Friday, September 21, 2012

Spring web security


in web.xml:

Define one filter and one filter-mapping for Spring Security. DelegatingFilterProxy is a single servlet filter that delegates to the Spring bean whose name equals the filter-name; the security namespace creates that bean under the name springSecurityFilterChain, so the two names must match. Mapping it to /* sends every request through the chain:
<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

in the Application Context:

- using the security namespace
<security:http access-denied-page="/denied.jsp" use-expressions="true">
    <security:form-login login-page="/login.jsp"
                         authentication-failure-url="/login.jsp?login_error=true" />
    <security:intercept-url pattern="/accounts/edit*" access="hasRole('ROLE_EDITOR')" />
    <security:intercept-url pattern="/accounts/account*" access="hasAnyRole('ROLE_VIEWER','ROLE_EDITOR')" />
    <security:intercept-url pattern="/accounts/**" access="isAuthenticated()" />
    <security:logout/>
</security:http>

intercept-url elements are evaluated in the order listed and the first matching pattern wins, so the most specific patterns must come first: placed below /accounts/**, the /accounts/edit* rule would never be reached and editing would require only a login. The patterns are Ant-style paths matched against the request path without the query string, and * does not cross a / boundary, so /accounts/edit* covers /accounts/edit and /accounts/edit.htm but not /accounts/edit/1, which falls through to the /accounts/** rule. Nothing here matches paths outside /accounts/, so those are left open by this configuration; add a trailing catch-all pattern if that is not intended.
access-denied-page - the page shown when the user is logged in but does not hold the required role (as opposed to the login page, which anonymous users are sent to). Newer 3.x releases deprecate this attribute in favour of the access-denied-handler child element.
security:logout - adds the logout processing filter, by default triggered by /j_spring_security_logout.
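The same http block with the ordering, catch-all and login-page issues addressed, as an added example rather than the original post's configuration. The /resources/** pattern is an assumed location for static files; the rest uses only the paths already shown above.

```xml
<security:http use-expressions="true">
    <!-- replaces the deprecated access-denied-page attribute -->
    <security:access-denied-handler error-page="/denied.jsp" />
    <security:form-login login-page="/login.jsp"
                         authentication-failure-url="/login.jsp?login_error=true" />

    <!-- the login and denied pages must be reachable anonymously, otherwise the
         redirect to /login.jsp is itself intercepted and the browser loops -->
    <security:intercept-url pattern="/login.jsp*" access="permitAll" />
    <security:intercept-url pattern="/denied.jsp" access="permitAll" />
    <!-- assumed location of css/js/images; adjust to the application layout -->
    <security:intercept-url pattern="/resources/**" access="permitAll" />

    <!-- most specific first: /accounts/** would otherwise swallow these -->
    <security:intercept-url pattern="/accounts/edit*" access="hasRole('ROLE_EDITOR')" />
    <security:intercept-url pattern="/accounts/account*" access="hasAnyRole('ROLE_VIEWER','ROLE_EDITOR')" />
    <security:intercept-url pattern="/accounts/**" access="isAuthenticated()" />

    <!-- catch-all last: any URL not listed above needs a login instead of being open -->
    <security:intercept-url pattern="/**" access="isAuthenticated()" />

    <security:logout logout-url="/logout"
                     logout-success-url="/login.jsp"
                     invalidate-session="true" />
</security:http>
```

With the catch-all in place, forgetting to list a new controller path fails closed (the user is sent to the login page) instead of silently exposing it.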

<security:authentication-manager>   -- configure authentication
    <security:authentication-provider>
        <security:password-encoder hash="md5">
            <security:salt-source system-wide="MySalt" />
        </security:password-encoder>
        <security:user-service properties="/WEB-INF/users.properties" />
    </security:authentication-provider>
</security:authentication-manager>

salt-source - either a single system-wide value, as above, or user-property="id" to salt with a property read from the UserDetails object (the property must exist on that object; the standard User class exposes username, so a custom UserDetails is needed for an id). Only one salt-source element is allowed per password-encoder.
user-service - reads users from a properties file with one line per user, username=password,ROLE_A[,ROLE_B][,enabled|disabled], where password is already hashed with the configured encoder and salt. Alternatively use a jdbc-user-service or ldap-user-service in its place, for example:
<security:jdbc-user-service data-source-ref="dataSource" />

hash="md5" with a fixed system-wide salt is a fast, unsalted-per-user digest: two users with the same password get identical stored values and the whole table can be attacked with one precomputed dictionary. Spring Security 3.1 ships org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder, which can be plugged in through the password-encoder element's ref attribute and needs no salt-source.
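An added example, not code from the original post, that produces the stored password values the two encoder set-ups expect (so a users.properties entry can be seeded by hand) and checks a login attempt against them the way the authentication provider does. It assumes spring-security-core and spring-security-crypto 3.1 on the classpath; the user name, password and roles are constructed sample values, and "MySalt" is the system-wide salt from the configuration above. To accept the bcrypt values with the namespace, declare `<bean id="bcryptEncoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder"/>` and reference it with `<security:password-encoder ref="bcryptEncoder"/>` in place of the md5 element.

```java
import org.springframework.security.authentication.encoding.Md5PasswordEncoder;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;

/*
 * Added example (not from the original post). Seeds and verifies stored
 * passwords for the md5+system-wide-salt configuration and for a bcrypt
 * replacement. Assumes Spring Security 3.1; sample user data is constructed.
 */
public class PasswordSeeder {

    /* Legacy path: <password-encoder hash="md5"> with <salt-source system-wide="MySalt"/>.
     * MessageDigestPasswordEncoder hashes rawPassword + "{" + salt + "}" and returns
     * the digest as lowercase hex, which is what goes into users.properties. */
    static String md5WithSystemSalt(String rawPassword, String systemWideSalt) {
        return new Md5PasswordEncoder().encodePassword(rawPassword, systemWideSalt);
    }

    static boolean md5Matches(String stored, String rawPassword, String systemWideSalt) {
        return new Md5PasswordEncoder().isPasswordValid(stored, rawPassword, systemWideSalt);
    }

    /* Hardened path: BCryptPasswordEncoder draws a random salt per call and stores it,
     * with the work factor, inside the output string, so no <salt-source> is configured
     * and the cost can be raised later without changing the configuration format. */
    static String bcrypt(String rawPassword) {
        return new BCryptPasswordEncoder(10).encode(rawPassword);   // strength 10 = 2^10 rounds
    }

    static boolean bcryptMatches(String stored, String rawPassword) {
        return new BCryptPasswordEncoder().matches(rawPassword, stored);
    }

    /* One line of the file read by <user-service properties="...">:
     *   username=storedPassword,ROLE_A[,ROLE_B][,enabled|disabled] */
    static String propertiesLine(String user, String stored, String... roles) {
        StringBuilder line = new StringBuilder(user).append('=').append(stored);
        for (String role : roles) {
            line.append(',').append(role);
        }
        return line.append(",enabled").toString();
    }

    public static void main(String[] args) {
        String user = "alice";          // constructed sample values
        String password = "s3cret";
        String systemSalt = "MySalt";   // must equal the system-wide attribute in the config

        String md5Stored = md5WithSystemSalt(password, systemSalt);
        System.out.println(propertiesLine(user, md5Stored, "ROLE_VIEWER", "ROLE_EDITOR"));
        System.out.println("md5, right password:    " + md5Matches(md5Stored, password, systemSalt));
        System.out.println("md5, wrong password:    " + md5Matches(md5Stored, "guess", systemSalt));
        // same password, same fixed salt -> identical stored value every time
        System.out.println("md5 repeats:            "
                + md5Stored.equals(md5WithSystemSalt(password, systemSalt)));

        String bcryptStored = bcrypt(password);
        System.out.println(propertiesLine(user, bcryptStored, "ROLE_VIEWER"));
        System.out.println("bcrypt, right password: " + bcryptMatches(bcryptStored, password));
        System.out.println("bcrypt, wrong password: " + bcryptMatches(bcryptStored, "guess"));
        // fresh salt per call -> two users with the same password differ on disk
        System.out.println("bcrypt repeats:         " + bcryptStored.equals(bcrypt(password)));
    }
}
```

The md5 lines are what the md5/system-wide configuration on this page needs; the bcrypt lines show why that configuration should be replaced: the stored value no longer leaks which users share a password, and verification cost is tunable.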
