spring-security

Spring Security is a security framework that can provide declarative security access control solutions for Spring-based enterprise application systems.

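<?xml version="1.0" encoding="UTF-8"?>
<!--
    Spring Security namespace configuration for the /admin back office:
    form login, remember-me, logout, concurrent-session control, URL access
    rules and the authentication provider.

    The beans "accessDecisionManager" and "adminDetailsServiceImpl" are
    referenced below but are not defined in this file.

    NOTE(review): the schema locations pin spring-beans 2.5 and
    spring-security 2.0.4, both long-unsupported release lines. Plan an
    upgrade; several notes below exist only because of that age.
-->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:sec="http://www.springframework.org/schema/security"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
                           http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.4.xsd"
       default-lazy-init="true">

    <!--
        auto-config: "true" enables form-login. Per the original note, if this
            attribute is not used the configuration defaults to http-basic (no session).
        lowercase-comparisons: whether URLs are converted to lowercase before comparison.
            It is "false" here, so matching is case-sensitive. If anything behind this
            filter resolves paths case-insensitively, a differently-cased URL can miss
            every rule below; confirm, or set it to "true".
        path-type: the matching style; "ant" selects Apache Ant path patterns.
        access-denied-page: the page shown when access is denied.
        access-decision-manager-ref: a custom access decision manager. One is required
            when role names do not use the default ROLE_ prefix.

        NOTE(review): no catch-all rule (pattern="/**") is visible in this listing, so a
        URL that matches none of the intercept-url patterns is not covered by any access
        rule. Add a default-deny or "authenticated" catch-all as the LAST rule if that is
        not intended.
    -->
    <sec:http auto-config="true"
              servlet-api-provision="false"
              lowercase-comparisons="false"
              access-denied-page="/html/error_page_access_denied.html"
              path-type="ant"
              access-decision-manager-ref="accessDecisionManager">

        <!--
            login-page: the login page.
            login-processing-url: the URL the login form posts to; it must equal the
                form's action. Default: /j_spring_security_check.
            authentication-failure-url: the page to redirect to when authentication fails.
            default-target-url: the page shown after successful authentication.
            always-use-default-target: whether to always go to default-target-url after
                login instead of the URL originally requested.
        -->
        <sec:form-login login-page="/admin/page!login.action"
                        login-processing-url="/admin/login"
                        default-target-url="/admin/page!main.action"
                        authentication-failure-url="/admin/page!login.action"
                        always-use-default-target="true"/>

        <!--
            key: the secret used to sign remember-me cookie tokens.
            NOTE(review): this value is hard-coded and has been published with the
            listing. Treat it as compromised for any real deployment: generate a fresh
            random value per environment and keep it out of version control.
        -->
        <sec:remember-me key="e37f8888-0ooo-22dd-bd0b-9900211c9a66"/>

        <!--
            logout-url: the URL that handles logout requests. Default: /j_spring_security_logout.
            logout-success-url: the URL to redirect to after logout.
            invalidate-session: whether the HTTP session is destroyed on logout.
        -->
        <sec:logout invalidate-session="true"
                    logout-success-url="/admin/page!login.action"
                    logout-url="/admin/logout"/>

        <!--
            max-sessions: how many concurrent sessions one account may hold (1 here).
            exception-if-maximum-exceeded: "false" (the default) means a second login
                succeeds and the earlier session is expired; "true" rejects the second login.
            Session counting only stays accurate if HttpSessionEventPublisher is registered
            as a listener in web.xml; verify that it is.
        -->
        <sec:concurrent-session-control max-sessions="1"
                                        exception-if-maximum-exceeded="false"/>

        <!--
            intercept-url maps a URL pattern to the authority required to access it.
            Rules are evaluated top to bottom and the first match wins, so specific
            patterns must stay above the broader /admin/** rule.
        -->

        <!-- Back-office login page. filters="none" bypasses the whole security filter
             chain for this URL, so no security context is available while serving it. -->
        <sec:intercept-url pattern="/admin/page!login.action" filters="none"/>

        <!-- Goods management -->
        <sec:intercept-url pattern="/admin/goods!**" access="ROLE_GOODS"/>

        <!-- NOTE(review): the published listing appears to have lost lines at this
             point (the element above was cut off before its closing tag). Any further
             /admin/... rules belong here, above the catch-all for /admin. -->

        <sec:intercept-url pattern="/admin/**" access="ROLE_BASE"/>

        <!--
            Rules for Struts2 Action requests. The pattern must start with "/",
            otherwise the request is not intercepted.
            Each rule means: a user accessing that resource (e.g. /unitsManager) must hold
            ROLE_PLATFORMADMIN. At login, all of the user's authorities are loaded from the
            database into a list; on access, that list is compared with the authority
            configured here. If it is present access is allowed, otherwise an
            AccessDeniedException is raised.

            NOTE(review): these are exact patterns with no wildcard. Confirm that the real
            action URLs (for example with an ".action" suffix or a "!method" part) are
            actually matched, otherwise they fall through unprotected.
        -->
        <sec:intercept-url pattern="/unitsManager" access="ROLE_PLATFORMADMIN"/>
        <sec:intercept-url pattern="/usersManager" access="ROLE_PLATFORMADMIN"/>
        <sec:intercept-url pattern="/horizontalQuery" access="ROLE_PLATFORMADMIN"/>
        <sec:intercept-url pattern="/verticalQuery" access="ROLE_PLATFORMADMIN"/>
    </sec:http>

    <!--
        Authenticates against the user details service bean "adminDetailsServiceImpl".

        NOTE(review): hash="md5" with no salt-source stores unsalted MD5 digests. MD5 is
        fast to compute and identical passwords yield identical digests, so a leaked user
        table is cheap to crack. The value is left unchanged because switching it
        invalidates every stored password; plan a migration (re-hash on next successful
        login) to a salted, adaptive scheme such as bcrypt on a supported Spring Security
        release.
    -->
    <sec:authentication-provider user-service-ref="adminDetailsServiceImpl">
        <sec:password-encoder hash="md5"/>
    </sec:authentication-provider>

</beans>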
