1. security.xml configuration
(1) Resources that may be loaded without any security check, i.e. the login page itself:
    <http pattern="/login.html" security="none"/>
security="none" takes matching requests out of the security filter chain altogether (no session integration, no anonymous principal, no access decision), so keep it for static pages such as the login form; a .do handler placed behind security="none" would be reachable by anyone.
(2) The authentication manager, i.e. the component that decides whether a username/password pair is correct:
    <authentication-manager erase-credentials="false" alias="authenticationManager">
        <authentication-provider ref="customAuthenticationProvider">
            <!-- If user passwords are stored hashed, a bit of "salt" can be added:
                 <password-encoder hash="md5"/> -->
        </authentication-provider>
    </authentication-manager>
Two caveats. erase-credentials="false" overrides the default (true) and keeps the submitted plaintext password inside the Authentication object, which sits in the HTTP session for the whole login; only set it when something downstream genuinely needs the password. And the commented-out <password-encoder hash="md5"/> is not a usable fallback: a provider wired with ref= may not carry child elements (the namespace parser rejects them), so password hashing has to happen inside customAuthenticationProvider itself, and it should use a slow, salted algorithm such as BCrypt rather than MD5.
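One way to write the provider that the ref="customAuthenticationProvider" attribute points at, with BCrypt in place of the MD5 encoder discussed above. This is an added example, not the project's own class: the class name CustomAuthenticationProvider, the package (the same one the page uses for its filter), the userDetailsService bean it is constructed with and the dummy password used for timing equalisation are all assumptions.

```java
package cn.topcheer.common.authority.springsec;   // assumed: same package as the page's filter

import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.DisabledException;
import org.springframework.security.authentication.LockedException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

/**
 * Provider behind <authentication-provider ref="customAuthenticationProvider">.
 * Passwords are verified with BCrypt (salted, deliberately slow) instead of the
 * MD5 encoder commented out in security.xml.
 */
public class CustomAuthenticationProvider implements AuthenticationProvider {

    private final UserDetailsService userDetailsService;   // assumed bean that loads users from the DB
    private final PasswordEncoder passwordEncoder = new BCryptPasswordEncoder(); // default cost factor 10
    // Hash checked when the username does not exist, so unknown and known users cost the same time
    private final String unknownUserHash;

    public CustomAuthenticationProvider(UserDetailsService userDetailsService) {
        this.userDetailsService = userDetailsService;
        this.unknownUserHash = passwordEncoder.encode("user-not-found-dummy-password"); // assumed dummy
    }

    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        String username = authentication.getName();
        Object creds = authentication.getCredentials();
        String rawPassword = creds == null ? "" : creds.toString();

        UserDetails user;
        try {
            user = userDetailsService.loadUserByUsername(username);
        } catch (UsernameNotFoundException e) {
            passwordEncoder.matches(rawPassword, unknownUserHash); // burn the same time as a real check
            throw new BadCredentialsException("Bad credentials");  // same message as a wrong password
        }
        // Password first: account status is only disclosed to someone who knows the password
        if (!passwordEncoder.matches(rawPassword, user.getPassword())) {
            throw new BadCredentialsException("Bad credentials");
        }
        if (!user.isAccountNonLocked()) {
            throw new LockedException("Account locked");
        }
        if (!user.isEnabled()) {
            throw new DisabledException("Account disabled");
        }
        // credentials = null: the plaintext password is not kept in the session, whatever erase-credentials says
        UsernamePasswordAuthenticationToken result =
                new UsernamePasswordAuthenticationToken(user, null, user.getAuthorities());
        result.setDetails(authentication.getDetails());
        return result;
    }

    @Override
    public boolean supports(Class<?> authentication) {
        return UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication);
    }

    /** For the registration / change-password path: store the returned hash, never the plaintext. */
    public String hashForStorage(String rawPassword) {
        return passwordEncoder.encode(rawPassword);
    }
}
```

Wired as <b:bean id="customAuthenticationProvider" class="cn.topcheer.common.authority.springsec.CustomAuthenticationProvider"><b:constructor-arg ref="userDetailsService"/></b:bean>, with the same bean name the <authentication-provider> above already references. The unknown-user branch deliberately runs a BCrypt comparison before failing, so that response time does not reveal which usernames exist.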
(3) Security configuration applied to each incoming HTTP request:
    <!-- The <http> attributes name the entry point, the authentication manager and the access-decision manager -->
    <http auto-config="false"
          entry-point-ref="authenticationEntryPoint"
          authentication-manager-ref="authenticationManager"
          access-decision-manager-ref="customAccessDecisionManager">
        <csrf disabled="true"/>
        <logout success-handler-ref="logoutSuccessHandler"/>
        <!-- A few .do back-end resources open to every user are configured here; the AccessDecisionManager does no further permission check on them -->
        <intercept-url pattern="/admin/**" access="ROLE_ADMIN"/>
        <intercept-url pattern="/user/getCurrentUser.do" access="permitAll"/>
        <!-- Every other resource requires an access check -->
        <intercept-url pattern="/**" access="isAuthenticated()"/>
        <!-- Custom filter that checks username, password and validate code -->
        <custom-filter ref="customUsernamePasswordAuthenticationFilter" position="FORM_LOGIN_FILTER"/>
        <anonymous enabled="false"/>
    </http>
Points to check before copying this block. The <intercept-url> rules are matched top to bottom and the first match wins, which is why /admin/** has to come before /**. <csrf disabled="true"/> switches off CSRF protection for every .do endpoint, logout included, so any state-changing request can be forged from another origin; unless the application has its own token scheme, delete the element and let the default protection run. The access values mix a plain role name (ROLE_ADMIN) with SpEL expressions (permitAll, isAuthenticated()); that only works because customAccessDecisionManager is wired in, whereas the stock manager needs use-expressions="true" and hasRole('ROLE_ADMIN'). Finally, with <anonymous enabled="false"/> an unauthenticated request carries no Authentication at all, and the security interceptor rejects it (AuthenticationCredentialsNotFoundException, handed to the entry point) before any access decision is made, so permitAll on /user/getCurrentUser.do admits logged-in users only; if "every user" is meant to include visitors who have not logged in, the anonymous filter has to stay enabled.
The beans referenced above are ordinary <b:bean> definitions, for example the "custom filter that checks the username and password", which injects the implementing class:
    <!-- Custom filter for username, password and validate code. Because the login module uses a validate code (captcha), a separate filter was written; this class only does the username/password comparison -->
    <b:bean id="customUsernamePasswordAuthenticationFilter"
            class="cn.topcheer.common.authority.springsec.CustomUsernamePasswordAuthenticationFilter">
        <b:property name="enableValidateCode" value="false"/>
        <b:property name="authenticationManager" ref="authenticationManager"/>
        <b:property name="authenticationFailureHandler" ref="failureHandler"/>
        <b:property name="authenticationSuccessHandler" ref="successHandler"/>
    </b:bean>
Here <b:property> sets a property of the bean through its setter (so the class needs a setEnableValidateCode(boolean); the other three setters are inherited from the Spring Security base filter), while <b:constructor-arg> supplies an argument to the class's constructor. Note that enableValidateCode is false in this configuration, so the captcha check the comment describes is switched off as shown.
(4) User-defined filters
A custom filter is registered in the form:
    <custom-filter ref="customUsernamePasswordAuthenticationFilter" position="FILTER_ALIAS"/>
position means the filter takes the slot of the standard filter named by FILTER_ALIAS and replaces it. The two alternatives, before and after, instead insert the custom filter immediately before or after the standard filter at that alias, leaving the standard one in place. A slot can be occupied only once: position="FORM_LOGIN_FILTER" is legal above only because the configuration has auto-config="false" and no <form-login> element; with either of those the namespace would already have put its own form-login filter there and the context would fail to start.
Standard filter aliases and order
  Alias                                Filter class
  CHANNEL_FILTER                       ChannelProcessingFilter
  CONCURRENT_SESSION_FILTER            ConcurrentSessionFilter
  SESSION_CONTEXT_INTEGRATION_FILTER   HttpSessionContextIntegrationFilter
  LOGOUT_FILTER                        LogoutFilter
  X509_FILTER                          X509PreAuthenticatedProcessingFilter
  PRE_AUTH_FILTER                      AbstractPreAuthenticatedProcessingFilter subclasses
  CAS_PROCESSING_FILTER                CasProcessingFilter
  AUTHENTICATION_PROCESSING_FILTER     AuthenticationProcessingFilter
  BASIC_PROCESSING_FILTER              BasicProcessingFilter
  SERVLET_API_SUPPORT_FILTER           SecurityContextHolderAwareRequestFilter
  REMEMBER_ME_FILTER                   RememberMeProcessingFilter
  ANONYMOUS_FILTER                     AnonymousProcessingFilter
  EXCEPTION_TRANSLATION_FILTER         ExceptionTranslationFilter
  NTLM_FILTER                          NtlmProcessingFilter
  FILTER_SECURITY_INTERCEPTOR          FilterSecurityInterceptor
  SWITCH_USER_FILTER                   SwitchUserProcessingFilter
This is the Spring Security 2.x alias list. The configuration above uses 3.x aliases (FORM_LOGIN_FILTER, and <csrf> needs 3.2 or later); in 3.x the renamed entries are SESSION_CONTEXT_INTEGRATION_FILTER → SECURITY_CONTEXT_FILTER (SecurityContextPersistenceFilter), AUTHENTICATION_PROCESSING_FILTER → FORM_LOGIN_FILTER (UsernamePasswordAuthenticationFilter), BASIC_PROCESSING_FILTER → BASIC_AUTH_FILTER (BasicAuthenticationFilter) and CAS_PROCESSING_FILTER → CAS_FILTER (CasAuthenticationFilter), while NTLM_FILTER no longer exists. In either version the table order is the execution order, which is why a replacement login filter must sit at that alias: it has to run after the security-context and logout filters and before ExceptionTranslationFilter and FilterSecurityInterceptor.
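What the class behind the customUsernamePasswordAuthenticationFilter bean in (3) can look like, placed at FORM_LOGIN_FILTER as described in (4): it extends Spring Security's own form-login filter, adds the validate-code (captcha) check the bean comment mentions, and exposes the enableValidateCode setter that <b:property> needs. This is an added example, not the project's code; the class name and package are the ones the bean definition gives, but the form field name validateCode and the session attribute LOGIN_VALIDATE_CODE are assumptions, as is the idea that some earlier request stored the expected code in the session.

```java
package cn.topcheer.common.authority.springsec;

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Locale;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

/**
 * Replaces the standard form-login filter (position="FORM_LOGIN_FILTER").
 * Order of checks: HTTP method, validate code, then username/password via the
 * injected authenticationManager; any failure goes to authenticationFailureHandler.
 */
public class CustomUsernamePasswordAuthenticationFilter extends UsernamePasswordAuthenticationFilter {

    public static final String VALIDATE_CODE_PARAM = "validateCode";          // assumed form field name
    public static final String SESSION_VALIDATE_CODE = "LOGIN_VALIDATE_CODE"; // assumed session attribute

    // Defaults to on; security.xml above explicitly sets it to false
    private boolean enableValidateCode = true;

    public void setEnableValidateCode(boolean enableValidateCode) {
        this.enableValidateCode = enableValidateCode;
    }

    @Override
    public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response)
            throws AuthenticationException {
        // The base class only accepts POST; we override attemptAuthentication, so repeat the check
        if (!"POST".equalsIgnoreCase(request.getMethod())) {
            throw new AuthenticationServiceException("Authentication method not supported: " + request.getMethod());
        }
        if (enableValidateCode) {
            checkValidateCode(request);
        }
        String username = obtainUsername(request);
        String password = obtainPassword(request);
        username = username == null ? "" : username.trim();
        password = password == null ? "" : password;

        UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken(username, password);
        setDetails(request, authRequest); // remote address and session id, as the base filter does
        return getAuthenticationManager().authenticate(authRequest);
    }

    private void checkValidateCode(HttpServletRequest request) {
        HttpSession session = request.getSession(false);
        String expected = session == null ? null : (String) session.getAttribute(SESSION_VALIDATE_CODE);
        if (session != null) {
            // One-time use: removed before comparing, so a failed login cannot reuse the same code
            session.removeAttribute(SESSION_VALIDATE_CODE);
        }
        String submitted = request.getParameter(VALIDATE_CODE_PARAM);
        if (expected == null || submitted == null) {
            throw new ValidateCodeException("Validate code missing");
        }
        byte[] a = expected.trim().toLowerCase(Locale.ROOT).getBytes(StandardCharsets.UTF_8);
        byte[] b = submitted.trim().toLowerCase(Locale.ROOT).getBytes(StandardCharsets.UTF_8);
        // Constant-time comparison, so the check does not leak how many characters matched
        if (!MessageDigest.isEqual(a, b)) {
            throw new ValidateCodeException("Validate code incorrect");
        }
    }

    /** Reaches the configured authenticationFailureHandler like any other AuthenticationException. */
    public static class ValidateCodeException extends AuthenticationException {
        public ValidateCodeException(String msg) {
            super(msg);
        }
    }
}
```

The four <b:property> entries in the bean definition map onto setEnableValidateCode here and setAuthenticationManager, setAuthenticationFailureHandler and setAuthenticationSuccessHandler inherited from the base filter. The captcha is checked before the credentials so that a bot cannot use the login endpoint as a password oracle, and it is consumed from the session before the comparison so that one code never serves two attempts.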