
spring security2中对method进行拦截的配置

1、配置web.xml文件:

<!-- Tells the ContextLoaderListener (below) which file holds the Spring Security bean
     definitions; the value must match the name of the spring-security.xml shown later. -->
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>/WEB-INF/spring-security.xml</param-value>
</context-param>

<!-- Spring Security filter chain proxy. DelegatingFilterProxy hands every request to the
     Spring bean whose name equals this filter-name, so "springSecurityFilterChain" must not
     be renamed; the bean itself is created by the <http> element in spring-security.xml
     (without <http> the "springSecurityFilterChain not found" error mentioned at the end
     of this page appears). -->
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>
org.springframework.web.filter.DelegatingFilterProxy
</filter-class>
</filter>
<!-- /* routes every request through the security filters; URL-level exemptions are then
     expressed with intercept-url in spring-security.xml, not here. -->
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>

<!-- Bootstraps the root Spring ApplicationContext from contextConfigLocation at startup. -->
<listener>
<listener-class>
org.springframework.web.context.ContextLoaderListener
</listener-class>
</listener>


2、配置spring-security.xml(该文件名字与web.xml中的<context-param />中的相对应) :

method拦截有三种配置方式:

第一种方式是在java代码中添加注解@Secured({"ROLE_SUPER"})、在spring-security.xml中添加<global-method-security secured-annotations="enabled"></global-method-security>,具体配置如下:

spring-security.xml

<?xml version="1.0" encoding="UTF-8"?>
<!-- Method 1: the role checks come from @Secured annotations on the service methods
     (see CategoryServiceImpl on this page); this file only switches annotation processing on. -->
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.4.xsd"> 
<!-- Honour @Secured({"ROLE_..."}) on Spring-managed beans: the method is only invoked when the
     caller holds one of the listed roles. Only beans created by this context are proxied;
     an object instantiated with "new" (such as the DAO inside CategoryServiceImpl) is not
     intercepted. -->
<global-method-security secured-annotations="enabled"></global-method-security>

<!-- auto-config="true" registers the default form-login, HTTP Basic, anonymous and logout
     support and creates the "springSecurityFilterChain" bean that web.xml delegates to. -->
<http auto-config="true">
<!-- filters="none" bypasses the whole security filter chain for this URL, so the login page
     itself is reachable by anyone (and is also outside session control). -->
<intercept-url pattern="/login.jsp" filters="none" />
<!-- Rules are evaluated top to bottom and the first matching pattern wins; "access" lists the
     roles, any one of which is sufficient. A single "*" does not cross a "/", so /a/aa/x is
     matched by the /a/aa/* rule rather than by /a/*.
     NOTE(review): there is no catch-all rule (e.g. pattern="/**"), so any URL outside these
     four patterns is served without an access check; confirm that is intended. -->
<intercept-url pattern="/a/*"
access="ROLE_A,ROLE_ADMIN,ROLE_SUPER" />
<intercept-url pattern="/a/aa/*"
access="ROLE_AA,ROLE_ADMIN,ROLE_SUPER" />
<intercept-url pattern="/b/*"
access="ROLE_B,ROLE_ADMIN,ROLE_SUPER" />
<intercept-url pattern="/b/bb/*"
access="ROLE_BB,ROLE_ADMIN,ROLE_SUPER" />
<!-- Login page; unauthenticated requests to a protected URL are redirected here. -->
<form-login login-page="/login.jsp" />
<!-- Page shown after logout (the logout URL itself is the framework default,
     /j_spring_security_logout). -->
<logout logout-success-url="/index.jsp"></logout>
<!-- Each user may have at most one active session; a second login expires the earlier
     session unless exception-if-maximum-exceeded is set. -->
<concurrent-session-control max-sessions="1" />
</http>
<!-- In-memory authentication provider holding the demo accounts. -->
<authentication-provider>
<!-- hash="plaintext": passwords are stored and compared in clear. Acceptable only for a demo;
     a real deployment should use a hashing encoder (e.g. hash="sha" with a salt-source) and
     keep accounts in a database (jdbc-user-service) rather than in this file. -->
<password-encoder hash="plaintext"></password-encoder>
<user-service>
<!-- Each account holds exactly one role. "super" and "admin" reach /a/* and /b/* only
     because the intercept-url rules above list ROLE_ADMIN and ROLE_SUPER explicitly. -->
<user password="super" name="super"
authorities="ROLE_SUPER" />
<user password="admin" name="admin"
authorities="ROLE_ADMIN" />
<user password="a" name="a" authorities="ROLE_A" />
<user password="b" name="b" authorities="ROLE_B" />
<user password="aa" name="aa" authorities="ROLE_AA" />
<user password="bb" name="bb" authorities="ROLE_BB" />
</user-service>
</authentication-provider>
</beans:beans>


@Secured({"ROLE_SUPER"})注解中Secured是注解的名称,括号中是可以访问该方法的角色,用大括号括起来,多个角色用分号分割。可以加在service中也可以加在dao中,可以加在接口中也可以加在接口的实现中,此处是加在service接口的实现中。

CategoryServiceImpl.java

package com.king.springsecurity.service.impl;

import java.util.List;

import org.springframework.security.annotation.Secured;

import com.king.springsecurity.dao.ICategoryDao;
import com.king.springsecurity.dao.impl.CategoryDaoImpl;
import com.king.springsecurity.model.Category;
import com.king.springsecurity.service.ICategoryService;

public class CategoryServiceImpl implements ICategoryService {

    /**
     * DAO every operation delegates to. Defaults to a directly constructed
     * CategoryDaoImpl; when this class is declared as a Spring bean the XML
     * configuration replaces it through {@link #setCategoryDao(ICategoryDao)}.
     */
    private ICategoryDao dao = new CategoryDaoImpl();

    /**
     * Injection point for the DAO (the "categoryDao" property of the bean
     * definition).
     *
     * @param categoryDao the DAO to delegate to
     */
    public void setCategoryDao(ICategoryDao categoryDao) {
        this.dao = categoryDao;
    }

    /**
     * Stores a new category. Carries no annotation, so no role is required at
     * the method level.
     *
     * @param category the category to persist
     */
    @Override
    public void addCategory(Category category) {
        dao.saveCateogry(category);
    }

    /**
     * Deletes a category. Restricted to callers holding ROLE_SUPER; the check
     * is applied by the proxy that global-method-security places around this
     * bean, so it only takes effect when the instance is Spring-managed.
     * Several roles would be listed as comma-separated string elements, e.g.
     * {@code @Secured({"ROLE_SUPER", "ROLE_ADMIN"})}.
     *
     * @param id identifier of the category to delete
     */
    @Override
    @Secured({"ROLE_SUPER"})
    public void deleteCategoryById(long id) {
        dao.deleteCategoryById(id);
    }

    /**
     * Looks a category up by its identifier; no role required.
     *
     * @param id identifier of the category
     * @return the category returned by the DAO
     */
    @Override
    public Category getCategoryById(long id) {
        return dao.getCategoryById(id);
    }

    /**
     * Returns every category; restricted to callers holding ROLE_ADMIN.
     *
     * @return the list returned by the DAO
     */
    @Override
    @Secured({"ROLE_ADMIN"})
    public List<Category> listCategory() {
        return dao.getAllCategory();
    }
}


第二种方法是不需要在代码中添加注解,只需在spring-security.xml中添加pointcut,利用表达式和通配符指定要拦截的类及方法:

spring-security.xml

<?xml version="1.0" encoding="UTF-8"?>
<!-- Method 2: methods are protected by AspectJ pointcut expressions declared here, so the
     Java code needs no annotation. secured-annotations stays enabled, so any @Secured
     annotation that is still present applies as well. -->
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.4.xsd"> 
<global-method-security secured-annotations="enabled">
<!-- A protect-pointcut selects methods by AspectJ expression; wildcards are allowed.
     execution(* Type.delete*(..)) means: any delete* method of Type, any return type, any
     parameters. The first pointcut names the implementation class, the second the interface;
     either way only Spring-managed beans of that type are proxied and checked.
     The "......" line below is the author's ellipsis for further pointcuts, not configuration. -->
<protect-pointcut
expression="execution(* com.king.springsecurity.service.impl.CategoryServiceImpl.delete*(..))"
access="ROLE_SUPER" />

<protect-pointcut
expression="execution(* com.king.springsecurity.service.ICategoryService.list*(..))"
access="ROLE_ADMIN" />
......
</global-method-security>

<!-- auto-config="true" registers the default form-login, HTTP Basic, anonymous and logout
     support and creates the "springSecurityFilterChain" bean that web.xml delegates to. -->
<http auto-config="true">
<!-- filters="none" bypasses the whole security filter chain for this URL, so the login page
     itself is reachable by anyone. -->
<intercept-url pattern="/login.jsp" filters="none" />
<!-- Rules are evaluated top to bottom and the first matching pattern wins; "access" lists the
     roles, any one of which is sufficient.
     NOTE(review): no catch-all rule (e.g. pattern="/**"), so URLs outside these four patterns
     are served without an access check; confirm that is intended. -->
<intercept-url pattern="/a/*"
access="ROLE_A,ROLE_ADMIN,ROLE_SUPER" />
<intercept-url pattern="/a/aa/*"
access="ROLE_AA,ROLE_ADMIN,ROLE_SUPER" />
<intercept-url pattern="/b/*"
access="ROLE_B,ROLE_ADMIN,ROLE_SUPER" />
<intercept-url pattern="/b/bb/*"
access="ROLE_BB,ROLE_ADMIN,ROLE_SUPER" />
<!-- Login page; unauthenticated requests to a protected URL are redirected here. -->
<form-login login-page="/login.jsp" />
<!-- Page shown after logout. -->
<logout logout-success-url="/index.jsp"></logout>
<!-- Each user may have at most one active session. -->
<concurrent-session-control max-sessions="1" />
</http>
<!-- In-memory authentication provider holding the demo accounts. -->
<authentication-provider>
<!-- hash="plaintext": passwords are stored and compared in clear. Acceptable only for a demo;
     use a hashing encoder (e.g. hash="sha" with a salt-source) and a jdbc-user-service in
     any real deployment. -->
<password-encoder hash="plaintext"></password-encoder>
<user-service>
<!-- Each account holds exactly one role; with the pointcuts above only "super" may call
     delete* and only "admin" may call list*. -->
<user password="super" name="super"
authorities="ROLE_SUPER" />
<user password="admin" name="admin"
authorities="ROLE_ADMIN" />
<user password="a" name="a" authorities="ROLE_A" />
<user password="b" name="b" authorities="ROLE_B" />
<user password="aa" name="aa" authorities="ROLE_AA" />
<user password="bb" name="bb" authorities="ROLE_BB" />
</user-service>
</authentication-provider>
</beans:beans>


第三种方法是直接在要拦截的bean定义中添加<intercept-methods />对指定方法进行拦截,可以使用通配符:

<?xml version="1.0" encoding="UTF-8"?>
<!-- Method 3: interception is declared inside the bean definition itself with
     <intercept-methods>; no global-method-security element is needed for it. This file also
     wires the data source, Hibernate session factory, DAO, service and action beans. -->
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.4.xsd"> 
<!-- JDBC data source for the MySQL "springsecurity" database.
     NOTE(review): the database credentials (root/root) are hard-coded in the same file as the
     security configuration; move them to an external property source and use a dedicated,
     least-privilege database account instead of root. -->
<beans:bean id="dataSource"
class="org.springframework.jdbc.datasource.DriverManagerDataSource">
<beans:property name="driverClassName">
<beans:value>com.mysql.jdbc.Driver</beans:value>
</beans:property>
<beans:property name="url">
<beans:value>
jdbc:mysql://localhost:3306/springsecurity
</beans:value>
</beans:property>
<beans:property name="username">
<beans:value>root</beans:value>
</beans:property>
<beans:property name="password">
<beans:value>root</beans:value>
</beans:property>
</beans:bean>

<!-- Hibernate session factory backed by the data source above. -->
<beans:bean id="sessionFactory"
class="org.springframework.orm.hibernate3.LocalSessionFactoryBean"
destroy-method="destroy">
<beans:property name="dataSource">
<beans:ref bean="dataSource" />
</beans:property>
<!-- One option is to list the hbm files explicitly via mappingResources (kept commented out). -->
<!--
<beans:property name="mappingResources">
<beans:list>
<beans:value>
com/king/springsecurity/model/Category.hbm.xml
</beans:value>
</beans:list>
</beans:property>
-->

<!-- The other option is mappingDirectoryLocations, which picks up every hbm file under the
     given directory. -->
<beans:property name="mappingDirectoryLocations">
<beans:list>
<beans:value>
classpath:com/king/springsecurity/model
</beans:value>
</beans:list>
</beans:property>
<beans:property name="hibernateProperties">
<beans:props>
<beans:prop key="hibernate.dialect">
org.hibernate.dialect.MySQLDialect
</beans:prop>
</beans:props>
</beans:property>
</beans:bean>

<!-- DAO bean; receives the session factory so it is not the bare "new CategoryDaoImpl()"
     default from the Java class. -->
<beans:bean id="categoryDao"
class="com.king.springsecurity.dao.impl.CategoryDaoImpl">
<beans:property name="sessionFactory">
<beans:ref bean="sessionFactory" />
</beans:property>
</beans:bean>
<!-- Service bean. intercept-methods wraps this bean in a security proxy; "method" accepts
     wildcards and "access" names the role required. The check applies only to calls that go
     through the proxy, i.e. callers that obtain the bean from Spring.
     NOTE(review): the grant differs from methods 1 and 2: delete* is open to ROLE_USER here
     (held by "super", "admin" and "user" below), not only to ROLE_SUPER. -->
<beans:bean id="categoryService"
class="com.king.springsecurity.service.impl.CategoryServiceImpl">
<intercept-methods>
<protect method="delete*" access="ROLE_USER" />
<protect method="list*" access="ROLE_ADMIN" />
</intercept-methods>
<beans:property name="categoryDao">
<beans:ref bean="categoryDao" />
</beans:property>

</beans:bean>
<!-- Web action; the bean name "/category" presumably serves as its URL mapping (the MVC
     configuration is not shown on this page). -->
<beans:bean name="/category"
class="com.king.springsecurity.action.CategoryAction">
<beans:property name="categoryService">
<beans:ref bean="categoryService" />
</beans:property>
</beans:bean>

<!-- auto-config="true" registers the default form-login, HTTP Basic, anonymous and logout
     support and creates the "springSecurityFilterChain" bean that web.xml delegates to. -->
<http auto-config="true">
<!-- filters="none" bypasses the whole security filter chain for this URL, so the login page
     itself is reachable by anyone. -->
<intercept-url pattern="/login.jsp" filters="none" />
<!-- Rules are evaluated top to bottom and the first matching pattern wins; "access" lists the
     roles, any one of which is sufficient.
     NOTE(review): with the /** catch-all below commented out, only /a and /b paths are
     access-checked at the URL level; if /category is a servlet-mapped URL it is not covered
     by any rule here, and its protection rests entirely on the method-level rules on
     categoryService. -->
<!--		<intercept-url pattern="/**" access="ROLE_USER" />-->

<intercept-url pattern="/a/*" access="ROLE_A" />
<intercept-url pattern="/a/aa/*" access="ROLE_AA" />
<intercept-url pattern="/b/*" access="ROLE_B" />
<intercept-url pattern="/b/bb/*" access="ROLE_BB" />

<!-- Login page; unauthenticated requests to a protected URL are redirected here. -->
<form-login login-page="/login.jsp" />
<!-- Page shown after logout. -->
<logout logout-success-url="/index.jsp"></logout>
<!-- Each user may have at most one active session. -->
<concurrent-session-control max-sessions="1" />
</http>

<!-- In-memory authentication provider holding the demo accounts. -->
<authentication-provider>
<!-- hash="plaintext": passwords are stored and compared in clear. Acceptable only for a demo;
     use a hashing encoder (e.g. hash="sha" with a salt-source) and a jdbc-user-service in
     any real deployment. -->
<password-encoder hash="plaintext"></password-encoder>
<user-service>
<!-- ROLE_SERVICEIMPL, ROLE_SERVICE, ROLE_DAOIMPL and ROLE_DAO are not referenced by any rule
     in this file; presumably left over from experiments, so remove them if unused. -->
<user password="serviceimpl" name="serviceimpl"
authorities="ROLE_SERVICEIMPL" />
<user password="service" name="service"
authorities="ROLE_SERVICE" />
<user password="daoimpl" name="daoimpl"
authorities="ROLE_DAOIMPL" />
<user password="dao" name="dao" authorities="ROLE_DAO" />

<!-- Here the privileged accounts carry the URL roles directly (ROLE_A, ROLE_B, ...) because,
     unlike the earlier examples, the intercept-url rules no longer list ROLE_ADMIN/ROLE_SUPER. -->
<user password="super" name="super"
authorities="ROLE_SUPER,ROLE_ADMIN,ROLE_USER,ROLE_A,ROLE_B,ROLE_AA,ROLE_BB" />
<user password="admin" name="admin"
authorities="ROLE_ADMIN,ROLE_USER,ROLE_A,ROLE_B,ROLE_AA,ROLE_BB" />
<user password="user" name="user"
authorities="ROLE_USER,ROLE_A,ROLE_B,ROLE_AA,ROLE_BB" />
<user password="a" name="a" authorities="ROLE_A" />
<user password="b" name="b" authorities="ROLE_B" />
<user password="aa" name="aa" authorities="ROLE_AA" />
<user password="bb" name="bb" authorities="ROLE_BB" />
</user-service>
</authentication-provider>
</beans:beans>


注意:三种方法都需要在spring-security.xml中保留<http auto-config="true">...</http>,否则会出现找不到springSecurityFilterChain的错误。