springsecurity3配置

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd"> 
<!-- auto-config = true 则使用from-login. 如果不使用该属性 则默认为http-basic(没有session).
access-denied-page:出错后跳转到的错误页面;
-->
<http auto-config="true" access-denied-page="/common/403.jsp" >
<!-- intercept-url:拦截器,可以设定哪些路径需要哪些权限来访问. filters=none 不使用过滤,也可以理解为忽略

<intercept-url pattern="/index.jsp" access="ROLE_ADMIN"/>
<intercept-url pattern="/save" filters="none" />
-->
<intercept-url pattern="/login.jsp" filters="none" />
<intercept-url pattern="/common/**" filters="none" />
<intercept-url pattern="/js/**" filters="none" />
<intercept-url pattern="/main/**" filters="none"/>
<intercept-url pattern="/mission/**" filters="none"/>
<intercept-url pattern="/index.jsp" filters="none"/>
<intercept-url pattern="/**" filters="none"/>

<!-- session-management是针对session的管理. 这里可以不配置. 如有需求可以配置. -->
<!-- id登陆唯一. 后登陆的账号会挤掉第一次登陆的账号  error-if-maximum-exceeded="true" 禁止2次登陆;
session-fixation-protection="none" 防止伪造sessionid攻击. 用户登录成功后会销毁用户当前的session.
创建新的session,并把用户信息复制到新session中.
-->
<session-management session-fixation-protection="none" >
<concurrency-control error-if-maximum-exceeded="true"/>
</session-management>

<!-- login-page:默认指定的登录页面. authentication-failure-url:出错后跳转页面. default-target-url:成功登陆后跳转页面 -->
<form-login login-page="/login.jsp"
authentication-success-handler-ref="jsonSuccessHandler"
authentication-failure-url="/login.jsp?error=true"
authentication-failure-handler-ref="jsonFailureHandler"
default-target-url="/main.jsp" />
<!-- logout-success-url:成功注销后跳转到的页面; -->
<logout logout-success-url="/login.jsp" />
<http-basic />
<custom-filter ref="bdFilter"
before="FILTER_SECURITY_INTERCEPTOR" />
</http>
<beans:bean id="jsonSuccessHandler" class="com.security.JsonSimpleUrlAuthenticationSuccessHandler">
<beans:property name="defaultTargetUrl" value="/main.jsp"></beans:property>
</beans:bean>
<beans:bean id="jsonFailureHandler" class="com.security.JsonSimpleUrlAuthenticationFailureHandler">
<beans:property name="defaultTargetUrl" value="/"></beans:property>
</beans:bean>
<beans:bean id="bdFilter" class="com.security.BdFilter">
<beans:property name="authenticationManager"
ref="bdAuthenticationManager" />
<beans:property name="accessDecisionManager"
ref="bdAccessDecisionManager" />
<beans:property name="securityMetadataSource"
ref="bdSecurityMetadataSource" />
</beans:bean>
<!-- 权限管理操作 -->
<authentication-manager alias="bdAuthenticationManager">
<authentication-provider
user-service-ref="userDetailsServiceImpl">
<!--
密码加密方式. 常用的有md5 和 sha.
salt-source: . . 类似在md5上又加了一层. 防止暴力破解. 追加安全性.
<password-encoder hash="md5">
<salt-source user-property="username" />
</password-encoder>
-->
</authentication-provider>
</authentication-manager>
<beans:bean id="bdAccessDecisionManager"
class="com.security.BdAccessDecision" />
<beans:bean id="bdSecurityMetadataSource"
class="com.security.BdSecurityMetadataSoruce">
<beans:property name="resourceDaoImpl" ref="resourceDaoImpl"></beans:property>
</beans:bean>
<beans:bean id="userDetailsServiceImpl"
class="com.security.BdUserService">
<beans:property name="userDaoImpl" ref="userDaoImpl"></beans:property>
</beans:bean>
<!--  -->
<beans:bean id="userDaoImpl"
class="com.persistence.impl.UserDaoImpl">
<beans:property name="sessionFactory" ref="sessionFactory"></beans:property>
</beans:bean>
<beans:bean id="resourceDaoImpl"
class="com.persistence.impl.ResourceDaoImpl">

<beans:property name="sessionFactory" ref="sessionFactory"></beans:property>
</beans:bean>

</beans:beans>