
     form login, and an in-memory user store. -->
<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:security="http://www.springframework.org/schema/security"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
          http://www.springframework.org/schema/beans/spring-beans.xsd
          http://www.springframework.org/schema/security
          http://www.springframework.org/schema/security/spring-security.xsd">  

<!-- security="none" takes these two pages out of Spring Security completely: no
     security filter runs for them, so unauthenticated users can load the login and
     failure pages. http elements are matched in declaration order, so these specific
     patterns have to stay above the catch-all element that follows. -->
<security:http security="none" pattern="/login.html"></security:http>   
<security:http security="none" pattern="/failer.html"></security:http>         
<!-- Main filter chain for all remaining URLs. auto-config="true" enables the default
     form login, HTTP Basic and logout handling. use-expressions="false" means the
     access attributes below are plain authority names, not SpEL expressions. -->
<security:http auto-config="true"  use-expressions="false"  >
    <!-- <security:intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY" /> -->
    <!-- Every URL requires the ROLE_ACCESS authority.
         NOTE(review): of the users defined below only "itcast" holds ROLE_ACCESS;
         "admin" holds ROLE_ADMIN only and would be denied after logging in. Confirm
         that this is intended. -->
    <security:intercept-url  pattern="/**" access="ROLE_ACCESS"  />
    <!-- Form login: custom login page, the URL the login form posts to, the page shown
         after a successful login, and the page forwarded to when authentication fails. -->
    <security:form-login login-page="/login.html" 
                login-processing-url="/login.do" 
                default-target-url="/index.html" 
                authentication-failure-forward-url="/failer.html" />

    <!-- CSRF protection is switched off. With it disabled, state-changing requests,
         including login and logout, are accepted without a CSRF token. Acceptable for
         a local demo only; a real deployment should keep CSRF enabled and send the
         token with each form.
         NOTE(review): presumably disabled because the static login.html cannot render
         a token; confirm. -->
    <security:csrf disabled="true"/>
</security:http>

<!-- In-memory demo users. The {noop} prefix stores each password in plain text with no
     hashing, and each password here equals its user name. Demo only: production
     configurations should use a hashing encoder such as bcrypt and keep credentials
     out of the configuration file. -->
<security:authentication-manager>
    <security:authentication-provider>
        <security:user-service>
            <security:user name="admin" password="{noop}admin" authorities="ROLE_ADMIN"/>
            <security:user name="itcast" password="{noop}itcast" authorities="ROLE_ACCESS"/>

        </security:user-service>
    </security:authentication-provider>
</security:authentication-manager>

<!-- NOTE(review): this file declares no
     <security:global-method-security pre-post-annotations="enabled"/>.
     @PreAuthorize annotations on service methods are enforced only when method
     security is enabled in the context that defines those beans; confirm it is
     configured elsewhere. -->
</beans>

3.权限的设置

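在业务层方法上通过注解 @PreAuthorize 配置调用该方法所需的权限(需要在 Spring 配置中通过 <security:global-method-security pre-post-annotations="enabled"/> 开启方法级安全,否则该注解不会生效):
@PreAuthorize("hasAuthority('PRODUCT_LIST')")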


    /**
     * Returns one page of the full product list.
     *
     * <p>Callers must hold the {@code PRODUCT_LIST} authority; the check is declared
     * through {@code @PreAuthorize} and is enforced only when method security
     * (pre/post annotations) is enabled in the Spring context.
     * NOTE(review): the demo users in the security configuration on this page hold
     * ROLE_ADMIN and ROLE_ACCESS only, so neither would pass this check as shown.
     *
     * @param pageNum  page number, handed to PageHelper unchanged
     * @param pageSize page size, handed to PageHelper unchanged
     * @return a PageInfo built from the DAO query result
     */
    @PreAuthorize("hasAuthority('PRODUCT_LIST')")
    @Transactional(propagation = Propagation.SUPPORTS, readOnly = true)
    public PageInfo findAllProduct(Integer pageNum, Integer pageSize) {
        // Paging is set up first so that it applies to the DAO query that follows.
        PageHelper.startPage(pageNum, pageSize);
        List<Product> pagedProducts = productDao.findAllProduct();
        return new PageInfo(pagedProducts);
    }


转载自blog.csdn.net/houysx/article/details/80267302