SpringSecurity的配置相對來說有些複雜,如果是完整的bean配置,則需要配置大量的bean,所以xml配置時使用了命名空間來簡化配置,同樣,spring爲我們提供了一個抽象類WebSecurityConfigurerAdapter和一個註解@EnableWebMvcSecurity,達到同樣減少bean配置的目的,如下:
applicationContext-SpringSecurityConfig.xml
<!-- Static resources and JSP views bypass the security filter chain entirely (no authentication, no authorisation). -->
<http security="none" pattern="/static/**" />
<http security="none" pattern="/**/*.jsp" />
<http auto-config='true' access-decision-manager-ref="accessDecisionManager" access-denied-page="/login" use-expressions="true">
    <logout logout-url="/logout" invalidate-session="true" logout-success-url="/login" />
    <form-login login-page="/login" authentication-failure-url="/login?error=1" login-processing-url="/j_spring_security_check" password-parameter="j_password" username-parameter="j_username" />
    <!-- *.do* requires ROLE_USER, *.htm requires ROLE_ADMIN; evaluated by the expression voter declared below -->
    <intercept-url pattern="/**/*.do*" access="hasRole('ROLE_USER')" />
    <intercept-url pattern="/**/*.htm" access="hasRole('ROLE_ADMIN')" />
    <!-- New session id on login; a second concurrent login expires the first one and sends it to expired-url -->
    <session-management session-fixation-protection="changeSessionId">
        <concurrency-control max-sessions="1" expired-url="/access/sameLogin.do" />
    </session-management>
    <!-- NOTE(review): this key signs remember-me cookies; treat it as a secret and load it from external configuration rather than committing it to source -->
    <remember-me key="webmvc#FD637E6D9C0F1A5A67082AF56CE32485" remember-me-parameter="remember-me" />
</http>
<!-- Enable expressions, in preparation for the voter below -->
<beans:bean class="org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler" id="expressionHandler" />
<beans:bean class="org.springframework.security.web.access.expression.WebExpressionVoter" id="expressionVoter">
    <beans:property name="expressionHandler" ref="expressionHandler" />
</beans:bean>
<!-- Automatically receives AuthenticationEvent messages -->
<beans:bean id="loggerListener" class="org.springframework.security.authentication.event.LoggerListener" />
<beans:bean id="authorizationListener" class="org.springframework.security.access.event.LoggerListener" />
<!-- Authentication manager: uses the custom UserDetailsService and hashes passwords with MD5 -->
<!-- NOTE(review): no salt-source is configured, so this is a plain unsalted MD5 digest; a slow, salted encoder (bcrypt) is the recommended replacement and requires re-hashing stored passwords -->
<authentication-manager>
    <authentication-provider user-service-ref="userService">
        <password-encoder hash="md5" />
    </authentication-provider>
</authentication-manager>
<beans:bean id="userService" class="web.security.CP_UserDetailsService" />
<!-- AffirmativeBased: any single voter granting access is enough -->
<beans:bean id="accessDecisionManager" class="org.springframework.security.access.vote.AffirmativeBased">
    <beans:property name="decisionVoters">
        <beans:list>
            <beans:bean class="org.springframework.security.access.vote.RoleVoter" />
            <beans:bean class="org.springframework.security.access.vote.AuthenticatedVoter" />
            <beans:ref bean="expressionVoter" />
        </beans:list>
    </beans:property>
</beans:bean>
SpringSecurityConfig.java
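/**
 * Java-config counterpart of the {@code applicationContext-SpringSecurityConfig.xml} shown
 * above: one {@link WebSecurityConfigurerAdapter} replaces the {@code <http>},
 * {@code <authentication-manager>} and voter bean declarations.
 *
 * <p>NOTE(review): {@code @EnableWebMvcSecurity} is deprecated from Spring Security 4.0 in
 * favour of {@code @EnableWebSecurity}; left unchanged because the post does not state the
 * targeted version.
 */
@Configuration
@EnableWebMvcSecurity
public class SpringSecurityConfig extends WebSecurityConfigurerAdapter {
    private static final Logger logger = Logger.getLogger(SpringSecurityConfig.class);

    /**
     * Paths that bypass the security filter chain entirely (mirrors the two
     * {@code <http security="none">} elements of the XML). Nothing under {@code /static/**}
     * and no {@code *.jsp} is authenticated or authorised.
     */
    @Override
    public void configure(WebSecurity web) throws Exception {
        web.ignoring().antMatchers("/static/**", "/**/*.jsp");
    }

    /**
     * URL authorisation, form login, logout, session and remember-me rules.
     *
     * @throws Exception propagated from the {@link HttpSecurity} builder
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Custom AffirmativeBased manager plus the expression handler so hasRole() works;
        // *.do* needs USER, *.htm needs ADMIN, denied requests go to /login.
        http.authorizeRequests().accessDecisionManager(accessDecisionManager())
                .expressionHandler(webSecurityExpressionHandler())
                .antMatchers("/**/*.do*").hasRole("USER")
                .antMatchers("/**/*.htm").hasRole("ADMIN").and()
                .exceptionHandling().accessDeniedPage("/login");
        // Custom login page (plain http.formLogin() would give the generated default page).
        // NOTE(review): csrf().disable() switches off CSRF protection for every state-changing
        // request, login and logout included; the XML configuration above carries no such
        // switch. Keeping it enabled means rendering the CSRF token in the login form and
        // submitting logout via POST.
        http.csrf().disable().formLogin().loginPage("/login")
                .failureUrl("/login?error=1")
                .loginProcessingUrl("/j_spring_security_check")
                .usernameParameter("j_username")
                .passwordParameter("j_password").permitAll();
        // Custom logout: invalidate the HTTP session and return to the login page.
        http.logout().logoutUrl("/logout").logoutSuccessUrl("/login")
                .invalidateHttpSession(true);
        // Session management: new session id on login, one concurrent session per user.
        // NOTE(review): the XML sends an expired session to /access/sameLogin.do while this
        // config sends it to "/"; the two configurations are not equivalent here.
        http.sessionManagement().sessionFixation().changeSessionId()
                .maximumSessions(1).expiredUrl("/");
        // Remember-me.
        // NOTE(review): the key is what remember-me cookies are signed with; load it from
        // external configuration rather than committing it to source (it is also duplicated
        // in the XML).
        http.rememberMe().key("webmvc#FD637E6D9C0F1A5A67082AF56CE32485");
    }

    /**
     * Wires the custom {@link CP_UserDetailsService} into the authentication manager.
     *
     * <p>NOTE(review): {@code Md5PasswordEncoder} is a fast digest, deprecated, and no salt
     * source is configured here, so passwords are stored as unsalted MD5. Stored hashes must
     * be migrated before switching to a slow, salted encoder such as
     * {@code BCryptPasswordEncoder}, so it is left unchanged in this rewrite.
     *
     * @throws Exception propagated from the {@link AuthenticationManagerBuilder}
     */
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(userDetailsService()).passwordEncoder(new Md5PasswordEncoder());
    }

    /** The custom UserDetailsService bean (XML id {@code userService}). */
    @Bean
    public CP_UserDetailsService userDetailsService() {
        logger.info("CP_UserDetailsService");
        return new CP_UserDetailsService();
    }

    /** Logs authentication events (XML id {@code loggerListener}). */
    @Bean
    public LoggerListener loggerListener() {
        logger.info("org.springframework.security.authentication.event.LoggerListener");
        return new LoggerListener();
    }

    /** Logs authorisation events (XML id {@code authorizationListener}). */
    @Bean
    public org.springframework.security.access.event.LoggerListener eventLoggerListener() {
        logger.info("org.springframework.security.access.event.LoggerListener");
        return new org.springframework.security.access.event.LoggerListener();
    }

    /**
     * Affirmative access-decision manager built from RoleVoter, AuthenticatedVoter and the
     * expression voter: a single granting voter is enough. Additional custom voters can be
     * added to the list here.
     */
    @Bean(name = "accessDecisionManager")
    public AccessDecisionManager accessDecisionManager() {
        logger.info("AccessDecisionManager");
        // Element type matches AffirmativeBased's generic constructor, so the previous
        // @SuppressWarnings("rawtypes") is no longer needed.
        List<AccessDecisionVoter<? extends Object>> decisionVoters =
                new ArrayList<AccessDecisionVoter<? extends Object>>();
        decisionVoters.add(new RoleVoter());
        decisionVoters.add(new AuthenticatedVoter());
        decisionVoters.add(webExpressionVoter()); // enables the expression voter
        return new AffirmativeBased(decisionVoters);
    }

    /** Expression handler (XML id {@code expressionHandler}); evaluates hasRole() and friends. */
    @Bean(name = "expressionHandler")
    public DefaultWebSecurityExpressionHandler webSecurityExpressionHandler() {
        logger.info("DefaultWebSecurityExpressionHandler");
        return new DefaultWebSecurityExpressionHandler();
    }

    /** Expression voter (XML id {@code expressionVoter}) backed by {@link #webSecurityExpressionHandler()}. */
    @Bean(name = "expressionVoter")
    public WebExpressionVoter webExpressionVoter() {
        logger.info("WebExpressionVoter");
        WebExpressionVoter voter = new WebExpressionVoter();
        voter.setExpressionHandler(webSecurityExpressionHandler());
        return voter;
    }
}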