Spring Security使用一系列过滤器处理用户请求,下面是spring-security.xml配置文件。
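<?xml version="1.0" encoding="UTF-8"?>
<!--
  spring-security.xml: wires the Spring Security filter chain by hand (explicit beans instead of
  the <http> namespace shortcut): HTTPS enforcement, form login, remember-me, logout, concurrent
  session control and database-driven URL authorization.
-->
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
    http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
    http://www.springframework.org/schema/security
    http://www.springframework.org/schema/security/spring-security.xsd">

    <!-- Custom Spring Security filter chain. FilterChainProxy uses the FIRST chain whose pattern
         matches, so the specific patterns must stay above the catch-all "/**". -->
    <!-- NOTE(review): the first four chains run only channelProcessingFilter. Requests to those
         paths get HTTPS enforcement but no SecurityContext and no authorization check, so everything
         served under /resources/** is public. Keep only static, non-sensitive content there. -->
    <!-- NOTE(review): in the "/**" chain logoutFilter sits after the two authentication filters; the
         documented standard order places the logout filter ahead of form login and remember-me.
         Confirm this ordering is intended. -->
    <beans:bean id="springSecurityFilterChain"
        class="org.springframework.security.web.FilterChainProxy">
        <beans:constructor-arg>
            <beans:list>
                <filter-chain pattern="/resources/**" filters="channelProcessingFilter" />
                <filter-chain pattern="/login" filters="channelProcessingFilter" />
                <filter-chain pattern="/" filters="channelProcessingFilter" />
                <filter-chain pattern="/error" filters="channelProcessingFilter" />
                <filter-chain pattern="/**"
                    filters="channelProcessingFilter,securityContextPersistenceFilter,concurrentSessionFilter,usernamePasswordAuthenticationFilter,
                    rememberMeAuthenticationFilter,logoutFilter,exceptionTranslationFilter,felicityFilterSecurityInterceptor" />
            </beans:list>
        </beans:constructor-arg>
    </beans:bean>

    <!-- Authentication manager: tries the DAO (username/password) provider, then the remember-me provider. -->
    <beans:bean id="authenticationManager"
        class="org.springframework.security.authentication.ProviderManager">
        <beans:property name="providers">
            <beans:list>
                <beans:ref bean="authenticationProvider" />
                <beans:ref bean="rememberMeAuthenticationProvider" />
            </beans:list>
        </beans:property>
        <!-- NOTE(review): "false" keeps the submitted password inside the Authentication object, which
             is then stored in the HTTP session. Set this to "true" unless code that is not shown here
             (for example the custom success handler) really needs the credentials after login. -->
        <beans:property name="eraseCredentialsAfterAuthentication" value="false"></beans:property>
    </beans:bean>
    <beans:bean id="authenticationProvider"
        class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
        <beans:property name="userDetailsService" ref="felicityUserDetailService" />
        <beans:property name="passwordEncoder" ref="passwordEncoder"></beans:property>
    </beans:bean>

    <!-- NOTE(review): MD5 is a fast hash and no salt source is configured on the provider, so stored
         passwords are unsalted MD5 and cheap to recover if the user table leaks. Plan a migration to
         an adaptive hash such as org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder.
         Swapping the class alone invalidates every stored hash, so existing accounts need a
         rehash-on-next-login or a password reset step. -->
    <beans:bean id="passwordEncoder"
        class="org.springframework.security.authentication.encoding.Md5PasswordEncoder" />

    <!-- User lookup. Both queries use a "?" placeholder for the login name; presumably the custom
         FelicityUserDetailsService (not shown) binds it as a prepared-statement parameter. Confirm
         that it never concatenates the user name into the SQL text. -->
    <beans:bean id="felicityUserDetailService"
        class="com.sds.eci.security.FelicityUserDetailsService">
        <beans:property name="dataSource" ref="dataSource"></beans:property>
        <beans:property name="usersByUsernameQuery" value="select singleid as username, password, realname, userid, empno, ssoid, enabled from felicity_user where singleid = ?"></beans:property>
        <beans:property name="authoritiesByUsernameQuery" value="select u.singleid as username,ro.name as authority
            from felicity_user u
            right join felicity_userrole ur on u.userid=ur.userid
            right join felicity_role ro on ur.roleid=ro.roleid
            where u.singleid=?"></beans:property>
    </beans:bean>

    <!-- Channel enforcement: every URL must be requested over HTTPS. -->
    <beans:bean id="channelProcessingFilter" class="org.springframework.security.web.access.channel.ChannelProcessingFilter">
        <beans:property name="channelDecisionManager" ref="channelDecisionManager"/>
        <beans:property name="securityMetadataSource">
            <filter-security-metadata-source>
                <intercept-url pattern="/**" access="REQUIRES_SECURE_CHANNEL"/>
                <!-- <intercept-url pattern="/**" access="REQUIRES_INSECURE_CHANNEL"/>-->
            </filter-security-metadata-source>
        </beans:property>
    </beans:bean>
    <beans:bean id="channelDecisionManager" class="org.springframework.security.web.access.channel.ChannelDecisionManagerImpl">
        <beans:property name="channelProcessors">
            <beans:list>
                <beans:ref bean="secureChannelProcessor"/>
                <beans:ref bean="insecureChannelProcessor"/>
            </beans:list>
        </beans:property>
    </beans:bean>
    <!-- A plain-HTTP request is redirected to the HTTPS port given by portMapper. The redirect only
         happens after the first request has already travelled in clear text, so session and
         remember-me cookies should never be issued or accepted over HTTP. -->
    <beans:bean id="secureChannelProcessor" class="org.springframework.security.web.access.channel.SecureChannelProcessor">
        <beans:property name="entryPoint">
            <beans:bean class="org.springframework.security.web.access.channel.RetryWithHttpsEntryPoint">
                <beans:property name="portMapper" ref="portMapper"></beans:property>
                <beans:property name="portResolver" ref="portResolver"></beans:property>
            </beans:bean>
        </beans:property>
    </beans:bean>
    <beans:bean id="insecureChannelProcessor" class="org.springframework.security.web.access.channel.InsecureChannelProcessor">
        <beans:property name="entryPoint">
            <beans:bean class="org.springframework.security.web.access.channel.RetryWithHttpEntryPoint">
                <beans:property name="portMapper" ref="portMapper"></beans:property>
                <beans:property name="portResolver" ref="portResolver"></beans:property>
            </beans:bean>
        </beans:property>
    </beans:bean>
    <!-- HTTP port (key) to HTTPS port (value) mapping used when building the redirect. -->
    <beans:bean id="portMapper" class="org.springframework.security.web.PortMapperImpl">
        <beans:property name="portMappings">
            <beans:map>
                <beans:entry key="8080" value="443"></beans:entry>
                <beans:entry key="80" value="443"></beans:entry>
                <beans:entry key="9090" value="9443"></beans:entry>
            </beans:map>
        </beans:property>
    </beans:bean>
    <beans:bean id="portResolver" class="org.springframework.security.web.PortResolverImpl">
        <beans:property name="portMapper" ref="portMapper"></beans:property>
    </beans:bean>

    <!-- SecurityContext persistence: loads the context from the HTTP session and saves it back. -->
    <beans:bean id="securityContextPersistenceFilter" class="org.springframework.security.web.context.SecurityContextPersistenceFilter">
        <beans:property name="securityContextRepository" ref="securityContextRepository" />
    </beans:bean>
    <beans:bean id="securityContextRepository" class="org.springframework.security.web.context.HttpSessionSecurityContextRepository">
        <beans:property name="allowSessionCreation" value="true" />
        <!-- Changed from "false": with URL rewriting enabled the container may append
             ;jsessionid=... to links, which exposes the session id in server logs, browser history
             and Referer headers. Sessions are now tracked by cookie only. -->
        <beans:property name="disableUrlRewriting" value="true" />
    </beans:bean>

    <!-- Username/password (form login) authentication filter. -->
    <beans:bean id="usernamePasswordAuthenticationFilter" class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
        <beans:property name="usernameParameter" value="username"></beans:property>
        <beans:property name="passwordParameter" value="password"></beans:property>
        <beans:property name="authenticationManager" ref="authenticationManager"></beans:property>
        <beans:property name="authenticationSuccessHandler" ref="authenticationSuccessHandler"></beans:property>
        <beans:property name="authenticationFailureHandler">
            <beans:bean class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
                <beans:property name="defaultFailureUrl" value="/login?para=loginfailure"></beans:property>
            </beans:bean>
        </beans:property>
        <beans:property name="sessionAuthenticationStrategy" ref="sessionAuthenticationStrategy" />
        <beans:property name="rememberMeServices" ref="rememberMeServices" />
    </beans:bean>
    <beans:bean id="authenticationSuccessHandler" class="com.sds.eci.security.FelicityAuthenticationSuccessHandler">
        <beans:property name="defaultTargetUrl" value="/questions"></beans:property>
        <beans:property name="securityMetadataSource" ref="felicitysecurityMetadataSource" />
    </beans:bean>

    <!-- 2. Logout filter -->
    <beans:bean id="logoutFilter"
        class="org.springframework.security.web.authentication.logout.LogoutFilter">
        <beans:constructor-arg value="/login" /><!-- URL to redirect to after a successful logout -->
        <beans:constructor-arg>
            <beans:array>
                <beans:ref bean="logoutHandler" />
                <!-- rememberMeServices is listed as a logout handler so that logging out also
                     cancels the remember-me cookie. -->
                <beans:ref bean="rememberMeServices" />
            </beans:array>
        </beans:constructor-arg>
        <beans:property name="filterProcessesUrl" value="/j_spring_security_logout" /><!-- URL that triggers logout processing -->
    </beans:bean>
    <!-- Logout handler -->
    <beans:bean id="logoutHandler"
        class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler">
    </beans:bean>

    <!-- 7. Remember-me (cookie based) -->
    <beans:bean id="rememberMeAuthenticationFilter"
        class="org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter">
        <beans:property name="rememberMeServices" ref="rememberMeServices" />
        <beans:property name="authenticationManager" ref="authenticationManager" />
        <beans:property name="authenticationSuccessHandler" ref="authenticationSuccessHandler"></beans:property>
    </beans:bean>
    <!-- rememberMe -->
    <!-- NOTE(review): the key is the secret that signs the remember-me cookie, and "springRocks" is a
         value copied from sample configurations. Replace it with a long random secret loaded from
         externalized configuration rather than committed with this file. The same value must be
         set on rememberMeServices and on rememberMeAuthenticationProvider, otherwise remember-me
         logins are rejected. -->
    <beans:bean id="rememberMeServices"
        class="org.springframework.security.web.authentication.rememberme.TokenBasedRememberMeServices">
        <beans:constructor-arg name="key" value="springRocks"></beans:constructor-arg>
        <beans:constructor-arg name="userDetailsService" ref="felicityUserDetailService"></beans:constructor-arg>
        <!-- Token lifetime: 604800 seconds (one week) -->
        <beans:property name="tokenValiditySeconds" value="604800" />
    </beans:bean>
    <beans:bean id="rememberMeAuthenticationProvider"
        class="org.springframework.security.authentication.RememberMeAuthenticationProvider">
        <beans:property name="key" value="springRocks" />
    </beans:bean>

    <!-- Authorization filter: checks the user's permissions for the requested URL. -->
    <beans:bean id="felicityFilterSecurityInterceptor" class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor">
        <!-- "true" rejects any request for which the metadata source returns no attributes, so a URL
             missing from the resource table is denied instead of silently allowed. -->
        <beans:property name="rejectPublicInvocations" value="true"></beans:property>
        <beans:property name="authenticationManager"
            ref="authenticationManager" />
        <beans:property name="accessDecisionManager"
            ref="felicityAccessDecisionManagerBean" />
        <beans:property name="securityMetadataSource"
            ref="felicitysecurityMetadataSource" />
    </beans:bean>

    <!-- Access decision manager: decides whether the roles a user holds are sufficient to access a resource. -->
    <beans:bean id="felicityAccessDecisionManagerBean"
        class="com.sds.eci.security.FelicityAccessDecisionManager">
    </beans:bean>

    <!-- Resource metadata source: defines which roles may access each resource (URL). -->
    <beans:bean id="felicitysecurityMetadataSource"
        class="com.sds.eci.security.FelicitySecurityMetadataSource">
        <beans:constructor-arg ref="dataSource"></beans:constructor-arg>
        <beans:constructor-arg type="java.lang.String" value="select rce.url, r.name, rce.pid from felicity_role r inner join felicity_roleresource rrce on r.roleid = rrce.roleid inner join felicity_resource rce on rrce.resourceid = rce.resourceid order by pid, sort"></beans:constructor-arg>
    </beans:bean>

    <!-- Required by the authorization page tags. -->
    <beans:bean id="webInvocationFilter"
        class="org.springframework.security.web.access.DefaultWebInvocationPrivilegeEvaluator">
        <beans:constructor-arg ref="felicityFilterSecurityInterceptor" />
    </beans:bean>

    <!-- 9. Exception translation filter -->
    <beans:bean id="exceptionTranslationFilter"
        class="org.springframework.security.web.access.ExceptionTranslationFilter">
        <beans:property name="authenticationEntryPoint" ref="authenticationEntryPoint" />
        <beans:property name="accessDeniedHandler">
            <!-- Page shown when an authenticated user is denied access -->
            <beans:bean
                class="com.sds.eci.security.FelicityAccessDeniedHandler">
                <beans:property name="errorPage" value="/403" />
            </beans:bean>
        </beans:property>
    </beans:bean>
    <beans:bean id="authenticationEntryPoint"
        class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
        <beans:property name="loginFormUrl" value="/login?para=errorauth"></beans:property>
    </beans:bean>

    <!-- sessionManagementFilter -->
    <beans:bean id="concurrentSessionFilter"
        class="org.springframework.security.web.session.ConcurrentSessionFilter">
        <beans:property name="sessionRegistry" ref="sessionRegistry" />
        <beans:property name="expiredUrl" value="/login?para=multi" />
    </beans:bean>
    <!-- At most one active session per user. -->
    <!-- NOTE(review): SessionRegistryImpl only learns that a session ended if
         org.springframework.security.web.session.HttpSessionEventPublisher is registered as a listener
         in web.xml (not shown here). Without it, timed-out sessions keep counting against the limit. -->
    <beans:bean id="sessionAuthenticationStrategy"
        class="org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy">
        <beans:constructor-arg name="sessionRegistry" ref="sessionRegistry" />
        <beans:property name="maximumSessions" value="1" />
    </beans:bean>
    <beans:bean id="sessionRegistry" class="org.springframework.security.core.session.SessionRegistryImpl" />

</beans:beans>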