time梦幻_星空
我用的是3.0.5版本，authentication-manager标签里没有erase-credentials="false"的属性，下面附上配置文件，请大神们指点。
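<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
                                 http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                                 http://www.springframework.org/schema/security
                                 http://www.springframework.org/schema/security/spring-security-3.0.xsd">

  <!--
    Spring Security 3.0.x web configuration (spring-security-3.0.xsd).

    Access rules use the legacy attribute syntax (ROLE_*, IS_AUTHENTICATED_*).
    With use-expressions="true" on <http> every access value would instead have to be a
    SpEL expression such as hasRole('ROLE_USER') or isAuthenticated(); the two syntaxes
    cannot be mixed in one <http> block, and an expression under the legacy mode is an
    unknown attribute that every voter abstains on, i.e. the request is denied.
  -->
  <http entry-point-ref="authenticationProcessingFilterEntryPoint"
        auto-config="false"
        access-denied-page="/403.jsp">

    <!-- Resources that bypass the security filter chain entirely. -->
    <intercept-url pattern="/*.css" filters="none" />
    <intercept-url pattern="/error.jsp" filters="none" />
    <intercept-url pattern="/captcha.jsp" filters="none" />
    <intercept-url pattern="/logout.jsp" filters="none" />
    <!-- Redirect targets of the session filters (invalid-session-url / expiredUrl below).
         They are reached with no valid session, so they must bypass the chain; otherwise
         the redirect hits the "/**" rule and the user is bounced to the login page. -->
    <intercept-url pattern="/time_out.jsp" filters="none" />
    <intercept-url pattern="/session-expired.htm" filters="none" />

    <!-- Login page, open to anonymous users. requires-channel="https" would restrict it to TLS. -->
    <intercept-url pattern="/index*.jsp" access="IS_AUTHENTICATED_ANONYMOUSLY" requires-channel="any" />

    <!-- Rules are evaluated top to bottom and the first matching pattern wins, so the
         specific admin rule must come before the catch-all. -->
    <intercept-url pattern="/*role_admin.jsp" access="ROLE_ADMIN" />
    <!-- Everything else requires ROLE_USER. ROLE_ADMIN does not imply ROLE_USER here;
         grant both to admin accounts (or configure a role hierarchy) if admins need these pages. -->
    <intercept-url pattern="/**" access="ROLE_USER" />

    <!-- Page shown after logout; the HTTP session is invalidated. -->
    <logout logout-success-url="/logout.jsp" invalidate-session="true" />

    <!-- Persistent-token remember-me backed by the "dataSource" bean, which is not declared in
         this file (assumed to come from another context file; verify).
         Optional attributes: token-validity-seconds="..." key="..." services-ref="..." -->
    <remember-me data-source-ref="dataSource" />

    <!-- Concurrent-session filter (see the concurrencyFilter bean). -->
    <custom-filter ref="concurrencyFilter" position="CONCURRENT_SESSION_FILTER" />
    <!-- Custom form-login filter (see the loginFilter bean). -->
    <custom-filter ref="loginFilter" position="FORM_LOGIN_FILTER" />
    <!-- Remember-me filter, disabled together with its beans further down
    <custom-filter ref="rememberMeFilter" position="REMEMBER_ME_FILTER"/>
    -->

    <!-- Session management. The 3.0 schema allows at most ONE <session-management> element
         per <http>, so every session attribute lives on this single element.
         Session-fixation protection is not switched off: the "sas" strategy referenced here
         replaces the namespace's default strategy and performs it itself
         (see alwaysCreateSession / migrateSessionAttributes on that bean). -->
    <session-management session-authentication-strategy-ref="sas"
                        session-authentication-error-url="/time_out.jsp"
                        invalid-session-url="/time_out.jsp" />
  </http>

  <!-- Enable JSR-250 annotations (@RolesAllowed etc.) on service methods. -->
  <global-method-security jsr250-annotations="enabled" />

  <!-- Concurrent-session filter: rejects requests whose session the registry has marked as expired. -->
  <beans:bean id="concurrencyFilter"
              class="org.springframework.security.web.session.ConcurrentSessionFilter">
    <beans:property name="sessionRegistry" ref="sessionRegistry" />
    <!-- Redirect target for an expired session; listed with filters="none" in <http>. -->
    <beans:property name="expiredUrl" value="/session-expired.htm" />
  </beans:bean>

  <!-- Session authentication strategy: concurrency control plus session-fixation handling. -->
  <beans:bean id="sas"
              class="org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy">
    <beans:constructor-arg name="sessionRegistry" ref="sessionRegistry" />
    <!-- false: a new login expires the previous session of the same user;
         true: the new login is rejected while the limit is exceeded. -->
    <beans:property name="exceptionIfMaximumExceeded" value="false" />
    <!-- Maximum concurrent sessions per user. -->
    <beans:property name="maximumSessions" value="1" />
    <!-- Session-fixation handling: create a session on login even if the request had none ... -->
    <beans:property name="alwaysCreateSession" value="true" />
    <!-- ... and do not carry attributes of the pre-login session over into the new one. -->
    <beans:property name="migrateSessionAttributes" value="false" />
  </beans:bean>
  <beans:bean id="sessionRegistry"
              class="org.springframework.security.core.session.SessionRegistryImpl" />

  <!-- Custom form-login filter (project class). -->
  <beans:bean id="loginFilter"
              class="filter.UsernamePasswordAuthenticationExtendFilter">
    <beans:property name="authenticationManager" ref="authenticationManager" />
    <!-- URL the filter intercepts; the login form must submit here. -->
    <beans:property name="filterProcessesUrl" value="/login" />
    <!-- Request parameter names carrying the credentials. -->
    <beans:property name="usernameParameter" value="username" />
    <beans:property name="passwordParameter" value="password" />
    <beans:property name="authenticationSuccessHandler" ref="loginLogAuthenticationSuccessHandler" />
    <beans:property name="authenticationFailureHandler" ref="simpleUrlAuthenticationFailureHandler" />
    <!-- Same strategy as <session-management>, so the concurrency limit is applied at login. -->
    <beans:property name="sessionAuthenticationStrategy" ref="sas" />
    <!-- Disabled with the remember-me beans below
    <beans:property name="rememberMeServices" ref="rememberMeServices"/>
    -->
  </beans:bean>

  <!-- On success: return to the originally requested page, else /welcome.jsp. -->
  <beans:bean id="loginLogAuthenticationSuccessHandler"
              class="org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler">
    <beans:property name="defaultTargetUrl" value="/welcome.jsp" />
  </beans:bean>
  <!-- On failure: redirect back to the login page with an error flag
       (set useForward="true" to forward instead of redirecting). -->
  <beans:bean id="simpleUrlAuthenticationFailureHandler"
              class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
    <beans:property name="defaultFailureUrl" value="/index.jsp?error=true" />
  </beans:bean>

  <!-- Remember-me filter, services and provider (disabled). The author reported that neither
       the project class filter.IPTokenBasedRememberMeServices nor the stock implementation
       worked for them. XML comments cannot nest: keep this whole block as ONE comment with no
       inner comment markers, otherwise the file is not well-formed and fails to load.
       Before re-enabling, replace the example key "springRocks" with a long random secret;
       the key signs the remember-me cookie.
  <beans:bean id="rememberMeFilter" class="org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter">
    <beans:property name="rememberMeServices" ref="rememberMeServices"/>
    <beans:property name="authenticationManager" ref="authenticationManager"/>
  </beans:bean>
  <beans:bean id="rememberMeServices" class="filter.IPTokenBasedRememberMeServices">
    <beans:property name="userDetailsService" ref="myUserDetailService"/>
    <beans:property name="key" value="springRocks"/>
    <beans:property name="cookieName" value="springRocks"/>
    <beans:property name="parameter" value="_spring_security_remember_me"/>
  </beans:bean>
  <beans:bean id="rememberMeAuthenticationProvider" class="org.springframework.security.authentication.RememberMeAuthenticationProvider">
    <beans:property name="key" value="springRocks"/>
  </beans:bean>
  -->

  <!-- Authentication manager. The 3.0 schema has no erase-credentials attribute on this element
       (it was added in a later release); the ProviderManager built here erases the credentials
       from the Authentication after a successful login by default. If the password must remain
       available afterwards on 3.0.x, declare ProviderManager as an explicit bean with the
       eraseCredentialsAfterAuthentication property set to false instead of using this element
       (verify against the ProviderManager version in use).
       No <password-encoder> child is configured, so the provider compares the stored password
       verbatim; add one if the user store holds hashed passwords. -->
  <authentication-manager alias="authenticationManager">
    <authentication-provider user-service-ref="myUserDetailService" />
  </authentication-manager>

  <!-- Project UserDetailsService backing the authentication provider above. -->
  <beans:bean id="myUserDetailService" class="filter.MyUserDetailService" />

  <!-- Entry point for unauthenticated requests: redirect to the login page. -->
  <beans:bean id="authenticationProcessingFilterEntryPoint"
              class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
    <beans:property name="loginFormUrl" value="/index.jsp" />
  </beans:bean>
</beans:beans>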
2014年10月10日 01点10分
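<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
                                 http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                                 http://www.springframework.org/schema/security
                                 http://www.springframework.org/schema/security/spring-security-3.0.xsd">

  <!--
    Spring Security 3.0.x web configuration (spring-security-3.0.xsd).

    Access rules use the legacy attribute syntax (ROLE_*, IS_AUTHENTICATED_*).
    With use-expressions="true" on <http> every access value would instead have to be a
    SpEL expression such as hasRole('ROLE_USER') or isAuthenticated(); the two syntaxes
    cannot be mixed in one <http> block, and an expression under the legacy mode is an
    unknown attribute that every voter abstains on, i.e. the request is denied.
  -->
  <http entry-point-ref="authenticationProcessingFilterEntryPoint"
        auto-config="false"
        access-denied-page="/403.jsp">

    <!-- Resources that bypass the security filter chain entirely. -->
    <intercept-url pattern="/*.css" filters="none" />
    <intercept-url pattern="/error.jsp" filters="none" />
    <intercept-url pattern="/captcha.jsp" filters="none" />
    <intercept-url pattern="/logout.jsp" filters="none" />
    <!-- Redirect targets of the session filters (invalid-session-url / expiredUrl below).
         They are reached with no valid session, so they must bypass the chain; otherwise
         the redirect hits the "/**" rule and the user is bounced to the login page. -->
    <intercept-url pattern="/time_out.jsp" filters="none" />
    <intercept-url pattern="/session-expired.htm" filters="none" />

    <!-- Login page, open to anonymous users. requires-channel="https" would restrict it to TLS. -->
    <intercept-url pattern="/index*.jsp" access="IS_AUTHENTICATED_ANONYMOUSLY" requires-channel="any" />

    <!-- Rules are evaluated top to bottom and the first matching pattern wins, so the
         specific admin rule must come before the catch-all. -->
    <intercept-url pattern="/*role_admin.jsp" access="ROLE_ADMIN" />
    <!-- Everything else requires ROLE_USER. ROLE_ADMIN does not imply ROLE_USER here;
         grant both to admin accounts (or configure a role hierarchy) if admins need these pages. -->
    <intercept-url pattern="/**" access="ROLE_USER" />

    <!-- Page shown after logout; the HTTP session is invalidated. -->
    <logout logout-success-url="/logout.jsp" invalidate-session="true" />

    <!-- Persistent-token remember-me backed by the "dataSource" bean, which is not declared in
         this file (assumed to come from another context file; verify).
         Optional attributes: token-validity-seconds="..." key="..." services-ref="..." -->
    <remember-me data-source-ref="dataSource" />

    <!-- Concurrent-session filter (see the concurrencyFilter bean). -->
    <custom-filter ref="concurrencyFilter" position="CONCURRENT_SESSION_FILTER" />
    <!-- Custom form-login filter (see the loginFilter bean). -->
    <custom-filter ref="loginFilter" position="FORM_LOGIN_FILTER" />
    <!-- Remember-me filter, disabled together with its beans further down
    <custom-filter ref="rememberMeFilter" position="REMEMBER_ME_FILTER"/>
    -->

    <!-- Session management. The 3.0 schema allows at most ONE <session-management> element
         per <http>, so every session attribute lives on this single element.
         Session-fixation protection is not switched off: the "sas" strategy referenced here
         replaces the namespace's default strategy and performs it itself
         (see alwaysCreateSession / migrateSessionAttributes on that bean). -->
    <session-management session-authentication-strategy-ref="sas"
                        session-authentication-error-url="/time_out.jsp"
                        invalid-session-url="/time_out.jsp" />
  </http>

  <!-- Enable JSR-250 annotations (@RolesAllowed etc.) on service methods. -->
  <global-method-security jsr250-annotations="enabled" />

  <!-- Concurrent-session filter: rejects requests whose session the registry has marked as expired. -->
  <beans:bean id="concurrencyFilter"
              class="org.springframework.security.web.session.ConcurrentSessionFilter">
    <beans:property name="sessionRegistry" ref="sessionRegistry" />
    <!-- Redirect target for an expired session; listed with filters="none" in <http>. -->
    <beans:property name="expiredUrl" value="/session-expired.htm" />
  </beans:bean>

  <!-- Session authentication strategy: concurrency control plus session-fixation handling. -->
  <beans:bean id="sas"
              class="org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy">
    <beans:constructor-arg name="sessionRegistry" ref="sessionRegistry" />
    <!-- false: a new login expires the previous session of the same user;
         true: the new login is rejected while the limit is exceeded. -->
    <beans:property name="exceptionIfMaximumExceeded" value="false" />
    <!-- Maximum concurrent sessions per user. -->
    <beans:property name="maximumSessions" value="1" />
    <!-- Session-fixation handling: create a session on login even if the request had none ... -->
    <beans:property name="alwaysCreateSession" value="true" />
    <!-- ... and do not carry attributes of the pre-login session over into the new one. -->
    <beans:property name="migrateSessionAttributes" value="false" />
  </beans:bean>
  <beans:bean id="sessionRegistry"
              class="org.springframework.security.core.session.SessionRegistryImpl" />

  <!-- Custom form-login filter (project class). -->
  <beans:bean id="loginFilter"
              class="filter.UsernamePasswordAuthenticationExtendFilter">
    <beans:property name="authenticationManager" ref="authenticationManager" />
    <!-- URL the filter intercepts; the login form must submit here. -->
    <beans:property name="filterProcessesUrl" value="/login" />
    <!-- Request parameter names carrying the credentials. -->
    <beans:property name="usernameParameter" value="username" />
    <beans:property name="passwordParameter" value="password" />
    <beans:property name="authenticationSuccessHandler" ref="loginLogAuthenticationSuccessHandler" />
    <beans:property name="authenticationFailureHandler" ref="simpleUrlAuthenticationFailureHandler" />
    <!-- Same strategy as <session-management>, so the concurrency limit is applied at login. -->
    <beans:property name="sessionAuthenticationStrategy" ref="sas" />
    <!-- Disabled with the remember-me beans below
    <beans:property name="rememberMeServices" ref="rememberMeServices"/>
    -->
  </beans:bean>

  <!-- On success: return to the originally requested page, else /welcome.jsp. -->
  <beans:bean id="loginLogAuthenticationSuccessHandler"
              class="org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler">
    <beans:property name="defaultTargetUrl" value="/welcome.jsp" />
  </beans:bean>
  <!-- On failure: redirect back to the login page with an error flag
       (set useForward="true" to forward instead of redirecting). -->
  <beans:bean id="simpleUrlAuthenticationFailureHandler"
              class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
    <beans:property name="defaultFailureUrl" value="/index.jsp?error=true" />
  </beans:bean>

  <!-- Remember-me filter, services and provider (disabled). The author reported that neither
       the project class filter.IPTokenBasedRememberMeServices nor the stock implementation
       worked for them. XML comments cannot nest: keep this whole block as ONE comment with no
       inner comment markers, otherwise the file is not well-formed and fails to load.
       Before re-enabling, replace the example key "springRocks" with a long random secret;
       the key signs the remember-me cookie.
  <beans:bean id="rememberMeFilter" class="org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter">
    <beans:property name="rememberMeServices" ref="rememberMeServices"/>
    <beans:property name="authenticationManager" ref="authenticationManager"/>
  </beans:bean>
  <beans:bean id="rememberMeServices" class="filter.IPTokenBasedRememberMeServices">
    <beans:property name="userDetailsService" ref="myUserDetailService"/>
    <beans:property name="key" value="springRocks"/>
    <beans:property name="cookieName" value="springRocks"/>
    <beans:property name="parameter" value="_spring_security_remember_me"/>
  </beans:bean>
  <beans:bean id="rememberMeAuthenticationProvider" class="org.springframework.security.authentication.RememberMeAuthenticationProvider">
    <beans:property name="key" value="springRocks"/>
  </beans:bean>
  -->

  <!-- Authentication manager. The 3.0 schema has no erase-credentials attribute on this element
       (it was added in a later release); the ProviderManager built here erases the credentials
       from the Authentication after a successful login by default. If the password must remain
       available afterwards on 3.0.x, declare ProviderManager as an explicit bean with the
       eraseCredentialsAfterAuthentication property set to false instead of using this element
       (verify against the ProviderManager version in use).
       No <password-encoder> child is configured, so the provider compares the stored password
       verbatim; add one if the user store holds hashed passwords. -->
  <authentication-manager alias="authenticationManager">
    <authentication-provider user-service-ref="myUserDetailService" />
  </authentication-manager>

  <!-- Project UserDetailsService backing the authentication provider above. -->
  <beans:bean id="myUserDetailService" class="filter.MyUserDetailService" />

  <!-- Entry point for unauthenticated requests: redirect to the login page. -->
  <beans:bean id="authenticationProcessingFilterEntryPoint"
              class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
    <beans:property name="loginFormUrl" value="/index.jsp" />
  </beans:bean>
</beans:beans>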