Securing the Web Layer with Spring Security

Static resources do not need to be checked by the security filters

```xml
<security:http pattern="/resources/**" security="none" />
```

HTTP security settings

Setting `auto-config="true"` configures the default filters.
`use-expressions="true"` enables the powerful SpEL expressions, for example `permitAll`, `hasRole('ROLE_USER')` and so on.

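```xml
<security:http auto-config="true" use-expressions="true">
    <!-- Port pair used when a request is redirected between HTTP and HTTPS -->
    <security:port-mappings>
        <security:port-mapping http="8080" https="8443"/>
    </security:port-mappings>

    <!-- The login page is open to everyone and must be served over HTTPS -->
    <security:intercept-url pattern="/login.jsp*" access="permitAll" requires-channel="https" />
    <security:form-login login-page="/login.jsp"
                         authentication-failure-url="/login.jsp?login_error=true"
                         default-target-url="/index.jsp" />

    <!-- requires-channel="any" accepts both HTTP and HTTPS -->
    <security:intercept-url pattern="/admin/**" access="hasRole('ROLE_ADMIN')" requires-channel="any" />
    <security:intercept-url pattern="/user/**" access="hasRole('ROLE_USER')" />

    <security:csrf />

    <!-- session-fixation-protection="none" keeps the same session id after login,
         i.e. session-fixation protection is switched off -->
    <security:session-management session-fixation-protection="none" invalid-session-url="/timeout.jsp">
        <!-- One session per user; with error-if-maximum-exceeded="false" a new login
             expires the older session instead of being rejected -->
        <security:concurrency-control max-sessions="1" error-if-maximum-exceeded="false" />
    </security:session-management>

    <security:logout logout-success-url="/login.jsp" invalidate-session="true" />

    <!-- ipTokenBasedRememberMeServices and accessDeniedHandler are beans defined elsewhere -->
    <security:remember-me services-ref="ipTokenBasedRememberMeServices" />
    <security:access-denied-handler ref="accessDeniedHandler"/>

    <!-- Allow framing only by pages of the same origin -->
    <security:headers>
        <security:frame-options policy="SAMEORIGIN" />
    </security:headers>
</security:http>
```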
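The following check is an added example, not part of the original post: it parses a Spring Security XML configuration and reports the settings from the block above that deserve review (a protected path not pinned to HTTPS, session-fixation protection switched off, patterns that bypass the filter chain). The `audit` function, its rule names and the trimmed sample are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = "{http://www.springframework.org/schema/security}"

# Constructed sample: a trimmed copy of the configuration above, wrapped in a
# root element so that the security: prefix is bound to its namespace.
SAMPLE = """<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:security="http://www.springframework.org/schema/security">
  <security:http pattern="/resources/**" security="none" />
  <security:http auto-config="true" use-expressions="true">
    <security:intercept-url pattern="/login.jsp*" access="permitAll" requires-channel="https" />
    <security:intercept-url pattern="/admin/**" access="hasRole('ROLE_ADMIN')" requires-channel="any" />
    <security:intercept-url pattern="/user/**" access="hasRole('ROLE_USER')" />
    <security:session-management session-fixation-protection="none" invalid-session-url="/timeout.jsp" />
  </security:http>
</beans>"""


def audit(xml_text):
    """Return a list of (rule, detail) findings for a Spring Security XML config."""
    findings = []
    root = ET.fromstring(xml_text)
    for http in root.iter(NS + "http"):
        if http.get("security") == "none":
            # No filter runs for this pattern (no authentication, CSRF or header
            # handling); listed so a reviewer can confirm it holds only static content.
            findings.append(("no-filter-chain", http.get("pattern")))
            continue
        for url in http.iter(NS + "intercept-url"):
            access = url.get("access", "")
            channel = url.get("requires-channel", "any")  # omitted means no channel rule
            # A path with an access rule other than permitAll that is not pinned
            # to HTTPS can still be requested over cleartext HTTP.
            if access != "permitAll" and channel != "https":
                findings.append(("no-https", url.get("pattern")))
        for sm in http.iter(NS + "session-management"):
            if sm.get("session-fixation-protection") == "none":
                # The pre-login session id stays valid after authentication.
                findings.append(("session-fixation-off", "session-management"))
    return findings


if __name__ == "__main__":
    for rule, detail in audit(SAMPLE):
        print(f"{rule}: {detail}")
```

Changing `requires-channel` to `https` on the protected paths and `session-fixation-protection` to `changeSessionId` (or `migrateSession` on older servlet containers) clears the last three findings.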
