<?xml version="1.0" encoding="UTF-8"?> <beans:beans xmlns="http://www.springframework.org/schema/security" xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd"> <global-method-security pre-post-annotations="enabled" /> <!-- 该路径下的资源不用过滤 --> <http pattern="/images/**" security="none" /> <http pattern="/script/**" security="none" /> <http pattern="/skins/**" security="none" /> <http pattern="/style/**" security="none" /> <!-- 登录页面不过滤 --> <http pattern="/admin/login" security="none" /> <http pattern="/admin/doLogin" security="none" /> <http use-expressions="true" entry-point-ref="authenticationProcessingFilterEntryPoint"> <!-- <remember-me key="mlog_security_cookie" /> --> <session-management invalid-session-url="/admin/login"> <concurrency-control max-sessions="10" error-if-maximum-exceeded="true" /> </session-management> <custom-filter ref="loginFilter" position="FORM_LOGIN_FILTER" /> <custom-filter ref="securityFilter" before="FILTER_SECURITY_INTERCEPTOR" /> <custom-filter ref="logoutFilter" position="LOGOUT_FILTER" /> <custom-filter ref="rememberMeFilter" position="REMEMBER_ME_FILTER"/> </http> <!-- 未登录的切入点 --> <beans:bean id="authenticationProcessingFilterEntryPoint" class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint"> <beans:property name="loginFormUrl" value="/admin/login"></beans:property> </beans:bean> <beans:bean id="userDetailService" class="org.mspring.mlog.web.security.UserDetailServiceImpl" /> <!-- 登录验证器 start--> <beans:bean id="loginFilter" class="org.mspring.mlog.web.security.UsernamePasswordAuthenticationFilter"> <beans:property name="filterProcessesUrl" value="/admin/doSecurity"></beans:property> <beans:property name="authenticationSuccessHandler" ref="loginLogAuthenticationSuccessHandler" /> <beans:property name="authenticationFailureHandler" ref="simpleUrlAuthenticationFailureHandler" /> <beans:property name="authenticationManager" ref="authenticationManager" /> <beans:property name="rememberMeServices" ref="rememberMeServices" /> </beans:bean> <beans:bean id="loginLogAuthenticationSuccessHandler" class="org.mspring.mlog.web.security.LoginAuthenticationSuccesssHandler"> <beans:property name="defaultTargetUrl" value="/admin/index" /> </beans:bean> <beans:bean id="simpleUrlAuthenticationFailureHandler" class="org.mspring.mlog.web.security.LoginAuthenticationFailureHandler"> <beans:property name="defaultFailureUrl" value="/admin/login"></beans:property> </beans:bean> <!-- 登录验证器 end--> <!-- 配置过滤器 start --> <beans:bean id="securityFilter" class="org.mspring.mlog.web.security.SecurityFilter"> <beans:property name="authenticationManager" ref="authenticationManager" /> <beans:property name="accessDecisionManager" ref="accessDecisionManager" /> <beans:property name="securityMetadataSource" ref="securityMetadataSource" /> </beans:bean> <beans:bean id="accessDecisionManager" class="org.mspring.mlog.web.security.AccessDecisionManager" /> <beans:bean id="securityMetadataSource" class="org.mspring.mlog.web.security.SecurityMetadataSource" /> <!-- 配置过滤器 end --> <!-- 注销登录 start --> <beans:bean id="logoutFilter" class="org.mspring.mlog.web.security.LogoutFilter"> <beans:constructor-arg value="/admin/login" /> <beans:constructor-arg> <beans:list> <beans:ref local="rememberMeServices" /> <beans:bean class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler" /> </beans:list> </beans:constructor-arg> <beans:property name="filterProcessesUrl" value="/admin/logout"></beans:property> </beans:bean> <!-- 注销登录 end --> <!-- remember me Configuration start --> <beans:bean id="rememberMeFilter" class="org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter"> <beans:property name="rememberMeServices" ref="rememberMeServices"/> <beans:property name="authenticationManager" ref="authenticationManager" /> </beans:bean> <!-- <beans:bean id="rememberMeServices" class="org.springframework.security.web.authentication.rememberme.TokenBasedRememberMeServices"> --> <beans:bean id="rememberMeServices" class="org.mspring.mlog.web.security.rememberme.TokenBasedRememberMeServices"> <beans:property name="userDetailsService" ref="userDetailService" /> <beans:property name="key" value="mlog_security_cookie" /> <beans:property name="alwaysRemember" value="true"></beans:property> <!-- <beans:property name="tokenValiditySeconds" value="86400"></beans:property> --> <beans:property name="parameter" value="rememberMe"></beans:property> </beans:bean> <beans:bean id="rememberMeAuthenticationProvider" class="org.springframework.security.authentication.RememberMeAuthenticationProvider"> <beans:property name="key" value="mlog_security_cookie" /> </beans:bean> <!-- remember me Configuration end --> <!-- authenticationManager Configuration start --> <beans:bean id="authenticationManager" name="org.springframework.security.authenticationManager" class="org.springframework.security.authentication.ProviderManager"> <beans:property name="providers"> <beans:list> <beans:ref local="daoAuthenticationProvider" /> <beans:ref local="rememberMeAuthenticationProvider"/> </beans:list> </beans:property> </beans:bean> <beans:bean id="daoAuthenticationProvider" class="org.springframework.security.authentication.dao.DaoAuthenticationProvider"> <beans:property name="userDetailsService" ref="userDetailService" /> <beans:property name="passwordEncoder" ref="md5PasswordEncoder" /> </beans:bean> <beans:bean id="md5PasswordEncoder" class="org.springframework.security.authentication.encoding.Md5PasswordEncoder" /> <!-- authenticationManager Configuration end --> </beans:beans>