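<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:aop="http://www.springframework.org/schema/aop"
       xmlns:security="http://www.springframework.org/schema/security"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.0.xsd
                           http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop-4.0.xsd
                           http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd">

    <!--
        Hand-assembled Spring Security filter chain (no <security:http> shortcut).
        Filter order inside the "/**" chain is significant: securityContextPersistenceFilter runs first so
        every later filter sees the SecurityContext; csrfFilter runs ahead of logoutFilter and the login
        filter so their state-changing POSTs are token-checked; filterSecurityInterceptor runs last and
        makes the final URL authorization decision.
        Requests matching "/resources/**" or "/*.html" bypass every filter (filters="none"): they carry no
        SecurityContext, so nothing served there may rely on authentication. This deliberately covers
        /accessDenied.html, /expire.html and /logout.html, which are shown to users without a session.
    -->
    <bean id="springSecurityFilterChain" class="org.springframework.security.web.FilterChainProxy">
        <security:filter-chain-map request-matcher="ant">
            <security:filter-chain pattern="/resources/**" filters="none" />
            <security:filter-chain pattern="/*.html" filters="none" />
            <security:filter-chain pattern="/**"
                                   filters="
                                       securityContextPersistenceFilter,
                                       concurrentSessionFilter,
                                       webAsyncManagerIntegrationFilter,
                                       csrfFilter,
                                       logoutFilter,
                                       usernamePasswordAuthenticationFilter,
                                       basicAuthenticationFilter,
                                       requestCacheAwareFilter,
                                       securityContextHolderAwareRequestFilter,
                                       rememberMeAuthenticationFilter,
                                       anonymousAuthenticationFilter,
                                       sessionManagementFilter,
                                       exceptionTranslationFilter,
                                       filterSecurityInterceptor
                                   " />
        </security:filter-chain-map>
    </bean>

    <!-- SecurityContextPersistenceFilter: loads/stores the SecurityContext from the HTTP session. -->
    <bean id="securityContextPersistenceFilter"
          class="org.springframework.security.web.context.SecurityContextPersistenceFilter">
        <constructor-arg ref="securityContextRepository" />
        <!-- Do not create a session for every request; one is created only when a context must be saved. -->
        <property name="forceEagerSessionCreation" value="false" />
    </bean>

    <bean id="securityContextRepository"
          class="org.springframework.security.web.context.HttpSessionSecurityContextRepository">
        <property name="allowSessionCreation" value="true" />
        <!-- Keeps the session id out of rewritten URLs (;jsessionid=...), so it is only ever sent as a cookie. -->
        <property name="disableUrlRewriting" value="true" />
    </bean>

    <!-- CsrfFilter: the same token repository is shared with csrfAuthenticationStrategy below so the token is rotated on login. -->
    <bean id="csrfFilter" class="org.springframework.security.web.csrf.CsrfFilter">
        <constructor-arg ref="httpSessionCsrfTokenRepository" />
        <property name="accessDeniedHandler" ref="accessDeniedHandler" />
    </bean>

    <bean id="httpSessionCsrfTokenRepository"
          class="org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository" />

    <!-- UsernamePasswordAuthenticationFilter: form login, processed only on POST /login (see the request matcher below). -->
    <bean id="usernamePasswordAuthenticationFilter"
          class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
        <property name="authenticationManager" ref="authenticationManager" />
        <property name="usernameParameter" value="username" />
        <property name="passwordParameter" value="password" />
        <property name="rememberMeServices" ref="persistentTokenBasedRememberMeServices" />
        <!-- Runs the CSRF, concurrency, session-fixation and session-registration strategies after a successful login. -->
        <property name="sessionAuthenticationStrategy" ref="compositeSessionAuthenticationStrategy" />
        <property name="authenticationSuccessHandler" ref="savedRequestAwareAuthenticationSuccessHandler" />
        <property name="authenticationFailureHandler" ref="simpleUrlAuthenticationFailureHandler" />
        <property name="requiresAuthenticationRequestMatcher" ref="authenticationFilterProcessUrlRequestMatcher" />
        <property name="allowSessionCreation" value="true" />
    </bean>

    <bean id="savedRequestAwareAuthenticationSuccessHandler"
          class="org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler">
        <!-- Redirects to the request saved by requestCacheAwareFilter, or to defaultTargetUrl when there is none. -->
        <property name="requestCache" ref="httpSessionRequestCache" />
        <property name="defaultTargetUrl" value="/welcome.jsp" />
    </bean>

    <bean id="simpleUrlAuthenticationFailureHandler"
          class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
        <constructor-arg value="/login.jsp?error" />
        <property name="allowSessionCreation" value="true" />
    </bean>

    <!-- Only POST /login is treated as a login attempt; credentials in a GET query string would otherwise end up in logs. -->
    <bean id="authenticationFilterProcessUrlRequestMatcher"
          class="org.springframework.security.web.util.matcher.AntPathRequestMatcher">
        <constructor-arg value="/login" />
        <constructor-arg value="POST" />
    </bean>

    <!--
        AnonymousAuthenticationFilter. The key passed here must be identical to the one given to
        anonymousAuthenticationProvider; the provider rejects anonymous tokens created with any other key.
        The key is a shared secret and is committed here in clear text; it should be supplied from an
        externalized property (e.g. via a property placeholder) rather than from source control.
    -->
    <bean id="anonymousAuthenticationFilter"
          class="org.springframework.security.web.authentication.AnonymousAuthenticationFilter">
        <constructor-arg value="BF93JFJ091N00Q7HF" />
    </bean>

    <bean id="anonymousAuthenticationProvider"
          class="org.springframework.security.authentication.AnonymousAuthenticationProvider">
        <constructor-arg type="java.lang.String" value="BF93JFJ091N00Q7HF" />
    </bean>

    <!--
        FilterSecurityInterceptor: final URL authorization. The metadata source is the project's
        database-backed URLFilterInvocationSecurityMetadataSource; the commented block below is the
        static equivalent kept for reference.
    -->
    <bean id="filterSecurityInterceptor"
          class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor">
        <property name="authenticationManager" ref="authenticationManager" />
        <property name="accessDecisionManager" ref="affirmativeBased" />
        <property name="securityMetadataSource" ref="securityMetadataSource" />
        <!--
        <property name="securityMetadataSource">
            <security:filter-security-metadata-source use-expressions="true">
                <security:intercept-url pattern="/*.html" access="permitAll" />
                <security:intercept-url pattern="/login.jsp*" access="permitAll" />
                <security:intercept-url pattern="/login*" access="permitAll" />
                <security:intercept-url pattern="/security/**" access="hasRole('ROLE_ADMIN')" />
                <security:intercept-url pattern="/**" access="hasRole('ROLE_USER')" />
            </security:filter-security-metadata-source>
        </property>
        -->
    </bean>

    <bean id="securityMetadataSource"
          class="com.jaeson.springstudy.security.URLFilterInvocationSecurityMetadataSource">
        <property name="resourceRepository" ref="resourceRepository" />
    </bean>

    <bean id="resourceRepository" class="com.jaeson.springstudy.security.ResourceRepository">
        <property name="dataSource" ref="dataSource" />
    </bean>

    <!-- AffirmativeBased: access is granted as soon as any one voter grants it. -->
    <bean id="affirmativeBased" class="org.springframework.security.access.vote.AffirmativeBased">
        <constructor-arg type="java.util.List">
            <list>
                <ref bean="expressionVoter" />
                <ref bean="roleVoter" />
                <ref bean="authenticatedVoter" />
            </list>
        </constructor-arg>
    </bean>

    <bean id="roleVoter" class="org.springframework.security.access.vote.RoleVoter" />

    <bean id="authenticatedVoter" class="org.springframework.security.access.vote.AuthenticatedVoter" />

    <bean id="expressionVoter"
          class="org.springframework.security.web.access.expression.WebExpressionVoter">
        <property name="expressionHandler" ref="expressionHandler" />
    </bean>

    <bean id="expressionHandler"
          class="org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler" />

    <!-- AuthenticationManager: providers are tried in list order until one supports the token. -->
    <bean id="authenticationManager" class="org.springframework.security.authentication.ProviderManager">
        <constructor-arg type="java.util.List">
            <list>
                <ref bean="daoAuthenticationProvider" />
                <ref bean="anonymousAuthenticationProvider" />
                <ref bean="rememberMeAuthenticationProvider" />
            </list>
        </constructor-arg>
        <property name="authenticationEventPublisher" ref="defaultAuthenticationEventPublisher" />
    </bean>

    <!-- Stored passwords must be bcrypt hashes; plain-text or other hash formats will never match. -->
    <bean id="passwordEncoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder" />

    <bean id="defaultAuthenticationEventPublisher"
          class="org.springframework.security.authentication.DefaultAuthenticationEventPublisher" />

    <bean id="daoAuthenticationProvider"
          class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
        <property name="userDetailsService" ref="userDetailsService" />
        <property name="passwordEncoder" ref="passwordEncoder" />
    </bean>

    <!--
        JdbcDaoImpl reads both queries by column position: (username, password, enabled) and
        (username, authority). The third column of usersByUsernameQuery is read as the "enabled"
        boolean; the column here is named "enable", which is assumed to be the actual schema name.
        The authority column must already hold the full role name (e.g. ROLE_USER) because no role
        prefix is configured on this bean.
        The group join previously aliased user_group as "and", which is a reserved word and is not the
        "ug" alias used in the ON clauses; it is now aliased as "ug".
    -->
    <bean id="userDetailsService" class="org.springframework.security.core.userdetails.jdbc.JdbcDaoImpl">
        <property name="dataSource" ref="dataSource" />
        <property name="usersByUsernameQuery"
                  value="SELECT username, password, enable FROM user WHERE username=?" />
        <property name="authoritiesByUsernameQuery"
                  value="SELECT u.username as username, r.rolename as rolename FROM user u JOIN user_group ug ON u.id = ug.user_id JOIN groups g ON ug.group_id=g.id JOIN group_role gr ON g.id=gr.group_id JOIN role r ON gr.role_id=r.id WHERE u.username=?" />
    </bean>

    <!--
        LogoutFilter. First constructor argument is the logout success URL; the handler array clears the
        SecurityContext, deletes the session cookie and cancels the persistent remember-me token.
        The request matcher below matches "/logout" for any HTTP method. Because csrfFilter only checks
        state-changing methods, a GET to /logout is not token-protected; restricting the matcher to POST
        (second constructor argument "POST", as done for /login) would close that gap if the
        application's logout links are changed to submit a form.
    -->
    <bean id="logoutFilter" class="org.springframework.security.web.authentication.logout.LogoutFilter">
        <constructor-arg type="java.lang.String" value="/logout.html" />
        <constructor-arg>
            <array>
                <ref bean="securityContextLogoutHandler" />
                <ref bean="cookieClearingLogoutHandler" />
                <ref bean="persistentTokenBasedRememberMeServices" />
            </array>
        </constructor-arg>
        <property name="logoutRequestMatcher" ref="logoutFilterProcessUrlRequestMatcher" />
    </bean>

    <bean id="securityContextLogoutHandler"
          class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler">
        <property name="invalidateHttpSession" value="true" />
        <property name="clearAuthentication" value="true" />
    </bean>

    <bean id="cookieClearingLogoutHandler"
          class="org.springframework.security.web.authentication.logout.CookieClearingLogoutHandler">
        <constructor-arg>
            <array>
                <value>JSESSIONID</value>
            </array>
        </constructor-arg>
    </bean>

    <bean id="logoutFilterProcessUrlRequestMatcher"
          class="org.springframework.security.web.util.matcher.AntPathRequestMatcher">
        <constructor-arg value="/logout" />
    </bean>

    <!--
        RememberMeAuthenticationFilter with persistent (series/token) remember-me stored via jdbcTokenRepository.
        The key string must match the one in rememberMeAuthenticationProvider, which otherwise rejects the
        token. As with the anonymous key, it is a secret committed in clear text and should be externalized.
    -->
    <bean id="rememberMeAuthenticationFilter"
          class="org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter">
        <constructor-arg ref="authenticationManager" />
        <constructor-arg ref="persistentTokenBasedRememberMeServices" />
    </bean>

    <bean id="persistentTokenBasedRememberMeServices"
          class="org.springframework.security.web.authentication.rememberme.PersistentTokenBasedRememberMeServices">
        <constructor-arg type="java.lang.String" value="BoSk70Yar38~veg91DoCKs=sLaIn!met" />
        <constructor-arg type="org.springframework.security.core.userdetails.UserDetailsService"
                         ref="userDetailsService" />
        <constructor-arg type="org.springframework.security.web.authentication.rememberme.PersistentTokenRepository"
                         ref="jdbcTokenRepository" />
        <property name="cookieName" value="REMEMBER_ME" />
        <property name="parameter" value="remember-me" />
    </bean>

    <bean id="jdbcTokenRepository"
          class="org.springframework.security.web.authentication.rememberme.JdbcTokenRepositoryImpl">
        <property name="dataSource" ref="dataSource" />
    </bean>

    <bean id="rememberMeAuthenticationProvider"
          class="org.springframework.security.authentication.RememberMeAuthenticationProvider">
        <constructor-arg value="BoSk70Yar38~veg91DoCKs=sLaIn!met" />
    </bean>

    <!-- ExceptionTranslationFilter: unauthenticated access goes to the login page, denied access to accessDeniedHandler. -->
    <bean id="exceptionTranslationFilter"
          class="org.springframework.security.web.access.ExceptionTranslationFilter">
        <constructor-arg ref="loginUrlAuthenticationEntryPoint" />
        <constructor-arg ref="httpSessionRequestCache" />
        <property name="accessDeniedHandler" ref="accessDeniedHandler" />
    </bean>

    <bean id="loginUrlAuthenticationEntryPoint"
          class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
        <constructor-arg value="/login.jsp" />
    </bean>

    <bean id="accessDeniedHandler" class="org.springframework.security.web.access.AccessDeniedHandlerImpl">
        <property name="errorPage" value="/accessDenied.html" />
    </bean>

    <!-- ConcurrentSessionFilter: sessions marked expired in the registry are logged out and sent to /expire.html. -->
    <bean id="concurrentSessionFilter"
          class="org.springframework.security.web.session.ConcurrentSessionFilter">
        <constructor-arg type="org.springframework.security.core.session.SessionRegistry" ref="sessionRegistry" />
        <constructor-arg type="java.lang.String" value="/expire.html" />
        <property name="logoutHandlers">
            <array>
                <ref bean="securityContextLogoutHandler" />
                <ref bean="cookieClearingLogoutHandler" />
                <ref bean="persistentTokenBasedRememberMeServices" />
            </array>
        </property>
    </bean>

    <!-- SessionManagementFilter: applies the session strategies for authentications that did not go through the login filter (e.g. remember-me). -->
    <bean id="sessionManagementFilter"
          class="org.springframework.security.web.session.SessionManagementFilter">
        <constructor-arg ref="securityContextRepository" />
        <constructor-arg ref="compositeSessionAuthenticationStrategy" />
        <property name="authenticationFailureHandler" ref="simpleUrlAuthenticationFailureHandler" />
    </bean>

    <!--
        SessionAuthenticationStrategy, run in list order on every successful authentication:
        1. rotate the CSRF token, 2. enforce the concurrent-session limit, 3. change the session id
        (session-fixation protection), 4. register the new session in the registry.
    -->
    <bean id="compositeSessionAuthenticationStrategy"
          class="org.springframework.security.web.authentication.session.CompositeSessionAuthenticationStrategy">
        <constructor-arg>
            <list>
                <ref bean="csrfAuthenticationStrategy" />
                <ref bean="sessionControlAuthenticationStrategy" />
                <ref bean="sessionFixationProtectionStrategy" />
                <ref bean="registerSessionAuthenticationStrategy" />
            </list>
        </constructor-arg>
    </bean>

    <bean id="csrfAuthenticationStrategy"
          class="org.springframework.security.web.csrf.CsrfAuthenticationStrategy">
        <constructor-arg ref="httpSessionCsrfTokenRepository" />
    </bean>

    <!-- With maximumSessions=1 and exceptionIfMaximumExceeded=true a second concurrent login is rejected instead of expiring the first session. -->
    <bean id="sessionControlAuthenticationStrategy"
          class="com.jaeson.springstudy.security.MyConcurrentSessionControlAuthenticationStrategy">
        <!-- class="org.springframework.security.web.authentication.session.ConcurrentSessionControlAuthenticationStrategy"> -->
        <constructor-arg ref="sessionRegistry" />
        <property name="maximumSessions" value="1" />
        <property name="exceptionIfMaximumExceeded" value="true" />
    </bean>

    <bean id="sessionFixationProtectionStrategy"
          class="org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy">
        <!-- A fresh session id is issued on login; existing attributes are copied over. -->
        <property name="migrateSessionAttributes" value="true" />
    </bean>

    <bean id="registerSessionAuthenticationStrategy"
          class="com.jaeson.springstudy.security.MyRegisterSessionAuthenticationStrategy">
        <!-- class="org.springframework.security.web.authentication.session.RegisterSessionAuthenticationStrategy"> -->
        <constructor-arg ref="sessionRegistry" />
    </bean>

    <!-- <bean id="sessionRegistry" class="org.springframework.security.core.session.SessionRegistryImpl"/> -->
    <bean id="sessionRegistry" class="com.jaeson.springstudy.security.MySessionRegistryImpl" />

    <!-- SecurityContextHolderAwareRequestFilter: backs HttpServletRequest.isUserInRole/getRemoteUser/login/logout. -->
    <bean id="securityContextHolderAwareRequestFilter"
          class="org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter">
        <property name="authenticationManager" ref="authenticationManager" />
    </bean>

    <!-- WebAsyncManagerIntegrationFilter: propagates the SecurityContext into Spring MVC async processing. -->
    <bean id="webAsyncManagerIntegrationFilter"
          class="org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter" />

    <!-- BasicAuthenticationFilter: HTTP Basic is accepted in addition to form login; credentials are sent on every request, so this only belongs behind TLS. -->
    <bean id="basicAuthenticationFilter"
          class="org.springframework.security.web.authentication.www.BasicAuthenticationFilter">
        <constructor-arg ref="authenticationManager" />
        <constructor-arg ref="basicAuthenticationEntryPoint" />
    </bean>

    <bean id="basicAuthenticationEntryPoint"
          class="org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint">
        <property name="realmName" value="Spring Security Application" />
    </bean>

    <!-- RequestCacheAwareFilter: replays the request saved before a redirect to the login page. -->
    <bean id="requestCacheAwareFilter"
          class="org.springframework.security.web.savedrequest.RequestCacheAwareFilter">
        <constructor-arg ref="httpSessionRequestCache" />
    </bean>

    <bean id="httpSessionRequestCache"
          class="org.springframework.security.web.savedrequest.HttpSessionRequestCache">
        <property name="createSessionAllowed" value="true" />
    </bean>

    <!-- Page label permission function dependency (used by the <sec:authorize url="..."> tag; evaluates against filterSecurityInterceptor's rules). -->
    <bean id="webInvocationFilter"
          class="org.springframework.security.web.access.DefaultWebInvocationPrivilegeEvaluator">
        <constructor-arg ref="filterSecurityInterceptor" />
    </bean>

    <!-- Method permission control: applied through the AOP advisor below, not through annotations. -->
    <bean id="methodSecurityInterceptor"
          class="org.springframework.security.access.intercept.aopalliance.MethodSecurityInterceptor">
        <property name="authenticationManager" ref="authenticationManager" />
        <property name="accessDecisionManager" ref="methodAffirmativeBased" />
        <property name="securityMetadataSource">
            <security:method-security-metadata-source>
                <!-- Specify the methods that need to be protected and the permissions needed -->
                <security:protect method="com.jaeson.springstudy.security.SessionRegistryExample.getOnline*"
                                  access="ROLE_USER, ROLE_ADMIN" />
                <security:protect method="com.jaeson.springstudy.security.SessionRegistryExample.getActive*"
                                  access="ROLE_ADMIN" />
                <security:protect method="com.jaeson.springstudy.security.SessionRegistryExample.test*"
                                  access="IS_AUTHENTICATED_FULLY" />
            </security:method-security-metadata-source>
        </property>
    </bean>

    <!-- Method-level decision manager has no expression voter, so the access attributes above must be plain role / IS_AUTHENTICATED_* strings. -->
    <bean id="methodAffirmativeBased" class="org.springframework.security.access.vote.AffirmativeBased">
        <constructor-arg type="java.util.List">
            <list>
                <ref bean="roleVoter" />
                <ref bean="authenticatedVoter" />
            </list>
        </constructor-arg>
    </bean>

    <!-- <bean id="methodExpressionHandler" class="org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler" /> -->

    <!-- Only methods of SessionRegistryExample are advised; any <security:protect> entry outside this pointcut has no effect. -->
    <aop:config>
        <aop:pointcut id="securityMethodPointCut"
                      expression="execution(* com.jaeson.springstudy.security.SessionRegistryExample.*(..))" />
        <aop:advisor advice-ref="methodSecurityInterceptor" pointcut-ref="securityMethodPointCut" />
    </aop:config>

    <!--
        Spring Security defines four annotations that support the use of expressions, namely
        @PreAuthorize, @PostAuthorize, @PreFilter and @PostFilter. The first two can be used to check
        permissions before or after the method is called, and the latter two can be used to filter the
        parameters or return values of the collection type.
    -->
    <!-- <security:global-method-security pre-post-annotations="enabled" /> -->

    <!-- JSR-250 annotation: @RolesAllowed -->
    <!-- <security:global-method-security jsr250-annotations="enabled"/> -->

</beans>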