spring security 自定义bean

<beans
	xmlns="http://www.springframework.org/schema/beans"
	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xmlns:aop="http://www.springframework.org/schema/aop"
	xmlns:security="http://www.springframework.org/schema/security"
	xsi:schemaLocation="
		http://www.springframework.org/schema/beans 
		http://www.springframework.org/schema/beans/spring-beans-4.0.xsd 
		http://www.springframework.org/schema/aop 
        http://www.springframework.org/schema/aop/spring-aop-4.0.xsd
        http://www.springframework.org/schema/security 
		http://www.springframework.org/schema/security/spring-security.xsd ">
		
		
	<!--
		Hand-wired FilterChainProxy. Each filter-chain entry pairs an Ant pattern with the filter beans to
		run for it, in the order listed. The entries are tried top to bottom and the first matching pattern
		wins, so the catch-all "/**" has to stay last.
		Only the filters named here run; nothing is added implicitly.
		NOTE(review): no HeaderWriterFilter or ChannelProcessingFilter is listed, so this chain does not
		supply security response headers or HTTPS enforcement. Confirm both are handled elsewhere.
	-->
	<bean id="springSecurityFilterChain" class="org.springframework.security.web.FilterChainProxy">
		<security:filter-chain-map request-matcher="ant">
			<!-- filters="none": matching requests bypass every security filter (no SecurityContext, no CSRF
				check, no authorization). Whatever is served under these two patterns is public. -->
			<security:filter-chain pattern="/resources/**" filters="none" />
			<security:filter-chain pattern="/*.html" filters="none" />
			<security:filter-chain pattern="/**" filters="
		        securityContextPersistenceFilter,
		        concurrentSessionFilter,
		        webAsyncManagerIntegrationFilter,
		        csrfFilter,
		        logoutFilter,
		        usernamePasswordAuthenticationFilter,
		        basicAuthenticationFilter,
		        requestCacheAwareFilter,
		        securityContextHolderAwareRequestFilter,
		        rememberMeAuthenticationFilter,
		        anonymousAuthenticationFilter,
		        sessionManagementFilter,
		        exceptionTranslationFilter,
		        filterSecurityInterceptor
		        " />
    	</security:filter-chain-map>
  	</bean>
  	
  	<!--
		SecurityContextPersistenceFilter: loads the SecurityContext from the repository at the start of a
		request and stores it back at the end. forceEagerSessionCreation=false means the filter itself
		does not create a session up front.
	-->
	<bean id="securityContextPersistenceFilter"
			class="org.springframework.security.web.context.SecurityContextPersistenceFilter">
		<constructor-arg ref="securityContextRepository" />
    	<property name="forceEagerSessionCreation" value="false" />
	</bean>
	<!-- The context is kept in the HTTP session. disableUrlRewriting=true stops the session id from being
		appended to URLs, which keeps it out of links, logs and Referer headers. -->
	<bean id="securityContextRepository"
			class="org.springframework.security.web.context.HttpSessionSecurityContextRepository">
		<property name="allowSessionCreation" value="true" />
		<property name="disableUrlRewriting" value="true" />
	</bean>
	
	<!--
		CsrfFilter: validates the CSRF token kept in the HTTP session and hands rejected requests to
		accessDeniedHandler. No requireCsrfProtectionMatcher is set, so the filter's default matcher
		applies, which does not check GET, HEAD, TRACE or OPTIONS requests.
		Requests matched by a filters="none" chain never reach this filter.
	-->
	<bean id="csrfFilter"
			class="org.springframework.security.web.csrf.CsrfFilter">
		<constructor-arg ref="httpSessionCsrfTokenRepository" />
    	<property name="accessDeniedHandler" ref="accessDeniedHandler" />
	</bean>
	<!-- Shared with csrfAuthenticationStrategy, which also references this repository. -->
	<bean id="httpSessionCsrfTokenRepository"
			class="org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository" />
			
	<!--
		UsernamePasswordAuthenticationFilter: form login. It handles only the requests accepted by
		authenticationFilterProcessUrlRequestMatcher (POST /login) and reads the "username" and "password"
		request parameters. On success it applies the session authentication strategy and the remember-me
		services; the outcome is then passed to the success or failure handler.
	-->
	<bean id="usernamePasswordAuthenticationFilter"
			class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
		<property name="authenticationManager" ref="authenticationManager" />
	    <property name="usernameParameter" value="username" />
	    <property name="passwordParameter" value="password" />
	    <property name="rememberMeServices" ref="persistentTokenBasedRememberMeServices" />
	    <property name="sessionAuthenticationStrategy" ref="compositeSessionAuthenticationStrategy" />
	    <property name="authenticationSuccessHandler" ref="savedRequestAwareAuthenticationSuccessHandler" />
	    <property name="authenticationFailureHandler" ref="simpleUrlAuthenticationFailureHandler" />
	    <property name="requiresAuthenticationRequestMatcher" ref="authenticationFilterProcessUrlRequestMatcher" />
	    <property name="allowSessionCreation" value="true"/>
	</bean>
	<!-- After login, return to the request saved in httpSessionRequestCache, or to /welcome.jsp when there
		is none. No targetUrlParameter is configured, so the redirect target is not taken from a request
		parameter. -->
	<bean id="savedRequestAwareAuthenticationSuccessHandler" 
			class="org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler" >
	    <property name="requestCache" ref="httpSessionRequestCache" />
	    <property name="defaultTargetUrl" value="/welcome.jsp" />
	</bean>
	<!-- A failed login goes to one fixed URL. -->
	<bean id="simpleUrlAuthenticationFailureHandler"
			class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
	    <constructor-arg value="/login.jsp?error" />
	    <property name="allowSessionCreation" value="true" />
	</bean>
	<!-- Path and HTTP method: credentials are accepted on POST /login only. -->
	<bean id="authenticationFilterProcessUrlRequestMatcher" 
			class="org.springframework.security.web.util.matcher.AntPathRequestMatcher">
    	<constructor-arg value="/login" />
    	<constructor-arg value="POST" />
	</bean>


	<!--
		AnonymousAuthenticationFilter: gives unauthenticated requests an anonymous Authentication.
		The filter and the provider below must be given the same key, because the provider only accepts
		anonymous tokens whose key matches its own.
		NOTE(review): the key is a literal repeated in two beans. Supplying it once from an externalized
		property would keep the two in step and keep the value out of version control.
	-->
	<bean id="anonymousAuthenticationFilter"
			class="org.springframework.security.web.authentication.AnonymousAuthenticationFilter">
		<constructor-arg value="BF93JFJ091N00Q7HF" />
	</bean>
	<bean id="anonymousAuthenticationProvider"
			class="org.springframework.security.authentication.AnonymousAuthenticationProvider">
    	<constructor-arg type="java.lang.String" value="BF93JFJ091N00Q7HF"/>
	</bean>
	
	<!--
		FilterSecurityInterceptor: the URL authorization step at the end of the chain. It asks
		securityMetadataSource which attributes a request needs, then asks the access decision manager.
		NOTE(review): the metadata source is a project class (not shown) fed by resourceRepository. If it
		returns no attributes for a URL it does not know, the interceptor lets the request through as
		public, because rejectPublicInvocations is not set here. Confirm that unmapped URLs fail closed;
		the static rules that are commented out below ended with a catch-all "/**" rule.
	-->
	<bean id="filterSecurityInterceptor"
			class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor">
	    <property name="authenticationManager" ref="authenticationManager" />
	    <property name="accessDecisionManager" ref="affirmativeBased" />
		<property name="securityMetadataSource" ref="securityMetadataSource" />
		<!-- 
		<property name="securityMetadataSource">
			<security:filter-security-metadata-source use-expressions="true">
		        <security:intercept-url pattern="/*.html" access="permitAll" />
		        <security:intercept-url pattern="/login.jsp*" access="permitAll" />
				<security:intercept-url pattern="/login*" access="permitAll" />
				<security:intercept-url pattern="/security/**" access="hasRole('ROLE_ADMIN')" />
				<security:intercept-url pattern="/**" access="hasRole('ROLE_USER')" />
			</security:filter-security-metadata-source>
		</property> -->
	</bean>
	<!-- Project-specific metadata source; it is wired to resourceRepository, which in turn uses dataSource. -->
	<bean id="securityMetadataSource" class="com.jaeson.springstudy.security.URLFilterInvocationSecurityMetadataSource">
		<property name="resourceRepository" ref="resourceRepository" />
	</bean>
	<bean id="resourceRepository" class="com.jaeson.springstudy.security.ResourceRepository">
		<property name="dataSource" ref="dataSource" />
	</bean>
	<!-- AffirmativeBased: access is granted as soon as any one of the listed voters grants it. -->
	<bean id="affirmativeBased" class="org.springframework.security.access.vote.AffirmativeBased">
		<constructor-arg type="java.util.List">
			<list>
		        <ref bean="expressionVoter" />
		        <ref bean="roleVoter" />
		        <ref bean="authenticatedVoter" />
			</list>
		</constructor-arg>
	</bean>
 	<bean id="roleVoter" class="org.springframework.security.access.vote.RoleVoter" />
 	<bean id="authenticatedVoter" class="org.springframework.security.access.vote.AuthenticatedVoter" />
	<bean id="expressionVoter" class="org.springframework.security.web.access.expression.WebExpressionVoter">
		<property name="expressionHandler" ref="expressionHandler" />
	</bean>
	<bean id="expressionHandler"
			class="org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler" />

	
	<!--
		AuthenticationManager: a ProviderManager that tries the listed providers in order
		(username/password against the database, anonymous, remember-me) and publishes
		authentication events through defaultAuthenticationEventPublisher.
	-->
	<bean id="authenticationManager" class="org.springframework.security.authentication.ProviderManager">
		<constructor-arg type="java.util.List">
			<list>
		        <ref bean="daoAuthenticationProvider" />
		        <ref bean="anonymousAuthenticationProvider" />
		        <ref bean="rememberMeAuthenticationProvider" />
			</list>
		</constructor-arg>
    	<property name="authenticationEventPublisher" ref="defaultAuthenticationEventPublisher" />
	</bean>
	<!-- Stored passwords are expected to be BCrypt hashes; the submitted password is checked against them. -->
	<bean id="passwordEncoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder" />
	<bean id="defaultAuthenticationEventPublisher" 
			class="org.springframework.security.authentication.DefaultAuthenticationEventPublisher" />
	<bean id="daoAuthenticationProvider"
			class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
	    <property name="userDetailsService" ref="userDetailsService"/>
	    <property name="passwordEncoder" ref="passwordEncoder"/>
	</bean>
	<!--
		JDBC-backed user lookup. Both queries take the username through a "?" placeholder, so it is passed
		as a bound parameter and never concatenated into the SQL text.
		The authorities query resolves roles through group membership (user, user_group, groups,
		group_role, role).
		NOTE(review): no rolePrefix is set, so rolename values presumably already carry the "ROLE_"
		prefix that RoleVoter looks for by default. Verify against the data.
	-->
	<bean id="userDetailsService" class="org.springframework.security.core.userdetails.jdbc.JdbcDaoImpl">
		<property name="dataSource" ref="dataSource" />
		<property name="usersByUsernameQuery" 
			value="SELECT username, password, enable FROM user WHERE username=?" />
		<property name="authoritiesByUsernameQuery" 
			value="SELECT u.username as username, r.rolename as rolename
					FROM user u
					JOIN user_group ug ON u.id=ug.user_id
					JOIN groups g ON ug.group_id=g.id
					JOIN group_role gr ON g.id=gr.group_id
					JOIN role r ON gr.role_id=r.id
					WHERE u.username=?" />
	</bean>
	
	<!--
		LogoutFilter: on a request accepted by logoutFilterProcessUrlRequestMatcher it runs the three
		logout handlers and then redirects to /logout.html.
	-->
	<bean id="logoutFilter" class="org.springframework.security.web.authentication.logout.LogoutFilter">
	    <constructor-arg type="java.lang.String" value="/logout.html"/>
	    <constructor-arg>
			<array>
				<ref bean="securityContextLogoutHandler" />
				<ref bean="cookieClearingLogoutHandler" />
				<!-- The remember-me services are listed as a logout handler too, so remember-me state is
					cleaned up when the user logs out. -->
		        <ref bean="persistentTokenBasedRememberMeServices" />
			</array>
		</constructor-arg>
		<property name="logoutRequestMatcher" ref="logoutFilterProcessUrlRequestMatcher" />
	</bean>
	<!-- Invalidates the HTTP session and clears the Authentication from the security context. -->
	<bean id="securityContextLogoutHandler"
      		class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler">
	    <property name="invalidateHttpSession" value="true"/>
	    <property name="clearAuthentication" value="true"/>
	</bean>
	<!-- Expires the named cookies in the browser. -->
	<bean id="cookieClearingLogoutHandler"
      		class="org.springframework.security.web.authentication.logout.CookieClearingLogoutHandler">
		<constructor-arg>
			<array>
				<value>JSESSIONID</value>
			</array>
		</constructor-arg>
	</bean>
	<!--
		NOTE(review): only a path is given, so /logout matches for any HTTP method, GET included. The CSRF
		filter's default matcher does not check GET, so a cross-site GET can end a user's session.
		Consider adding a second constructor-arg with value "POST", as the login matcher has, once the
		application's logout control submits a POST form that carries the CSRF token.
	-->
	<bean id="logoutFilterProcessUrlRequestMatcher" 
  			class="org.springframework.security.web.util.matcher.AntPathRequestMatcher">
    	<constructor-arg value="/logout"/>
  	</bean>
  	
	<!--
		RememberMeAuthenticationFilter: when a request has no Authentication yet, asks the remember-me
		services for an auto-login and authenticates the result through the authentication manager.
	-->
	<bean id="rememberMeAuthenticationFilter"
			class="org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter">
		<constructor-arg ref="authenticationManager"/>
		<constructor-arg ref="persistentTokenBasedRememberMeServices"/>
	</bean>
	<!--
		Persistent-token remember-me: tokens are stored through jdbcTokenRepository, and the browser
		receives a cookie named REMEMBER_ME when the login form sends the "remember-me" parameter.
		The key given here must equal the key of rememberMeAuthenticationProvider below.
		NOTE(review): the key is a literal in this file and is duplicated in the provider. Do not reuse
		this value; generate one per deployment and supply it from an externalized property.
		NOTE(review): useSecureCookie is not set, so the cookie's Secure flag follows whether the login
		request itself was secure. Confirm that logins happen over HTTPS only.
	-->
	<bean id="persistentTokenBasedRememberMeServices"
			class="org.springframework.security.web.authentication.rememberme.PersistentTokenBasedRememberMeServices">
		<constructor-arg  type="java.lang.String" value="BoSk70Yar38~veg91DoCKs=sLaIn!met" />
		<constructor-arg 
			type="org.springframework.security.core.userdetails.UserDetailsService"
            ref="userDetailsService" />
    	<constructor-arg
			type="org.springframework.security.web.authentication.rememberme.PersistentTokenRepository"
        	ref="jdbcTokenRepository" />
	    <property name="cookieName" value="REMEMBER_ME" />
	    <property name="parameter" value="remember-me" />
	</bean>
	<!-- Token store on the shared dataSource. createTableOnStartup is not set, so the token table is
		expected to exist already. -->
	<bean id="jdbcTokenRepository"
			class="org.springframework.security.web.authentication.rememberme.JdbcTokenRepositoryImpl">
		<property name="dataSource" ref="dataSource" />
	</bean>
	<!-- Accepts remember-me tokens only when their key matches this one. -->
	<bean id="rememberMeAuthenticationProvider"
			class="org.springframework.security.authentication.RememberMeAuthenticationProvider">
		<constructor-arg value="BoSk70Yar38~veg91DoCKs=sLaIn!met"/>
	</bean>

	<!--
		ExceptionTranslationFilter: turns security exceptions raised further down the chain into responses.
		A caller who is not authenticated has the request saved in httpSessionRequestCache and is sent
		to /login.jsp; an authenticated caller who is denied is handed to accessDeniedHandler.
	-->
	<bean id="exceptionTranslationFilter" class="org.springframework.security.web.access.ExceptionTranslationFilter">
	    <constructor-arg ref="loginUrlAuthenticationEntryPoint" />
	    <constructor-arg ref="httpSessionRequestCache" />
	    <property name="accessDeniedHandler" ref="accessDeniedHandler" />
	</bean>
	<bean id="loginUrlAuthenticationEntryPoint"
			class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
		<constructor-arg value="/login.jsp" />
	</bean>
	<!-- Also used by csrfFilter, so a rejected CSRF token ends on the same error page. -->
	<bean id="accessDeniedHandler" class="org.springframework.security.web.access.AccessDeniedHandlerImpl">
		<property name="errorPage" value="/accessDenied.html" />
	</bean>

	<!--
		ConcurrentSessionFilter: checks the current session against sessionRegistry. For a session the
		registry has marked as expired it runs the logout handlers and redirects to /expire.html.
	-->
	<bean id="concurrentSessionFilter" class="org.springframework.security.web.session.ConcurrentSessionFilter">
	    <constructor-arg type="org.springframework.security.core.session.SessionRegistry" ref="sessionRegistry" />
	    <constructor-arg type="java.lang.String" value="/expire.html" />
		<property name="logoutHandlers">
			<array>
				<ref bean="securityContextLogoutHandler" />
				<ref bean="cookieClearingLogoutHandler" />
		        <ref bean="persistentTokenBasedRememberMeServices" />
			</array>
		</property>
	</bean>
	<!--
		SessionManagementFilter: applies the session authentication strategy to users who were
		authenticated during the current request by a mechanism other than the form-login filter, which
		invokes the strategy itself. A rejection by the strategy goes to the same failure handler as a
		failed login.
	-->
	<bean id="sessionManagementFilter" class="org.springframework.security.web.session.SessionManagementFilter">
	    <constructor-arg ref="securityContextRepository"/>
	    <constructor-arg ref="compositeSessionAuthenticationStrategy"/>
	    <property name="authenticationFailureHandler" ref="simpleUrlAuthenticationFailureHandler"/>
	</bean>

	<!--
		SessionAuthenticationStrategy: the delegates below run in list order after a successful
		authentication: renew the CSRF token, enforce the concurrent-session limit, replace the session
		to defend against session fixation, then record the new session in the registry.
	-->
	<bean id="compositeSessionAuthenticationStrategy"
			class="org.springframework.security.web.authentication.session.CompositeSessionAuthenticationStrategy">
		<constructor-arg>
			<list>
				<ref bean="csrfAuthenticationStrategy" />
		        <ref bean="sessionControlAuthenticationStrategy" />
		        <ref bean="sessionFixationProtectionStrategy" />
		        <ref bean="registerSessionAuthenticationStrategy" />
			</list>
		</constructor-arg>
	</bean>
	<bean id="csrfAuthenticationStrategy"
			class="org.springframework.security.web.csrf.CsrfAuthenticationStrategy">
		<constructor-arg ref="httpSessionCsrfTokenRepository"/>
	</bean>
	<!--
		One session per user. With exceptionIfMaximumExceeded=true a second login is rejected rather than
		the older session being expired. A project subclass is used here; the stock class is kept in the
		comment inside the tag.
		NOTE(review): the limit is only released when the registry learns that a session has ended. The
		stock SessionRegistryImpl relies on an HttpSessionEventPublisher listener being registered in
		web.xml. MySessionRegistryImpl and web.xml are not shown; confirm that session-destroyed events
		reach the registry, otherwise a user who never logs out explicitly may be unable to log in again.
	-->
	<bean id="sessionControlAuthenticationStrategy"
			class="com.jaeson.springstudy.security.MyConcurrentSessionControlAuthenticationStrategy">
			<!-- class="org.springframework.security.web.authentication.session.ConcurrentSessionControlAuthenticationStrategy"> -->
		<constructor-arg ref="sessionRegistry" />
		<property name="maximumSessions" value="1" />
		<property name="exceptionIfMaximumExceeded" value="true" />
	</bean>
	<!-- Session fixation defence: a new session is created at login and the existing attributes are copied
		into it. -->
	<bean id="sessionFixationProtectionStrategy"
			class="org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy">
		<property name="migrateSessionAttributes" value="true" />
	</bean>
	<!-- Project subclass; the stock class it replaces is kept in the comment inside the tag. -->
	<bean id="registerSessionAuthenticationStrategy"
			class="com.jaeson.springstudy.security.MyRegisterSessionAuthenticationStrategy">
			<!-- class="org.springframework.security.web.authentication.session.RegisterSessionAuthenticationStrategy"> -->
    	<constructor-arg ref="sessionRegistry" />
	</bean>
	<!-- Registry shared by concurrentSessionFilter and the two session strategies above. The stock
		implementation is kept in the next comment for reference. -->
	<!-- <bean id="sessionRegistry" class="org.springframework.security.core.session.SessionRegistryImpl"/> -->
	<bean id="sessionRegistry" class="com.jaeson.springstudy.security.MySessionRegistryImpl" />
	
	<!-- SecurityContextHolderAwareRequestFilter: wraps the request so that the servlet API security methods
		are answered from the Spring Security context. -->
	<bean id="securityContextHolderAwareRequestFilter"
			class="org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter">
		<property name="authenticationManager" ref="authenticationManager" />
	</bean>	
	
	<!-- WebAsyncManagerIntegrationFilter: carries the SecurityContext over to Spring MVC asynchronous
		request processing. -->
	<bean id="webAsyncManagerIntegrationFilter"
			class="org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter" />

	<!--
		BasicAuthenticationFilter: authenticates requests that carry an HTTP Basic Authorization header,
		in addition to form login.
		NOTE(review): Basic credentials travel with every such request and are only base64 encoded.
		Nothing in this file enforces HTTPS; confirm that TLS is required in front of the application.
	-->
	<bean id="basicAuthenticationFilter"
			class="org.springframework.security.web.authentication.www.BasicAuthenticationFilter">
	    <constructor-arg ref="authenticationManager" />
	    <constructor-arg ref="basicAuthenticationEntryPoint" />
	</bean>
	<bean id="basicAuthenticationEntryPoint"
			class="org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint">
		<property name="realmName" value="Spring Security Application" />
	</bean>

	<!-- RequestCacheAwareFilter: after login, replays the request that was saved before the user was sent
		to the login page. The cache lives in the HTTP session and may create one. -->
	<bean id="requestCacheAwareFilter" class="org.springframework.security.web.savedrequest.RequestCacheAwareFilter">
		<constructor-arg ref="httpSessionRequestCache" />
	</bean>
	<bean id="httpSessionRequestCache" class="org.springframework.security.web.savedrequest.HttpSessionRequestCache">
	    <property name="createSessionAllowed" value="true" />
	</bean>	

	<!-- Needed by the page-level authorization tags: evaluates URL access through filterSecurityInterceptor. -->
	<bean id="webInvocationFilter" 
			class="org.springframework.security.web.access.DefaultWebInvocationPrivilegeEvaluator">
		<constructor-arg ref="filterSecurityInterceptor" />
	</bean>

	<!--
		Method-level access control. The aop:config below applies this interceptor to every method of
		SessionRegistryExample, but only the method name patterns listed in the metadata source carry
		access attributes. Methods matching none of the patterns are invoked without a check.
	-->
	<bean id="methodSecurityInterceptor" 
			class="org.springframework.security.access.intercept.aopalliance.MethodSecurityInterceptor">
		<property name="authenticationManager" ref="authenticationManager" />
		<property name="accessDecisionManager" ref="methodAffirmativeBased" />
		<property name="securityMetadataSource">
			<security:method-security-metadata-source>
				<!-- The methods to protect and the authorities each one requires. With an affirmative
					decision manager, holding any one of the listed roles is enough. -->
				<security:protect method="com.jaeson.springstudy.security.SessionRegistryExample.getOnline*" 
					access="ROLE_USER, ROLE_ADMIN" />
				<security:protect method="com.jaeson.springstudy.security.SessionRegistryExample.getActive*" 
					access="ROLE_ADMIN" />
				<security:protect method="com.jaeson.springstudy.security.SessionRegistryExample.test*" 
					access="IS_AUTHENTICATED_FULLY" />
			</security:method-security-metadata-source>
		</property>
	</bean>
	<!-- Decision manager for method security: role and authentication-level voters only, no expression
		voter, so the access values above are plain attribute names. -->
	<bean id="methodAffirmativeBased" class="org.springframework.security.access.vote.AffirmativeBased">
		<constructor-arg type="java.util.List">
			<list>
		        <ref bean="roleVoter" />
		        <ref bean="authenticatedVoter" />
			</list>
		</constructor-arg>
	</bean>
	<!-- <bean id="methodExpressionHandler"
			class="org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler" /> -->
	<aop:config>
		<aop:pointcut id="securityMethodPointCut" expression="execution(* com.jaeson.springstudy.security.SessionRegistryExample.*(..))" />
		<aop:advisor advice-ref="methodSecurityInterceptor" pointcut-ref="securityMethodPointCut"/>
	</aop:config>
	
	<!-- Spring Security defines four annotations that accept expressions: @PreAuthorize, @PostAuthorize,
		@PreFilter and @PostFilter. The first two check permissions before or after a method call; the
		last two filter collection-typed arguments or return values. -->
	<!-- <security:global-method-security pre-post-annotations="enabled" /> -->
	
	<!-- JSR-250 annotation: @RolesAllowed -->
	<!-- <security:global-method-security jsr250-annotations="enabled"/> -->
</beans>


转载自jaesonchen.iteye.com/blog/2297216