jaesonchen

Spring Security: custom bean configuration

 
<beans
	xmlns="http://www.springframework.org/schema/beans"
	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xmlns:aop="http://www.springframework.org/schema/aop"
	xmlns:security="http://www.springframework.org/schema/security"
	xsi:schemaLocation="
		http://www.springframework.org/schema/beans 
		http://www.springframework.org/schema/beans/spring-beans-4.0.xsd 
		http://www.springframework.org/schema/aop 
        http://www.springframework.org/schema/aop/spring-aop-4.0.xsd
        http://www.springframework.org/schema/security 
		http://www.springframework.org/schema/security/spring-security.xsd ">
		
		
	<bean id="springSecurityFilterChain" class="org.springframework.security.web.FilterChainProxy">
		<security:filter-chain-map request-matcher="ant">
			<security:filter-chain pattern="/resources/**" filters="none" />
			<security:filter-chain pattern="/*.html" filters="none" />
			<security:filter-chain pattern="/**" filters="
		        securityContextPersistenceFilter,
		        concurrentSessionFilter,
		        webAsyncManagerIntegrationFilter,
		        csrfFilter,
		        logoutFilter,
		        usernamePasswordAuthenticationFilter,
		        basicAuthenticationFilter,
		        requestCacheAwareFilter,
		        securityContextHolderAwareRequestFilter,
		        rememberMeAuthenticationFilter,
		        anonymousAuthenticationFilter,
		        sessionManagementFilter,
		        exceptionTranslationFilter,
		        filterSecurityInterceptor
		        " />
    	</security:filter-chain-map>
  	</bean>
  	
  	<!-- SecurityContextPersistenceFilter -->
	<bean id="securityContextPersistenceFilter"
			class="org.springframework.security.web.context.SecurityContextPersistenceFilter">
		<constructor-arg ref="securityContextRepository" />
    	<property name="forceEagerSessionCreation" value="false" />
	</bean>
	<bean id="securityContextRepository"
			class="org.springframework.security.web.context.HttpSessionSecurityContextRepository">
		<property name="allowSessionCreation" value="true" />
		<property name="disableUrlRewriting" value="true" />
	</bean>
	
	<!-- CsrfFilter -->
	<bean id="csrfFilter"
			class="org.springframework.security.web.csrf.CsrfFilter">
		<constructor-arg ref="httpSessionCsrfTokenRepository" />
    	<property name="accessDeniedHandler" ref="accessDeniedHandler" />
	</bean>
	<bean id="httpSessionCsrfTokenRepository"
			class="org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository" />
			
	<!-- UsernamePasswordAuthenticationFilter -->
	<bean id="usernamePasswordAuthenticationFilter"
			class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
		<property name="authenticationManager" ref="authenticationManager" />
	    <property name="usernameParameter" value="username" />
	    <property name="passwordParameter" value="password" />
	    <property name="rememberMeServices" ref="persistentTokenBasedRememberMeServices" />
	    <property name="sessionAuthenticationStrategy" ref="compositeSessionAuthenticationStrategy" />
	    <property name="authenticationSuccessHandler" ref="savedRequestAwareAuthenticationSuccessHandler" />
	    <property name="authenticationFailureHandler" ref="simpleUrlAuthenticationFailureHandler" />
	    <property name="requiresAuthenticationRequestMatcher" ref="authenticationFilterProcessUrlRequestMatcher" />
	    <property name="allowSessionCreation" value="true"/>
	</bean>
	<bean id="savedRequestAwareAuthenticationSuccessHandler" 
			class="org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler" >
	    <property name="requestCache" ref="httpSessionRequestCache" />
	    <property name="defaultTargetUrl" value="/welcome.jsp" />
	</bean>
	<bean id="simpleUrlAuthenticationFailureHandler"
			class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
	    <constructor-arg value="/login.jsp?error" />
	    <property name="allowSessionCreation" value="true" />
	</bean>
	<bean id="authenticationFilterProcessUrlRequestMatcher" 
			class="org.springframework.security.web.util.matcher.AntPathRequestMatcher">
    	<constructor-arg value="/login" />
    	<constructor-arg value="POST" />
	</bean>


	<!-- AnonymousAuthenticationFilter: the key must be identical in the filter and in AnonymousAuthenticationProvider -->
	<bean id="anonymousAuthenticationFilter"
			class="org.springframework.security.web.authentication.AnonymousAuthenticationFilter">
		<constructor-arg value="BF93JFJ091N00Q7HF" />
	</bean>
	<bean id="anonymousAuthenticationProvider"
			class="org.springframework.security.authentication.AnonymousAuthenticationProvider">
    	<constructor-arg type="java.lang.String" value="BF93JFJ091N00Q7HF"/>
	</bean>
	
	<!-- FilterSecurityInterceptor -->
	<bean id="filterSecurityInterceptor"
			class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor">
	    <property name="authenticationManager" ref="authenticationManager" />
	    <property name="accessDecisionManager" ref="affirmativeBased" />
		<property name="securityMetadataSource" ref="securityMetadataSource" />
		<!-- 
		<property name="securityMetadataSource">
			<security:filter-security-metadata-source use-expressions="true">
		        <security:intercept-url pattern="/*.html" access="permitAll" />
		        <security:intercept-url pattern="/login.jsp*" access="permitAll" />
				<security:intercept-url pattern="/login*" access="permitAll" />
				<security:intercept-url pattern="/security/**" access="hasRole('ROLE_ADMIN')" />
				<security:intercept-url pattern="/**" access="hasRole('ROLE_USER')" />
			</security:filter-security-metadata-source>
		</property> -->
	</bean>
	<bean id="securityMetadataSource" class="com.jaeson.springstudy.security.URLFilterInvocationSecurityMetadataSource">
		<property name="resourceRepository" ref="resourceRepository" />
	</bean>
	<bean id="resourceRepository" class="com.jaeson.springstudy.security.ResourceRepository">
		<property name="dataSource" ref="dataSource" />
	</bean>
	<bean id="affirmativeBased" class="org.springframework.security.access.vote.AffirmativeBased">
		<constructor-arg type="java.util.List">
			<list>
		        <ref bean="expressionVoter" />
		        <ref bean="roleVoter" />
		        <ref bean="authenticatedVoter" />
			</list>
		</constructor-arg>
	</bean>
 	<bean id="roleVoter" class="org.springframework.security.access.vote.RoleVoter" />
 	<bean id="authenticatedVoter" class="org.springframework.security.access.vote.AuthenticatedVoter" />
	<bean id="expressionVoter" class="org.springframework.security.web.access.expression.WebExpressionVoter">
		<property name="expressionHandler" ref="expressionHandler" />
	</bean>
	<bean id="expressionHandler"
			class="org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler" />

	
	<!-- AuthenticationManager -->
	<bean id="authenticationManager" class="org.springframework.security.authentication.ProviderManager">
		<constructor-arg type="java.util.List">
			<list>
		        <ref bean="daoAuthenticationProvider" />
		        <ref bean="anonymousAuthenticationProvider" />
		        <ref bean="rememberMeAuthenticationProvider" />
			</list>
		</constructor-arg>
    	<property name="authenticationEventPublisher" ref="defaultAuthenticationEventPublisher" />
	</bean>
	<bean id="passwordEncoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder" />
	<bean id="defaultAuthenticationEventPublisher" 
			class="org.springframework.security.authentication.DefaultAuthenticationEventPublisher" />
	<bean id="daoAuthenticationProvider"
			class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
	    <property name="userDetailsService" ref="userDetailsService"/>
	    <property name="passwordEncoder" ref="passwordEncoder"/>
	</bean>
	<bean id="userDetailsService" class="org.springframework.security.core.userdetails.jdbc.JdbcDaoImpl">
		<property name="dataSource" ref="dataSource" />
		<property name="usersByUsernameQuery" 
			value="SELECT username, password, enable FROM user WHERE username=?" />
		<property name="authoritiesByUsernameQuery" 
			value="SELECT u.username as username, r.rolename as rolename
					FROM user u
					JOIN user_group ug ON u.id=ug.user_id
					JOIN groups g ON ug.group_id=g.id
					JOIN group_role gr ON g.id=gr.group_id
					JOIN role r ON gr.role_id=r.id
					WHERE u.username=?" />
	</bean>
	
	<!-- LogoutFilter -->
	<bean id="logoutFilter" class="org.springframework.security.web.authentication.logout.LogoutFilter">
	    <constructor-arg type="java.lang.String" value="/logout.html"/>
	    <constructor-arg>
			<array>
				<ref bean="securityContextLogoutHandler" />
				<ref bean="cookieClearingLogoutHandler" />
		        <ref bean="persistentTokenBasedRememberMeServices" />
			</array>
		</constructor-arg>
		<property name="logoutRequestMatcher" ref="logoutFilterProcessUrlRequestMatcher" />
	</bean>
	<bean id="securityContextLogoutHandler"
      		class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler">
	    <property name="invalidateHttpSession" value="true"/>
	    <property name="clearAuthentication" value="true"/>
	</bean>
	<bean id="cookieClearingLogoutHandler"
      		class="org.springframework.security.web.authentication.logout.CookieClearingLogoutHandler">
		<constructor-arg>
			<array>
				<value>JSESSIONID</value>
			</array>
		</constructor-arg>
	</bean>
	<bean id="logoutFilterProcessUrlRequestMatcher" 
  			class="org.springframework.security.web.util.matcher.AntPathRequestMatcher">
    	<constructor-arg value="/logout"/>
  	</bean>
  	
	<!-- RememberMeAuthenticationFilter: the key must be identical in the remember-me services and in RememberMeAuthenticationProvider -->
	<bean id="rememberMeAuthenticationFilter"
			class="org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter">
		<constructor-arg ref="authenticationManager"/>
		<constructor-arg ref="persistentTokenBasedRememberMeServices"/>
	</bean>
	<bean id="persistentTokenBasedRememberMeServices"
			class="org.springframework.security.web.authentication.rememberme.PersistentTokenBasedRememberMeServices">
		<constructor-arg  type="java.lang.String" value="BoSk70Yar38~veg91DoCKs=sLaIn!met" />
		<constructor-arg 
			type="org.springframework.security.core.userdetails.UserDetailsService"
            ref="userDetailsService" />
    	<constructor-arg
			type="org.springframework.security.web.authentication.rememberme.PersistentTokenRepository"
        	ref="jdbcTokenRepository" />
	    <property name="cookieName" value="REMEMBER_ME" />
	    <property name="parameter" value="remember-me" />
	</bean>
	<bean id="jdbcTokenRepository"
			class="org.springframework.security.web.authentication.rememberme.JdbcTokenRepositoryImpl">
		<property name="dataSource" ref="dataSource" />
	</bean>
	<bean id="rememberMeAuthenticationProvider"
			class="org.springframework.security.authentication.RememberMeAuthenticationProvider">
		<constructor-arg value="BoSk70Yar38~veg91DoCKs=sLaIn!met"/>
	</bean>

	<!-- ExceptionTranslationFilter -->
	<bean id="exceptionTranslationFilter" class="org.springframework.security.web.access.ExceptionTranslationFilter">
	    <constructor-arg ref="loginUrlAuthenticationEntryPoint" />
	    <constructor-arg ref="httpSessionRequestCache" />
	    <property name="accessDeniedHandler" ref="accessDeniedHandler" />
	</bean>
	<bean id="loginUrlAuthenticationEntryPoint"
			class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
		<constructor-arg value="/login.jsp" />
	</bean>
	<bean id="accessDeniedHandler" class="org.springframework.security.web.access.AccessDeniedHandlerImpl">
		<property name="errorPage" value="/accessDenied.html" />
	</bean>

	<!-- ConcurrentSessionFilter -->
	<bean id="concurrentSessionFilter" class="org.springframework.security.web.session.ConcurrentSessionFilter">
	    <constructor-arg type="org.springframework.security.core.session.SessionRegistry" ref="sessionRegistry" />
	    <constructor-arg type="java.lang.String" value="/expire.html" />
		<property name="logoutHandlers">
			<array>
				<ref bean="securityContextLogoutHandler" />
				<ref bean="cookieClearingLogoutHandler" />
		        <ref bean="persistentTokenBasedRememberMeServices" />
			</array>
		</property>
	</bean>
	<!-- SessionManagementFilter -->
	<bean id="sessionManagementFilter" class="org.springframework.security.web.session.SessionManagementFilter">
	    <constructor-arg ref="securityContextRepository"/>
	    <constructor-arg ref="compositeSessionAuthenticationStrategy"/>
	    <property name="authenticationFailureHandler" ref="simpleUrlAuthenticationFailureHandler"/>
	</bean>

	<!-- SessionAuthenticationStrategy -->
	<bean id="compositeSessionAuthenticationStrategy"
			class="org.springframework.security.web.authentication.session.CompositeSessionAuthenticationStrategy">
		<constructor-arg>
			<list>
				<ref bean="csrfAuthenticationStrategy" />
		        <ref bean="sessionControlAuthenticationStrategy" />
		        <ref bean="sessionFixationProtectionStrategy" />
		        <ref bean="registerSessionAuthenticationStrategy" />
			</list>
		</constructor-arg>
	</bean>
	<bean id="csrfAuthenticationStrategy"
			class="org.springframework.security.web.csrf.CsrfAuthenticationStrategy">
		<constructor-arg ref="httpSessionCsrfTokenRepository"/>
	</bean>
	<bean id="sessionControlAuthenticationStrategy"
			class="com.jaeson.springstudy.security.MyConcurrentSessionControlAuthenticationStrategy">
			<!-- class="org.springframework.security.web.authentication.session.ConcurrentSessionControlAuthenticationStrategy"> -->
		<constructor-arg ref="sessionRegistry" />
		<property name="maximumSessions" value="1" />
		<property name="exceptionIfMaximumExceeded" value="true" />
	</bean>
	<bean id="sessionFixationProtectionStrategy"
			class="org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy">
		<property name="migrateSessionAttributes" value="true" />
	</bean>
	<bean id="registerSessionAuthenticationStrategy"
			class="com.jaeson.springstudy.security.MyRegisterSessionAuthenticationStrategy">
			<!-- class="org.springframework.security.web.authentication.session.RegisterSessionAuthenticationStrategy"> -->
    	<constructor-arg ref="sessionRegistry" />
	</bean>
	<!-- <bean id="sessionRegistry" class="org.springframework.security.core.session.SessionRegistryImpl"/> -->
	<bean id="sessionRegistry" class="com.jaeson.springstudy.security.MySessionRegistryImpl" />
	
	<!-- SecurityContextHolderAwareRequestFilter -->
	<bean id="securityContextHolderAwareRequestFilter"
			class="org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter">
		<property name="authenticationManager" ref="authenticationManager" />
	</bean>	
	
	<!-- WebAsyncManagerIntegrationFilter -->
	<bean id="webAsyncManagerIntegrationFilter"
			class="org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter" />

	<!-- BasicAuthenticationFilter -->
	<bean id="basicAuthenticationFilter"
			class="org.springframework.security.web.authentication.www.BasicAuthenticationFilter">
	    <constructor-arg ref="authenticationManager" />
	    <constructor-arg ref="basicAuthenticationEntryPoint" />
	</bean>
	<bean id="basicAuthenticationEntryPoint"
			class="org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint">
		<property name="realmName" value="Spring Security Application" />
	</bean>

	<!-- RequestCacheAwareFilter -->
	<bean id="requestCacheAwareFilter" class="org.springframework.security.web.savedrequest.RequestCacheAwareFilter">
		<constructor-arg ref="httpSessionRequestCache" />
	</bean>
	<bean id="httpSessionRequestCache" class="org.springframework.security.web.savedrequest.HttpSessionRequestCache">
	    <property name="createSessionAllowed" value="true" />
	</bean>	

	<!-- Dependency of the page-tag (JSP taglib) authorization feature -->
	<bean id="webInvocationFilter" 
			class="org.springframework.security.web.access.DefaultWebInvocationPrivilegeEvaluator">
		<constructor-arg ref="filterSecurityInterceptor" />
	</bean>

	<!-- Method-level access control -->
	<bean id="methodSecurityInterceptor" 
			class="org.springframework.security.access.intercept.aopalliance.MethodSecurityInterceptor">
		<property name="authenticationManager" ref="authenticationManager" />
		<property name="accessDecisionManager" ref="methodAffirmativeBased" />
		<property name="securityMetadataSource">
			<security:method-security-metadata-source>
				<!-- Specify the methods to protect and the authorities they require -->
				<security:protect method="com.jaeson.springstudy.security.SessionRegistryExample.getOnline*" 
					access="ROLE_USER, ROLE_ADMIN" />
				<security:protect method="com.jaeson.springstudy.security.SessionRegistryExample.getActive*" 
					access="ROLE_ADMIN" />
				<security:protect method="com.jaeson.springstudy.security.SessionRegistryExample.test*" 
					access="IS_AUTHENTICATED_FULLY" />
			</security:method-security-metadata-source>
		</property>
	</bean>
	<bean id="methodAffirmativeBased" class="org.springframework.security.access.vote.AffirmativeBased">
		<constructor-arg type="java.util.List">
			<list>
		        <ref bean="roleVoter" />
		        <ref bean="authenticatedVoter" />
			</list>
		</constructor-arg>
	</bean>
	<!-- <bean id="methodExpressionHandler"
			class="org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler" /> -->
	<aop:config>
		<aop:pointcut id="securityMethodPointCut" expression="execution(* com.jaeson.springstudy.security.SessionRegistryExample.*(..))" />
		<aop:advisor advice-ref="methodSecurityInterceptor" pointcut-ref="securityMethodPointCut"/>
	</aop:config>
	
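	<!-- Spring Security defines four annotations that support expressions: @PreAuthorize, @PostAuthorize, @PreFilter and @PostFilter.
		The first two perform an authorization check before or after a method call; the last two filter collection-typed arguments or return values. -->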
	<!-- <security:global-method-security pre-post-annotations="enabled" /> -->
	
	<!-- JSR-250 annotation: @RolesAllowed -->
	<!-- <security:global-method-security jsr250-annotations="enabled"/> -->
</beans>
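
Wiring every filter by hand, as the file above does, moves the consistency checks that the `<security:http>` namespace normally performs onto the reviewer: each name in a `filters` list has to be a defined bean, and the anonymous and remember-me keys each appear twice and must agree, because the provider rejects tokens created with a different key. The script below is an added example, not the author's code, that audits a bean file for those points; `audit`, `literal_key`, `KEY_PAIRS` and the sample bean ids are names chosen here, and the sample XML is constructed.

```python
import xml.etree.ElementTree as ET

BEANS = "http://www.springframework.org/schema/beans"
SEC = "http://www.springframework.org/schema/security"
P = "org.springframework.security."
KEY_PAIRS = [  # (token producer, token verifier): both take the same key
    (P + "web.authentication.AnonymousAuthenticationFilter",
     P + "authentication.AnonymousAuthenticationProvider"),
    (P + "web.authentication.rememberme.PersistentTokenBasedRememberMeServices",
     P + "authentication.RememberMeAuthenticationProvider"),
]

def literal_key(bean):
    """First literal <constructor-arg value="..."> of a bean, or None."""
    args = bean.findall(f"{{{BEANS}}}constructor-arg")
    return next((a.get("value") for a in args if "value" in a.attrib), None)

def audit(xml_text):
    """Return sorted findings for a hand-wired Spring Security bean file."""
    root = ET.fromstring(xml_text)
    beans = {b.get("id"): b for b in root.iter(f"{{{BEANS}}}bean") if b.get("id")}
    by_class = {b.get("class"): b for b in beans.values()}
    findings = []
    # 1. Every name in a chain's "filters" list must be a defined bean id.
    for chain in root.iter(f"{{{SEC}}}filter-chain"):
        for name in (n.strip() for n in chain.get("filters", "").split(",")):
            if name and name != "none" and name not in beans:
                findings.append(f"{chain.get('pattern')}: undefined filter '{name}'")
    # 2. References that do not resolve here point at another context file.
    refs = {el.get("bean") for el in root.iter(f"{{{BEANS}}}ref")}
    refs |= {el.get("ref") for el in root.iter() if "ref" in el.attrib}
    findings += [f"unresolved reference '{r}'" for r in refs - set(beans)]
    # 3. Both halves of each key pair must carry the identical key.
    for producer, verifier in KEY_PAIRS:
        a, b = by_class.get(producer), by_class.get(verifier)
        if a is not None and b is not None and literal_key(a) != literal_key(b):
            findings.append(f"key mismatch: {a.get('id')} vs {b.get('id')}")
    return sorted(findings)

# Constructed sample, not the page's file: undefined filter, external ref, key mismatch.
SAMPLE = f"""<beans xmlns="{BEANS}" xmlns:security="{SEC}">
  <bean id="chain" class="{P}web.FilterChainProxy">
    <security:filter-chain-map request-matcher="ant">
      <security:filter-chain pattern="/static/**" filters="none"/>
      <security:filter-chain pattern="/**" filters="anonFilter, csrfFilter"/>
    </security:filter-chain-map>
  </bean>
  <bean id="anonFilter" class="{P}web.authentication.AnonymousAuthenticationFilter">
    <constructor-arg value="sample-anon-key"/>
  </bean>
  <bean id="anonProvider" class="{P}authentication.AnonymousAuthenticationProvider">
    <constructor-arg type="java.lang.String" value="sample-anon-key"/>
  </bean>
  <bean id="rmServices" class="{P}web.authentication.rememberme.PersistentTokenBasedRememberMeServices">
    <constructor-arg type="java.lang.String" value="sample-key-A"/>
    <constructor-arg ref="userDetailsService"/>
  </bean>
  <bean id="rmProvider" class="{P}authentication.RememberMeAuthenticationProvider">
    <constructor-arg value="sample-key-B"/>
  </bean>
</beans>"""

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

An unresolved reference is not necessarily an error: it means the bean is defined in another context file, which then needs the same review.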

 

 
