使用XML配置时替换WebSecurity和DefaultWebSecurityExpressionHandler

时间:2017-02-13 12:26:29

标签: xml spring spring-mvc spring-security

在以前的Spring项目中,我通过Java配置类配置Spring Security时,会添加下面这个方法来配置网页中的安全性:

  /**
   * Registers a web expression handler that uses the custom permission evaluator.
   *
   * <p>The handler is given the {@code permissionEvaluator} field of the enclosing
   * configuration class and is then handed to {@code web}, replacing the handler
   * Spring Security would otherwise create on its own.
   *
   * @param web the web security builder being configured
   * @throws Exception declared by the overridden method
   */
  @Override
  public void configure(WebSecurity web) throws Exception {
      // Build the handler first so the evaluator is in place before it is registered.
      final DefaultWebSecurityExpressionHandler webHandler = new DefaultWebSecurityExpressionHandler();
      webHandler.setPermissionEvaluator(permissionEvaluator);
      web.expressionHandler(webHandler);
  }

配置类是WebSecurityConfigurerAdapter的子类。

在我最近的项目中,我使用的是XML配置,但我没有找到如何用XML完成同样的配置。有人能提示一下该怎么做吗?

附:我目前的Spring Security XML配置:

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xmlns:p="http://www.springframework.org/schema/p"
        xmlns:context="http://www.springframework.org/schema/context"
        xmlns:security="http://www.springframework.org/schema/security"
        xmlns:mvc="http://www.springframework.org/schema/mvc"
        xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.0.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc-3.0.xsd">  
    <!--
      Paths served with security="none": Spring Security applies no filter
      chain to them, so matching requests get no authentication, no
      SecurityContext and none of the framework's response headers.
      NOTE(review): /css, /img and /js look like static assets, while /, /c,
      /p and /page look like application routes. Confirm that none of them
      renders user-specific data; if one does, it belongs in the main chain.
    -->
    <security:http pattern="/" security="none"/>
    <security:http pattern="/css/**" security="none"/>
    <security:http pattern="/img/**" security="none"/>
    <security:http pattern="/js/**" security="none"/>
    <security:http pattern="/c/**" security="none"/>
    <security:http pattern="/p/**" security="none"/>
    <security:http pattern="/page/**" security="none"/>

    <!--
      Main filter chain: form login shown at /signin (credentials posted to
      /login as "login" and "senha"), logout at /logout, cookie-based
      remember-me.
      NOTE(review): no security:intercept-url rule is visible in this chain, so
      URL-level access control is not enforced here. Confirm that authorization
      is applied elsewhere (for example through method security).
    -->
    <security:http auto-config="true" use-expressions="true">
        <security:form-login
            login-page="/signin"
            login-processing-url="/login"
            username-parameter="login"
            password-parameter="senha"
            default-target-url="/"
            always-use-default-target="true"/>
        <security:logout
            logout-url="/logout"
            logout-success-url="/"
            delete-cookies="JSESSIONID"/>
        <!--
          NOTE(review): the key is mixed into the remember-me token signature.
          A fixed, guessable literal should be replaced by a long random value
          supplied from deployment configuration. Changing it invalidates
          remember-me cookies that were already issued.
        -->
        <security:remember-me
            key="remember-me"
            remember-me-parameter="remember-me"
            remember-me-cookie="remember-me"/>
        <!--
          NOTE(review): CSRF protection is switched off while this chain relies
          on session and remember-me cookies, so state-changing requests are
          not protected against cross-site request forgery. Re-enabling it
          means removing this element and sending the CSRF token with every
          form, the login form included; logout then has to be a POST.
        -->
        <security:csrf disabled="true"/>
    </security:http>

    <!--
      Authentication: accounts are loaded through the userDetailsService bean
      and submitted passwords are checked with the passwordEncoder bean.
    -->
    <security:authentication-manager>
        <security:authentication-provider user-service-ref="userDetailsService">
            <security:password-encoder ref="passwordEncoder"/>
        </security:authentication-provider>
    </security:authentication-manager>

    <!--
      JDBC-backed user store. Each query takes the username as its single bound
      parameter (?), so the submitted login is never concatenated into SQL.
      The dataSource bean is not defined in the visible part of this file.
    -->
    <bean id="userDetailsService"
          class="org.springframework.security.core.userdetails.jdbc.JdbcDaoImpl">
        <property name="dataSource" ref="dataSource"/>
        <!-- Returns login, password hash and enabled flag for one account. -->
        <property name="usersByUsernameQuery"
                  value="select login, senha, enabled from usuario where login = ?"/>
        <!-- Resolves the account's credentials (roles) to the authorities attached to them. -->
        <property name="authoritiesByUsernameQuery"
                  value="SELECT t1.username, t2.authority FROM (SELECT u.login as username, c.nome as credencial FROM usuario u, usuario_credencial uc, credencial c WHERE u.id = uc.usuario_id and c.id = uc.credenciais_id) as t1 INNER JOIN (SELECT c.nome as credencial, a.nome as authority FROM credencial c, credencial_autorizacao ca, autorizacao a WHERE c.id = ca.credencial_id and a.id = ca.autorizacoes_id) as t2 ON t1.credencial = t2.credencial WHERE t1.username = ?;"/>
    </bean>

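    <!--
      BCrypt password hashing. The strength is the log2 of the iteration count:
      4 is the lowest value the encoder accepts and makes offline guessing of
      leaked hashes cheap, so the library default of 10 is used instead.
      Every BCrypt hash records its own cost, so hashes created at the lower
      cost still verify; they keep that cost until the password is re-encoded.
    -->
    <bean id="passwordEncoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder">
        <constructor-arg name="strength" value="10"/>
    </bean>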
    <!--
      Expression handler for method security; hasPermission(...) expressions
      are delegated to the custom permission evaluator.
      NOTE(review): nothing in the visible configuration references the
      expressionHandler bean. It only takes effect through a
      security:expression-handler child element, and the handler type has to
      match the parent: this class suits security:global-method-security,
      while security:http expects a DefaultWebSecurityExpressionHandler.
    -->
    <bean id="permissionEvaluator" class="org.kleber.MyPermissionEvaluator"/>
    <bean id="expressionHandler"
          class="org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler">
        <property name="permissionEvaluator" ref="permissionEvaluator"/>
    </bean>
</beans>

1 个答案:

答案 0 :(得分:0)

请参阅Spring Security Reference

  

41.1.20 <expression-handler>

     

定义在启用基于表达式的访问控制时将使用的SecurityExpressionHandler实例。如果没有提供,将使用默认实现(没有ACL支持)。

     

<expression-handler> 的父元素

  • global-method-security
  • http
  • websocket-message-broker
     

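<expression-handler> 属性

  • ref:定义对实现SecurityExpressionHandler的Spring bean的引用。

用法示例(bean名为示例):在 <security:http> 内加入 <security:expression-handler ref="webExpressionHandler"/>;此处引用的bean应为 DefaultWebSecurityExpressionHandler,而 DefaultMethodSecurityExpressionHandler 只适用于 global-method-security。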