<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:aop="http://www.springframework.org/schema/aop"
    xmlns:security="http://www.springframework.org/schema/security"
    xsi:schemaLocation="
        http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.0.xsd
        http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop-4.0.xsd
        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd
    ">

    <!-- Explicit FilterChainProxy: the filters of the /** chain run in exactly the order listed here -->
    <bean id="springSecurityFilterChain" class="org.springframework.security.web.FilterChainProxy">
        <security:filter-chain-map request-matcher="ant">
            <!-- filters="none": requests matching these two patterns bypass Spring Security entirely
                 (this includes the /logout.html, /expire.html and /accessDenied.html pages used below) -->
            <security:filter-chain pattern="/resources/**" filters="none" />
            <security:filter-chain pattern="/*.html" filters="none" />
            <security:filter-chain pattern="/**" filters="
                securityContextPersistenceFilter,
                concurrentSessionFilter,
                webAsyncManagerIntegrationFilter,
                csrfFilter,
                logoutFilter,
                usernamePasswordAuthenticationFilter,
                basicAuthenticationFilter,
                requestCacheAwareFilter,
                securityContextHolderAwareRequestFilter,
                rememberMeAuthenticationFilter,
                anonymousAuthenticationFilter,
                sessionManagementFilter,
                exceptionTranslationFilter,
                filterSecurityInterceptor
            " />
        </security:filter-chain-map>
    </bean>

    <!-- SecurityContextPersistenceFilter -->
    <bean id="securityContextPersistenceFilter" class="org.springframework.security.web.context.SecurityContextPersistenceFilter">
        <constructor-arg ref="securityContextRepository" />
        <property name="forceEagerSessionCreation" value="false" />
    </bean>
    <bean id="securityContextRepository" class="org.springframework.security.web.context.HttpSessionSecurityContextRepository">
        <property name="allowSessionCreation" value="true" />
        <!-- never put the session id into URLs -->
        <property name="disableUrlRewriting" value="true" />
    </bean>

    <!-- CsrfFilter -->
    <bean id="csrfFilter" class="org.springframework.security.web.csrf.CsrfFilter">
        <constructor-arg ref="httpSessionCsrfTokenRepository" />
        <property name="accessDeniedHandler" ref="accessDeniedHandler" />
    </bean>
    <bean id="httpSessionCsrfTokenRepository" class="org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository" />

    <!-- UsernamePasswordAuthenticationFilter -->
    <bean id="usernamePasswordAuthenticationFilter" class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
        <property name="authenticationManager" ref="authenticationManager" />
        <property name="usernameParameter" value="username" />
        <property name="passwordParameter" value="password" />
        <property name="rememberMeServices" ref="persistentTokenBasedRememberMeServices" />
        <property name="sessionAuthenticationStrategy" ref="compositeSessionAuthenticationStrategy" />
        <property name="authenticationSuccessHandler" ref="savedRequestAwareAuthenticationSuccessHandler" />
        <property name="authenticationFailureHandler" ref="simpleUrlAuthenticationFailureHandler" />
        <property name="requiresAuthenticationRequestMatcher" ref="authenticationFilterProcessUrlRequestMatcher" />
        <property name="allowSessionCreation" value="true" />
    </bean>
    <bean id="savedRequestAwareAuthenticationSuccessHandler" class="org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler">
        <property name="requestCache" ref="httpSessionRequestCache" />
        <property name="defaultTargetUrl" value="/welcome.jsp" />
    </bean>
    <bean id="simpleUrlAuthenticationFailureHandler" class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
        <constructor-arg value="/login.jsp?error" />
        <property name="allowSessionCreation" value="true" />
    </bean>
    <!-- the login form is only processed on POST /login -->
    <bean id="authenticationFilterProcessUrlRequestMatcher" class="org.springframework.security.web.util.matcher.AntPathRequestMatcher">
        <constructor-arg value="/login" />
        <constructor-arg value="POST" />
    </bean>

    <!-- AnonymousAuthenticationFilter -->
    <!-- the key given to the filter and to the provider must be identical, otherwise the provider rejects the anonymous token -->
    <bean id="anonymousAuthenticationFilter" class="org.springframework.security.web.authentication.AnonymousAuthenticationFilter">
        <constructor-arg value="BF93JFJ091N00Q7HF" />
    </bean>
    <bean id="anonymousAuthenticationProvider" class="org.springframework.security.authentication.AnonymousAuthenticationProvider">
        <constructor-arg type="java.lang.String" value="BF93JFJ091N00Q7HF" />
    </bean>

    <!-- FilterSecurityInterceptor -->
    <bean id="filterSecurityInterceptor" class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor">
        <property name="authenticationManager" ref="authenticationManager" />
        <property name="accessDecisionManager" ref="affirmativeBased" />
        <!-- URL-to-authority mapping is loaded from the database by the custom metadata source -->
        <property name="securityMetadataSource" ref="securityMetadataSource" />
        <!-- static alternative:
        <property name="securityMetadataSource">
            <security:filter-security-metadata-source use-expressions="true">
                <security:intercept-url pattern="/*.html" access="permitAll" />
                <security:intercept-url pattern="/login.jsp*" access="permitAll" />
                <security:intercept-url pattern="/login*" access="permitAll" />
                <security:intercept-url pattern="/security/**" access="hasRole('ROLE_ADMIN')" />
                <security:intercept-url pattern="/**" access="hasRole('ROLE_USER')" />
            </security:filter-security-metadata-source>
        </property>
        -->
    </bean>
    <bean id="securityMetadataSource" class="com.jaeson.springstudy.security.URLFilterInvocationSecurityMetadataSource">
        <property name="resourceRepository" ref="resourceRepository" />
    </bean>
    <bean id="resourceRepository" class="com.jaeson.springstudy.security.ResourceRepository">
        <property name="dataSource" ref="dataSource" />
    </bean>
    <!-- AffirmativeBased: access is granted as soon as one voter grants it -->
    <bean id="affirmativeBased" class="org.springframework.security.access.vote.AffirmativeBased">
        <constructor-arg type="java.util.List">
            <list>
                <ref bean="expressionVoter" />
                <ref bean="roleVoter" />
                <ref bean="authenticatedVoter" />
            </list>
        </constructor-arg>
    </bean>
    <bean id="roleVoter" class="org.springframework.security.access.vote.RoleVoter" />
    <bean id="authenticatedVoter" class="org.springframework.security.access.vote.AuthenticatedVoter" />
    <bean id="expressionVoter" class="org.springframework.security.web.access.expression.WebExpressionVoter">
        <property name="expressionHandler" ref="expressionHandler" />
    </bean>
    <bean id="expressionHandler" class="org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler" />

    <!-- AuthenticationManager -->
    <bean id="authenticationManager" class="org.springframework.security.authentication.ProviderManager">
        <constructor-arg type="java.util.List">
            <list>
                <ref bean="daoAuthenticationProvider" />
                <ref bean="anonymousAuthenticationProvider" />
                <ref bean="rememberMeAuthenticationProvider" />
            </list>
        </constructor-arg>
        <property name="authenticationEventPublisher" ref="defaultAuthenticationEventPublisher" />
    </bean>
    <bean id="passwordEncoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder" />
    <bean id="defaultAuthenticationEventPublisher" class="org.springframework.security.authentication.DefaultAuthenticationEventPublisher" />
    <bean id="daoAuthenticationProvider" class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
        <property name="userDetailsService" ref="userDetailsService" />
        <property name="passwordEncoder" ref="passwordEncoder" />
    </bean>
    <!-- JdbcDaoImpl reads the result columns by position: (username, password, enabled) and (username, authority) -->
    <bean id="userDetailsService" class="org.springframework.security.core.userdetails.jdbc.JdbcDaoImpl">
        <property name="dataSource" ref="dataSource" />
        <property name="usersByUsernameQuery"
            value="SELECT username, password, enable FROM user WHERE username=?" />
        <property name="authoritiesByUsernameQuery"
            value="SELECT u.username as username, r.rolename as rolename FROM user u JOIN user_group ug ON u.id=ug.user_id JOIN groups g ON ug.group_id=g.id JOIN group_role gr ON g.id=gr.group_id JOIN role r ON gr.role_id=r.id WHERE u.username=?" />
    </bean>

    <!-- LogoutFilter -->
    <bean id="logoutFilter" class="org.springframework.security.web.authentication.logout.LogoutFilter">
        <!-- logout success URL -->
        <constructor-arg type="java.lang.String" value="/logout.html" />
        <constructor-arg>
            <array>
                <ref bean="securityContextLogoutHandler" />
                <ref bean="cookieClearingLogoutHandler" />
                <!-- also invalidates the persistent remember-me token -->
                <ref bean="persistentTokenBasedRememberMeServices" />
            </array>
        </constructor-arg>
        <property name="logoutRequestMatcher" ref="logoutFilterProcessUrlRequestMatcher" />
    </bean>
    <bean id="securityContextLogoutHandler" class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler">
        <property name="invalidateHttpSession" value="true" />
        <property name="clearAuthentication" value="true" />
    </bean>
    <bean id="cookieClearingLogoutHandler" class="org.springframework.security.web.authentication.logout.CookieClearingLogoutHandler">
        <constructor-arg>
            <array>
                <value>JSESSIONID</value>
            </array>
        </constructor-arg>
    </bean>
    <bean id="logoutFilterProcessUrlRequestMatcher" class="org.springframework.security.web.util.matcher.AntPathRequestMatcher">
        <constructor-arg value="/logout" />
    </bean>

    <!-- RememberMeAuthenticationFilter -->
    <bean id="rememberMeAuthenticationFilter" class="org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter">
        <constructor-arg ref="authenticationManager" />
        <constructor-arg ref="persistentTokenBasedRememberMeServices" />
    </bean>
    <!-- the key must match the one given to rememberMeAuthenticationProvider -->
    <bean id="persistentTokenBasedRememberMeServices" class="org.springframework.security.web.authentication.rememberme.PersistentTokenBasedRememberMeServices">
        <constructor-arg type="java.lang.String" value="BoSk70Yar38~veg91DoCKs=sLaIn!met" />
        <constructor-arg type="org.springframework.security.core.userdetails.UserDetailsService" ref="userDetailsService" />
        <constructor-arg type="org.springframework.security.web.authentication.rememberme.PersistentTokenRepository" ref="jdbcTokenRepository" />
        <property name="cookieName" value="REMEMBER_ME" />
        <property name="parameter" value="remember-me" />
    </bean>
    <bean id="jdbcTokenRepository" class="org.springframework.security.web.authentication.rememberme.JdbcTokenRepositoryImpl">
        <property name="dataSource" ref="dataSource" />
    </bean>
    <bean id="rememberMeAuthenticationProvider" class="org.springframework.security.authentication.RememberMeAuthenticationProvider">
        <constructor-arg value="BoSk70Yar38~veg91DoCKs=sLaIn!met" />
    </bean>

    <!-- ExceptionTranslationFilter -->
    <bean id="exceptionTranslationFilter" class="org.springframework.security.web.access.ExceptionTranslationFilter">
        <constructor-arg ref="loginUrlAuthenticationEntryPoint" />
        <constructor-arg ref="httpSessionRequestCache" />
        <property name="accessDeniedHandler" ref="accessDeniedHandler" />
    </bean>
    <bean id="loginUrlAuthenticationEntryPoint" class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
        <constructor-arg value="/login.jsp" />
    </bean>
    <bean id="accessDeniedHandler" class="org.springframework.security.web.access.AccessDeniedHandlerImpl">
        <property name="errorPage" value="/accessDenied.html" />
    </bean>

    <!-- ConcurrentSessionFilter -->
    <bean id="concurrentSessionFilter" class="org.springframework.security.web.session.ConcurrentSessionFilter">
        <constructor-arg type="org.springframework.security.core.session.SessionRegistry" ref="sessionRegistry" />
        <!-- URL shown when a session has been expired by a newer login -->
        <constructor-arg type="java.lang.String" value="/expire.html" />
        <property name="logoutHandlers">
            <array>
                <ref bean="securityContextLogoutHandler" />
                <ref bean="cookieClearingLogoutHandler" />
                <ref bean="persistentTokenBasedRememberMeServices" />
            </array>
        </property>
    </bean>

    <!-- SessionManagementFilter -->
    <bean id="sessionManagementFilter" class="org.springframework.security.web.session.SessionManagementFilter">
        <constructor-arg ref="securityContextRepository" />
        <constructor-arg ref="compositeSessionAuthenticationStrategy" />
        <property name="authenticationFailureHandler" ref="simpleUrlAuthenticationFailureHandler" />
    </bean>

    <!-- SessionAuthenticationStrategy -->
    <bean id="compositeSessionAuthenticationStrategy" class="org.springframework.security.web.authentication.session.CompositeSessionAuthenticationStrategy">
        <constructor-arg>
            <list>
                <ref bean="csrfAuthenticationStrategy" />
                <ref bean="sessionControlAuthenticationStrategy" />
                <ref bean="sessionFixationProtectionStrategy" />
                <ref bean="registerSessionAuthenticationStrategy" />
            </list>
        </constructor-arg>
    </bean>
    <!-- issues a fresh CSRF token after login -->
    <bean id="csrfAuthenticationStrategy" class="org.springframework.security.web.csrf.CsrfAuthenticationStrategy">
        <constructor-arg ref="httpSessionCsrfTokenRepository" />
    </bean>
    <!-- one concurrent session per user; a second login is rejected instead of expiring the first -->
    <bean id="sessionControlAuthenticationStrategy" class="com.jaeson.springstudy.security.MyConcurrentSessionControlAuthenticationStrategy">
        <!-- class="org.springframework.security.web.authentication.session.ConcurrentSessionControlAuthenticationStrategy"> -->
        <constructor-arg ref="sessionRegistry" />
        <property name="maximumSessions" value="1" />
        <property name="exceptionIfMaximumExceeded" value="true" />
    </bean>
    <!-- new session id on login (session fixation protection), keeping the session attributes -->
    <bean id="sessionFixationProtectionStrategy" class="org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy">
        <property name="migrateSessionAttributes" value="true" />
    </bean>
    <bean id="registerSessionAuthenticationStrategy" class="com.jaeson.springstudy.security.MyRegisterSessionAuthenticationStrategy">
        <!-- class="org.springframework.security.web.authentication.session.RegisterSessionAuthenticationStrategy"> -->
        <constructor-arg ref="sessionRegistry" />
    </bean>
    <!-- <bean id="sessionRegistry" class="org.springframework.security.core.session.SessionRegistryImpl"/> -->
    <bean id="sessionRegistry" class="com.jaeson.springstudy.security.MySessionRegistryImpl" />

    <!-- SecurityContextHolderAwareRequestFilter -->
    <bean id="securityContextHolderAwareRequestFilter" class="org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter">
        <property name="authenticationManager" ref="authenticationManager" />
    </bean>

    <!-- WebAsyncManagerIntegrationFilter -->
    <bean id="webAsyncManagerIntegrationFilter" class="org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter" />

    <!-- BasicAuthenticationFilter -->
    <bean id="basicAuthenticationFilter" class="org.springframework.security.web.authentication.www.BasicAuthenticationFilter">
        <constructor-arg ref="authenticationManager" />
        <constructor-arg ref="basicAuthenticationEntryPoint" />
    </bean>
    <bean id="basicAuthenticationEntryPoint" class="org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint">
        <property name="realmName" value="Spring Security Application" />
    </bean>

    <!-- RequestCacheAwareFilter -->
    <bean id="requestCacheAwareFilter" class="org.springframework.security.web.savedrequest.RequestCacheAwareFilter">
        <constructor-arg ref="httpSessionRequestCache" />
    </bean>
    <bean id="httpSessionRequestCache" class="org.springframework.security.web.savedrequest.HttpSessionRequestCache">
        <property name="createSessionAllowed" value="true" />
    </bean>

    <!-- Dependency of the page-tag authorization feature -->
    <bean id="webInvocationFilter" class="org.springframework.security.web.access.DefaultWebInvocationPrivilegeEvaluator">
        <constructor-arg ref="filterSecurityInterceptor" />
    </bean>

    <!-- Method-level access control -->
    <bean id="methodSecurityInterceptor" class="org.springframework.security.access.intercept.aopalliance.MethodSecurityInterceptor">
        <property name="authenticationManager" ref="authenticationManager" />
        <property name="accessDecisionManager" ref="methodAffirmativeBased" />
        <property name="securityMetadataSource">
            <security:method-security-metadata-source>
                <!-- Specify the protected methods and the authorities they require -->
                <security:protect method="com.jaeson.springstudy.security.SessionRegistryExample.getOnline*" access="ROLE_USER, ROLE_ADMIN" />
                <security:protect method="com.jaeson.springstudy.security.SessionRegistryExample.getActive*" access="ROLE_ADMIN" />
                <security:protect method="com.jaeson.springstudy.security.SessionRegistryExample.test*" access="IS_AUTHENTICATED_FULLY" />
            </security:method-security-metadata-source>
        </property>
    </bean>
    <bean id="methodAffirmativeBased" class="org.springframework.security.access.vote.AffirmativeBased">
        <constructor-arg type="java.util.List">
            <list>
                <ref bean="roleVoter" />
                <ref bean="authenticatedVoter" />
            </list>
        </constructor-arg>
    </bean>
    <!-- <bean id="methodExpressionHandler" class="org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler" /> -->
    <aop:config>
        <aop:pointcut id="securityMethodPointCut" expression="execution(* com.jaeson.springstudy.security.SessionRegistryExample.*(..))" />
        <aop:advisor advice-ref="methodSecurityInterceptor" pointcut-ref="securityMethodPointCut" />
    </aop:config>

    <!-- Spring Security defines four annotations that support expressions: @PreAuthorize, @PostAuthorize,
         @PreFilter and @PostFilter. The first two perform an authorization check before or after the method
         call; the last two filter collection-typed arguments or return values. -->
    <!-- <security:global-method-security pre-post-annotations="enabled" /> -->
    <!-- JSR-250 annotation: @RolesAllowed -->
    <!-- <security:global-method-security jsr250-annotations="enabled"/> -->
</beans>
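An explicit filter-chain-map like the one above is easy to get subtly wrong: a chain with filters="none" sits outside Spring Security altogether, a filter listed out of its standard order (anonymous before remember-me, say) silently disables the later one, and the literal key shared by each filter/provider pair (anonymous, remember-me) must be identical or the provider rejects every token. The audit script below is an added example, not part of the original configuration; its STANDARD_ORDER is the reference filter ordering as assumed here, and the embedded sample config is constructed with two deliberate faults so the checks have something to report.

```python
import xml.etree.ElementTree as ET

NS = {"b": "http://www.springframework.org/schema/beans", "s": "http://www.springframework.org/schema/security"}
# Standard relative order of the filters the page's chain declares (assumed reference order).
STANDARD_ORDER = ["securityContextPersistenceFilter", "concurrentSessionFilter",
    "webAsyncManagerIntegrationFilter", "csrfFilter", "logoutFilter",
    "usernamePasswordAuthenticationFilter", "basicAuthenticationFilter",
    "requestCacheAwareFilter", "securityContextHolderAwareRequestFilter",
    "rememberMeAuthenticationFilter", "anonymousAuthenticationFilter",
    "sessionManagementFilter", "exceptionTranslationFilter", "filterSecurityInterceptor"]
# Filter/provider pairs that must be constructed with the same shared key.
KEY_PAIRS = [("AnonymousAuthenticationFilter", "AnonymousAuthenticationProvider"),
             ("PersistentTokenBasedRememberMeServices", "RememberMeAuthenticationProvider")]
# Constructed sample (not the page's file) with two deliberate faults: anonymous is listed
# before remember-me, so remember-me never fires, and the remember-me keys differ (K2 vs K3).
SAMPLE = """<beans xmlns="http://www.springframework.org/schema/beans"
  xmlns:security="http://www.springframework.org/schema/security">
 <bean id="springSecurityFilterChain" class="org.springframework.security.web.FilterChainProxy">
  <security:filter-chain-map request-matcher="ant">
   <security:filter-chain pattern="/resources/**" filters="none"/>
   <security:filter-chain pattern="/*.html" filters="none"/>
   <security:filter-chain pattern="/**" filters="securityContextPersistenceFilter, csrfFilter,
     logoutFilter, usernamePasswordAuthenticationFilter, anonymousAuthenticationFilter,
     rememberMeAuthenticationFilter, exceptionTranslationFilter, filterSecurityInterceptor"/>
  </security:filter-chain-map>
 </bean>
 <bean id="anonF" class="x.AnonymousAuthenticationFilter"><constructor-arg value="K1"/></bean>
 <bean id="anonP" class="x.AnonymousAuthenticationProvider"><constructor-arg value="K1"/></bean>
 <bean id="rmS" class="x.PersistentTokenBasedRememberMeServices"><constructor-arg value="K2"/></bean>
 <bean id="rmP" class="x.RememberMeAuthenticationProvider"><constructor-arg value="K3"/></bean>
</beans>"""

def chain_filters(root, pattern):
    # Filter bean names of the chain bound to `pattern`, in declared order ([] for filters="none").
    fcs = [fc for fc in root.iterfind(".//s:filter-chain", NS) if fc.get("pattern") == pattern]
    return [f.strip() for f in fcs[0].get("filters", "").split(",") if f.strip() not in ("", "none")] if fcs else []

def order_violations(filters):
    # (a, b) pairs where a is listed before b although STANDARD_ORDER puts a after b.
    rank = {n: i for i, n in enumerate(STANDARD_ORDER)}
    known = [f for f in filters if f in rank]
    return [(a, b) for i, a in enumerate(known) for b in known[i + 1:] if rank[a] > rank[b]]

def _key(root, class_suffix):
    # First literal constructor-arg of the bean whose class name ends in class_suffix.
    for bean in root.iterfind("b:bean", NS):
        if bean.get("class", "").endswith("." + class_suffix):
            return next((a.get("value") for a in bean.iterfind("b:constructor-arg", NS)
                         if a.get("value") is not None), None)

def key_mismatches(root):
    # Pairs whose keys differ: the provider then rejects every token the filter creates.
    return [(a, b) for a, b in KEY_PAIRS if _key(root, a) != _key(root, b)]

def audit(xml_text):
    root = ET.fromstring(xml_text)
    # filters="none" chains bypass Spring Security entirely, so list them explicitly.
    unprotected = [fc.get("pattern") for fc in root.iterfind(".//s:filter-chain", NS)
                   if fc.get("filters", "").strip() == "none"]
    return {"unprotected": unprotected,
            "misordered": order_violations(chain_filters(root, "/**")),
            "key_mismatch": key_mismatches(root)}
```

Run `audit()` over a real config file's text to get the same three findings; an empty `misordered` and `key_mismatch` list and an expected `unprotected` list is the clean result.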