SpringMVC4零配置--SpringSecurity相关配置【SpringSecurityConfig】 博客分类： SpringSecuritySpring SpringSecurit

SpringMVC4零配置--SpringSecurity相关配置【SpringSecurityConfig】

博客分类：  SpringSecurity Spring

 

 SpringSecurity的配置相对来说有些复杂，如果是完整的bean配置，则需要配置大量的bean，所以xml配置时使用了命名空间来简化配置，同样，spring为我们提供了一个抽象类WebSecurityConfigurerAdapter和一个注解@EnableWebMvcSecurity，达到同样减少bean配置的目的，如下：

 

applicationContext-SpringSecurityConfig.xml

 <http security="none" pattern="/static/**" />
     <http security="none" pattern="/**/*.jsp" />

     <http auto-config='true' access-decision-manager-ref="accessDecisionManager" access-denied-page="/login"
         use-expressions="true">
         <logout logout-url="/logout" invalidate-session="true"
             logout-success-url="/login" />


         <form-login login-page="/login" authentication-failure-url="/login?error=1"
             login-processing-url="/j_spring_security_check" password-parameter="j_password"
             username-parameter="j_username" />


         <intercept-url pattern="/**/*.do*" access="hasRole('ROLE_USER')" />
         <intercept-url pattern="/**/*.htm" access="hasRole('ROLE_ADMIN')" />

         <session-management session-fixation-protection="changeSessionId">
             <concurrency-control max-sessions="1"
                 expired-url="/access/sameLogin.do" />
         session-management>

         <remember-me key="webmvc#FD637E6D9C0F1A5A67082AF56CE32485"
             remember-me-parameter="remember-me" />
     http>


     <beans:bean
         class="org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler"
         id="expressionHandler" />
     <beans:bean
         class="org.springframework.security.web.access.expression.WebExpressionVoter"
         id="expressionVoter">
         <beans:property name="expressionHandler" ref="expressionHandler" />
     beans:bean>


     <beans:bean id="loggerListener"
         class="org.springframework.security.authentication.event.LoggerListener" />
     <beans:bean id="authorizationListener"
         class="org.springframework.security.access.event.LoggerListener" />


     <authentication-manager>
         <authentication-provider user-service-ref="userService">
             <password-encoder hash="md5" />
         authentication-provider>
     authentication-manager>





     <beans:bean id="userService" class="web.security.CP_UserDetailsService" />

     <beans:bean id="accessDecisionManager"
         class="org.springframework.security.access.vote.AffirmativeBased">
         <beans:property name="decisionVoters">
             <beans:list>
                 <beans:bean class="org.springframework.security.access.vote.RoleVoter" />
                 <beans:bean
                     class="org.springframework.security.access.vote.AuthenticatedVoter" />
                 <beans:ref bean="expressionVoter" />
             beans:list>
         beans:property>
     beans:bean>

SpringSecurityConfig.java

 @Configuration
 @EnableWebMvcSecurity
 public class SpringSecurityConfig extends WebSecurityConfigurerAdapter {

     private static final Logger logger = Logger
             .getLogger(SpringSecurityConfig.class);

     @Override
     public void configure(WebSecurity web) throws Exception {
         // 设置不拦截规则
         web.ignoring().antMatchers("/static/**", "/**/*.jsp");

     }

     @Override
     protected void configure(HttpSecurity http) throws Exception {
         // 设置拦截规则
         // 自定义accessDecisionManager访问控制器,并开启表达式语言
         http.authorizeRequests().accessDecisionManager(accessDecisionManager())
                 .expressionHandler(webSecurityExpressionHandler())
                 .antMatchers("/**/*.do*").hasRole("USER")
                 .antMatchers("/**/*.htm").hasRole("ADMIN").and()
                 .exceptionHandling().accessDeniedPage("/login");

         // 开启默认登录页面
         // http.formLogin();

         // 自定义登录页面
         http.csrf().disable().formLogin().loginPage("/login")
                 .failureUrl("/login?error=1")
                 .loginProcessingUrl("/j_spring_security_check")
                 .usernameParameter("j_username")
                 .passwordParameter("j_password").permitAll();

         // 自定义注销
         http.logout().logoutUrl("/logout").logoutSuccessUrl("/login")
                 .invalidateHttpSession(true);

         // session管理
         http.sessionManagement().sessionFixation().changeSessionId()
                 .maximumSessions(1).expiredUrl("/");

         // RemeberMe
         http.rememberMe().key("webmvc#FD637E6D9C0F1A5A67082AF56CE32485");

     }

     @Override
     protected void configure(AuthenticationManagerBuilder auth)
             throws Exception {

         // 自定义UserDetailsService
         auth.userDetailsService(userDetailsService()).passwordEncoder(
                 new Md5PasswordEncoder());

     }

     @Bean
     public CP_UserDetailsService userDetailsService() {
         logger.info("CP_UserDetailsService");
         CP_UserDetailsService userDetailsService = new CP_UserDetailsService();
         return userDetailsService;
     }

     @Bean
     public LoggerListener loggerListener() {
         logger.info("org.springframework.security.authentication.event.LoggerListener");
         LoggerListener loggerListener = new LoggerListener();

         return loggerListener;
     }

     @Bean
     public org.springframework.security.access.event.LoggerListener eventLoggerListener() {
         logger.info("org.springframework.security.access.event.LoggerListener");
         org.springframework.security.access.event.LoggerListener eventLoggerListener = new org.springframework.security.access.event.LoggerListener();

         return eventLoggerListener;
     }

     /*
      *
      * 这里可以增加自定义的投票器
      */
     @SuppressWarnings("rawtypes")
     @Bean(name = "accessDecisionManager")
     public AccessDecisionManager accessDecisionManager() {
         logger.info("AccessDecisionManager");
         List decisionVoters = new ArrayList();
         decisionVoters.add(new RoleVoter());
         decisionVoters.add(new AuthenticatedVoter());
         decisionVoters.add(webExpressionVoter());// 启用表达式投票器

         AffirmativeBased accessDecisionManager = new AffirmativeBased(
                 decisionVoters);

         return accessDecisionManager;
     }

     /*
      * 表达式控制器
      */
     @Bean(name = "expressionHandler")
     public DefaultWebSecurityExpressionHandler webSecurityExpressionHandler() {
         logger.info("DefaultWebSecurityExpressionHandler");
         DefaultWebSecurityExpressionHandler webSecurityExpressionHandler = new DefaultWebSecurityExpressionHandler();
         return webSecurityExpressionHandler;
     }

     /*
      * 表达式投票器
      */
     @Bean(name = "expressionVoter")
     public WebExpressionVoter webExpressionVoter() {
         logger.info("WebExpressionVoter");
         WebExpressionVoter webExpressionVoter = new WebExpressionVoter();
         webExpressionVoter.setExpressionHandler(webSecurityExpressionHandler());
         return webExpressionVoter;
     }

 }