@jahentao
Created July 19, 2017 10:45
Spring Security 配置文件 (Spring Security XML configuration: filter chain, session strategy and authentication provider)
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:security="http://www.springframework.org/schema/security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-4.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security.xsd">
<!-- Static assets bypass the security filter chain completely (security="none"):
     no authentication, no session handling and no security response headers
     are applied on these paths, so nothing sensitive may be served from them. -->
<security:http security="none" pattern="/css/**" />
<security:http security="none" pattern="/img/**" />
<security:http security="none" pattern="/js/**" />
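<!-- Main filter chain. With use-expressions="false" the access values are plain
     role/attribute names (any string, e.g. ROLE_ADMIN, 1, 2, ...) and a
     comma-separated list means "any of". intercept-url rules are evaluated
     top-down, first match wins, so the specific patterns must precede /**. -->
<security:http use-expressions="false" auto-config="true">
    <!-- The login page and the verification-question endpoint are reachable anonymously. -->
    <security:intercept-url pattern="/jsp/login.jsp" access="IS_AUTHENTICATED_ANONYMOUSLY" />
    <security:intercept-url pattern="/question" access="IS_AUTHENTICATED_ANONYMOUSLY" />
    <!-- Ant pattern "/dba" matched only that exact path; any request beneath it
         (e.g. /dba/export) fell through to the /** rule and was open to every
         ROLE_USER. "/dba/**" matches the bare path as well as its sub-paths.
         Same for /admin. -->
    <security:intercept-url pattern="/dba/**" access="ROLE_DBA" />
    <security:intercept-url pattern="/admin/**" access="ROLE_ADMIN" />
    <security:intercept-url pattern="/city/**" access="ROLE_1,ROLE_ADMIN" />
    <!-- /login, /login?error, /login?logout: the query string is not part of the path match. -->
    <security:intercept-url pattern="/login*" access="IS_AUTHENTICATED_ANONYMOUSLY" />
    <!-- Catch-all: every other path requires an authenticated user holding one of these roles. -->
    <security:intercept-url pattern="/**" access="ROLE_USER,ROLE_ADMIN" />
    <security:form-login login-page="/jsp/login.jsp" authentication-failure-url="/login?error" />
    <!-- logout-url is the request that TRIGGERS logout; the original value
         "/login?logout" was the post-logout redirect target by mistake, and since
         '?' is a single-character wildcard in Ant patterns that trigger did not
         match a request to /login?logout at all. logout-success-url is where the
         user is sent afterwards. If CSRF protection is active (the default for
         Spring Security 4 XML config), the logout request must be a POST
         carrying the CSRF token. -->
    <security:logout logout-url="/logout" logout-success-url="/login?logout"
        invalidate-session="true" delete-cookies="JSESSIONID" />
    <!-- Wire in the "sas" CompositeSessionAuthenticationStrategy defined in this
         file. Without this reference that bean is never consulted: concurrent
         session control is not enforced and only the namespace's default
         session-fixation handling applies.
         NOTE(review): for the session registry to learn about session timeout /
         invalidation, HttpSessionEventPublisher must also be registered as a
         listener in web.xml (not visible here); if exceptionIfMaximumExceeded is
         ever set to false, a ConcurrentSessionFilter is needed as well so that
         expired sessions are actually rejected. -->
    <security:session-management session-authentication-strategy-ref="sas" />
</security:http>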
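<!-- Session strategy applied at authentication time. The three strategies run
     in list order: (1) refuse the login if the user already holds the maximum
     number of live sessions, (2) migrate to a fresh session id to defeat
     session fixation, (3) record the new session in the registry.
     This bean only takes effect when referenced via
     <security:session-management session-authentication-strategy-ref="sas"/>. -->
<bean id="sas"
      class="org.springframework.security.web.authentication.session.CompositeSessionAuthenticationStrategy">
    <constructor-arg>
        <list>
            <bean class="org.springframework.security.web.authentication.session.ConcurrentSessionControlAuthenticationStrategy">
                <constructor-arg ref="sessionRegistry" />
                <property name="maximumSessions" value="1" />
                <!-- true: a second login is rejected while a session exists.
                     false: the older session is expired instead.
                     NOTE(review): with "true", a user whose session timed out
                     without a logout stays locked out until the registry is told
                     the session is gone, which requires HttpSessionEventPublisher
                     in web.xml - confirm it is registered. -->
                <property name="exceptionIfMaximumExceeded" value="true" />
            </bean>
            <!-- Session fixation protection: a new session id is issued on login. -->
            <bean class="org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy" />
            <!-- Registers the (new) session with the registry. In Spring Security
                 3.2/4.x this class has no no-arg constructor - its only
                 constructor takes the SessionRegistry - so the original
                 definition without a constructor-arg could not be instantiated. -->
            <bean class="org.springframework.security.web.authentication.session.RegisterSessionAuthenticationStrategy">
                <constructor-arg ref="sessionRegistry" />
            </bean>
        </list>
    </constructor-arg>
</bean>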
<!-- In-memory registry of principals and their live sessions, shared by the
     concurrent-session-control and register-session strategies. -->
<bean class="org.springframework.security.core.session.SessionRegistryImpl" id="sessionRegistry" />
<!-- Salt source that reads the "username" property of the loaded UserDetails
     and uses it as the password salt.
     NOTE(review): a username is public and predictable, so it only prevents
     identical passwords from producing identical hashes; it adds no secrecy,
     and it is of little help when combined with a fast hash such as MD5. -->
<bean id="saltSelf"
      class="org.springframework.security.authentication.dao.ReflectionSaltSource">
    <property name="userPropertyToUse">
        <value>username</value>
    </property>
</bean>
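<!-- Authentication: user lookup is delegated to the application's own
     UserDetailsService ("myUserDetailService"); the submitted password is
     verified against the stored hash by the password encoder. -->
<security:authentication-manager alias="authenticationManager">
    <security:authentication-provider user-service-ref="myUserDetailService">
        <!-- Was: hash="md5" salted with the username. MD5 is fast and unsuitable
             for password storage, and a username salt is predictable, so leaked
             hashes are cheap to crack offline. bcrypt is deliberately slow and
             embeds its own random salt in the hash, so no salt-source is needed.
             MIGRATION: existing MD5 hashes in the user store must be re-hashed
             (e.g. forced reset, or re-hash on next successful login), otherwise
             existing users can no longer log in. -->
        <security:password-encoder hash="bcrypt" />
    </security:authentication-provider>
</security:authentication-manager>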
</beans>