项目中准备用spring security,根据网上搜索的资料做了一个demo,但是测试结果是不用登陆也能正常任意访问,请各位帮忙看下哪里有问题,谢谢。
以下是配置文件:
web.xml
[code="java"]<!DOCTYPE web-app PUBLIC
"-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
"http://java.sun.com/dtd/web-app_2_3.dtd" >
xmlns="http://java.sun.com/xml/ns/j2ee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_5.xsd">
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>classpath*:/applicationContext.xml,classpath*:/spring-security.xml</param-value>
</context-param>
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<filter>
<filter-name>encodingFilter</filter-name>
<filter-class>org.springframework.web.filter.CharacterEncodingFilter</filter-class>
<init-param>
<param-name>encoding</param-name>
<param-value>UTF-8</param-value>
</init-param>
<init-param>
<param-name>forceEncoding</param-name>
<param-value>true</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>encodingFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<!-- Spring Security Filter -->
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter>
<filter-name>struts2</filter-name>
<filter-class>org.apache.struts2.dispatcher.ng.filter.StrutsPrepareAndExecuteFilter</filter-class>
<!-- <init-param>
<param-name>struts.i18n.encoding</param-name>
<param-value>GBK</param-value>
</init-param> -->
</filter>
<filter-mapping>
<filter-name>struts2</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<session-config>
<session-timeout>30</session-timeout>
</session-config>
[/code]
spring-security.xml
[code="java"]<?xml version="1.0" encoding="UTF-8"?>
xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.0.xsd">
beans:descriptionSpring Security安全配置/beans:description
<http auto-config="true">
<form-login login-page="/login.htm"
authentication-failure-url="/login.htm?error=1" authentication-success-handler-ref="customAuthenticationSuccessHandler" />
<logout logout-success-url="/index.htm" />
<remember-me key="oms123456789" token-validity-seconds="1209600"/>
<access-denied-handler ref="accessDeniedHandler" />
<custom-filter ref="CustomFilterSecurityInterceptorImpl" before="FILTER_SECURITY_INTERCEPTOR" />
<http-basic />
</http>
<!-- 登录成功后 操作类-->
<beans:bean id="customAuthenticationSuccessHandler" class="com.ule.oms.user.security.CustomAuthenticationSuccessHandler" >
<beans:constructor-arg value="/index.htm" />
<beans:property name="customAlwaysUseDefTargUrl" value="false"/>
</beans:bean>
<!-- 拒绝访问操作类 -->
<beans:bean id="accessDeniedHandler" class="com.ule.oms.user.security.CustomAccessDeniedHandler" >
<beans:property name="errorPage" value="/denied.htm"/>
</beans:bean>
<!-- 一个自定义的filter,必须包含authenticationManager,accessDecisionManager,securityMetadataSource三个属性。 -->
<beans:bean id="CustomFilterSecurityInterceptorImpl" class="com.ule.oms.user.security.CustomFilterSecurityInterceptorImpl">
<beans:property name="authenticationManager" ref="autheticationManager" /><!-- 登陆的认证 -->
<beans:property name="accessDecisionManager" ref="customAccessDecisionManager" /><!-- 资源访问决策 -->
<beans:property name="securityMetadataSource" ref="customSecurityMetadataSource" /><!-- 资源和权限列表 -->
</beans:bean>
<authentication-manager alias="autheticationManager">
<authentication-provider user-service-ref="userDetailsServiceImpl">
</authentication-provider>
</authentication-manager>
/beans:beans [/code]
不胜感激。