spring_security: applying permissions
The web.xml configuration looks like this:

<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
A typical configuration in spring-security.xml:

<!-- Configure the URLs matched for admin users, the login page and the required authorities, and reference the adminAuthManager authentication manager -->
<http auto-config="true" pattern="/admin/**" use-expressions="true"
      authentication-manager-ref="adminAuthManager">
    <form-login login-processing-url="/admin/j_spring_security_check"
                login-page="/admin_login.html"
                authentication-failure-url="/common/login/usernameCheckFailed"
                default-target-url="/admin/login/adminCheckSuccess"
                always-use-default-target="true"/>
    <!-- <logout logout-url="/module/j_spring_security_logout" logout-success-url="/" /> -->
    <!-- Custom logout filter -->
    <custom-filter ref="userLogoutFilter" position="LOGOUT_FILTER" />
    <intercept-url pattern="/admin/department/**" access="hasRole('ROLE_ADMIN_DEPARTMENT')" />
    <intercept-url pattern="/admin/processdefinition/**" access="hasRole('ROLE_ADMIN_PROCESSDEFINITION')" />
    <intercept-url pattern="/admin/roleManage/**" access="hasRole('ROLE_ADMIN_ROLEMANAGE')" />
    <intercept-url pattern="/admin/moduleManage/**" access="hasRole('ROLE_ADMIN_MODULEMANAGE')" />
    <intercept-url pattern="/admin/parentModuleManage/**" access="hasRole('ROLE_ADMIN_PARENTMODULEMANAGE')" />
    <intercept-url pattern="/admin/manageUserAccount/**" access="hasRole('ROLE_ADMIN_MANAGEUSERACCOUNT')" />
    <intercept-url pattern="/admin/**" access="hasRole('ROLE_ADMIN')" />
</http>

<!-- Resources that need no authentication; configured this way only since 3.0 -->
<!-- <http security="none" pattern="/**/index" /> -->
<http security="none" pattern="/**/*login.html" />
<http security="none" pattern="/**/*.jpg" />
<http security="none" pattern="/**/*.png" />
<http security="none" pattern="/**/*.gif" />
<http security="none" pattern="/**/*.css" />
<http security="none" pattern="/**/*.js" />
<http security="none" pattern="/*.ico" />
<http security="none" pattern="/*.jpg" />

<!-- Authentication manager bean for back-office admin users -->
<authentication-manager id="adminAuthManager">
    <authentication-provider user-service-ref="adminDetailService">
        <password-encoder hash="md5"></password-encoder>
    </authentication-provider>
</authentication-manager>

<!-- Logout filter configuration for ordinary users -->
<beans:bean id="userLogoutFilter" class="com.bluedon.cb.util.filter.UserLogoutFilter">
    <!-- Virtual URL that handles logout -->
    <beans:property name="filterProcessesUrl" value="/module/logout" />
    <!-- Default URL shown after a successful logout -->
    <beans:constructor-arg index="0" value="/" />
    <beans:constructor-arg index="1">
        <!-- List of handlers run on logout -->
        <beans:array>
            <!-- Developer-defined logout handler -->
            <beans:bean id="userLogoutSuccessHandler" class="com.bluedon.cb.util.filter.UserLogoutHandler" />
        </beans:array>
    </beans:constructor-arg>
</beans:bean>

Notes:
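lowercase-comparisons: URLs are converted to lowercase before they are compared.
path-type: use Apache Ant-style pattern matching.
access-denied-page: the page to redirect to when access is denied.
access-decision-manager-ref: specifies a custom access decision manager. A custom one is needed when the system's role names do not start with the default ROLE_ prefix.
login-page: specifies the login page.
login-processing-url: the URL requested when the user presses the Sign In button on the login page. It must match the action of the login form. Default: /j_spring_security_check.
authentication-failure-url: the page to redirect to when authentication fails.
default-target-url: the page shown to the user by default after successful authentication and authorization.
always-use-default-target: whether to always redirect to the URL given by default-target-url after successful authentication.
logout-url: the URL that handles logout requests. Default: /j_spring_security_logout.
logout-success-url: the URL to redirect to after logging out.
invalidate-session: whether to destroy the Session on logout.
max-sessions: the number of times a user account may be logged in at once. The example limits a user to a single login.
exception-if-maximum-exceeded: defaults to false, which means that when the user logs in a second time, the information from the previous login is cleared. When exception-if-maximum-exceeded="true", the system rejects the second login.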
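An added example, not part of the original post: the single-login limit that the max-sessions and exception-if-maximum-exceeded notes describe, together with a bcrypt encoder in place of the unsalted hash="md5" used by adminAuthManager, written for the Spring Security 3.1+ namespace that the configuration above uses. Assumptions: in that namespace the concurrency attribute is named error-if-maximum-exceeded, the bean id bcryptEncoder is made up here, and stored MD5 password hashes have to be re-hashed before the encoder is switched.

```xml
<!-- web.xml: publishes session-destroyed events to Spring Security, so a
     logged-out or expired session releases the account's single slot -->
<listener>
    <listener-class>org.springframework.security.web.session.HttpSessionEventPublisher</listener-class>
</listener>

<!-- spring-security.xml: place inside the <http pattern="/admin/**" ...> element -->
<session-management>
    <!-- max-sessions="1": one concurrent login per account.
         error-if-maximum-exceeded="true": the second login is rejected;
         with "false" (the default) the earlier session is expired instead -->
    <concurrency-control max-sessions="1" error-if-maximum-exceeded="true" />
</session-management>

<!-- spring-security.xml: replaces the md5 encoder of adminAuthManager.
     "bcryptEncoder" is a hypothetical bean id chosen for this example -->
<beans:bean id="bcryptEncoder"
            class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder" />

<authentication-manager id="adminAuthManager">
    <authentication-provider user-service-ref="adminDetailService">
        <!-- bcrypt generates a per-password salt and is deliberately slow to
             compute; adminDetailService must then return bcrypt hashes -->
        <password-encoder ref="bcryptEncoder" />
    </authentication-provider>
</authentication-manager>
```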
Below is the session handling for user logout in Spring Security (optional):
package com.bluedon.cb.util.filter;

import org.springframework.security.web.authentication.logout.LogoutFilter;
import org.springframework.security.web.authentication.logout.LogoutHandler;
import org.springframework.security.web.authentication.logout.LogoutSuccessHandler;

/**
 * Description: logout filter
 * Time: 2 March 2016, 5:38:04 PM
 * @version 1.0
 * @since 1.0
 */
public class UserLogoutFilter extends LogoutFilter {

    public UserLogoutFilter(String logoutSuccessUrl, LogoutHandler[] handlers) {
        super(logoutSuccessUrl, handlers);
    }

    public UserLogoutFilter(LogoutSuccessHandler logoutSuccessHandler, LogoutHandler[] handlers) {
        super(logoutSuccessHandler, handlers);
    }
}

package com.bluedon.cb.util.filter;

import java.util.Date;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.BeansException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.logout.LogoutHandler;

import com.bluedon.cb.common.entity.LoginLog;
import com.bluedon.cb.common.service.CommonLogService;
import com.bluedon.cb.util.SpringContextUtil;
import com.bluedon.cb.util.constants.Constants;

/**
 * Description: logout success handler
 * Time: 2 March 2016, 5:38:29 PM
 * @version 1.0
 * @since 1.0
 */
public class UserLogoutHandler implements LogoutHandler {

    private Logger log = LoggerFactory.getLogger(UserLogoutHandler.class);

    public UserLogoutHandler() {
    }

    @Override
    public void logout(HttpServletRequest req, HttpServletResponse arg1, Authentication arg2) {
        // modify by qinguidong: try/catch added so that a timed-out session, where the
        // retrieved loginLog is null, does not raise an error that keeps the user from
        // returning to the login page
        try {
            // getSession(false): do not create a fresh session when the old one has expired
            HttpSession session = req.getSession(false);
            LoginLog loginLog = null;
            if (session != null) {
                loginLog = (LoginLog) session.getAttribute(Constants.LOGIN_LOG);
                // clear the session
                session.invalidate();
            }
            SecurityContextHolder.clearContext();

            // catching BeansException does not cover a NullPointerException,
            // so the timed-out case is checked explicitly
            if (loginLog == null) {
                return;
            }

            CommonLogService commonLogService =
                    (CommonLogService) SpringContextUtil.getBean("commonLogServiceImpl");
            loginLog.setLoloLogoutDate(new Date()); // logout time
            // persist to the database
            int count = commonLogService.updateLoginLog(loginLog);
            if (count != Constants.SUCCESS) {
                log.error("記錄登錄日志失敗了:" + loginLog.getLoloUsroName());
            }
        } catch (BeansException e) {
            log.error("commonLogServiceImpl bean lookup failed", e);
        }
    }
}
Reposted from: https://my.oschina.net/u/920528/blog/692824