Others call theirs best practices. My current settings do not all follow what the reference document recommends, nor do they all use DelegatingFilterProxy, so I can only call this a concise practice. First, here is my applicationContext-security.xml:
<?xml version="1.0" encoding="UTF-8"?>

<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.4.xsd">
    <global-method-security secured-annotations="enabled">
    </global-method-security>
    <http auto-config="true">

        <!-- intercept-url pattern="/**" filters="none"/ -->
        <intercept-url pattern="/login.jsp*" filters="none"/>
        <intercept-url pattern="/common/pages/**" access="IS_AUTHENTICATED_REMEMBERED"/>
        <intercept-url pattern="/common/**" filters="none"/>
        <intercept-url pattern="/secure/extreme/**" access="ROLE_SUPERVISOR"/>
        <intercept-url pattern="/secure/**" access="IS_AUTHENTICATED_REMEMBERED"/>
        <intercept-url pattern="/**" access="IS_AUTHENTICATED_REMEMBERED"/>

        <form-login login-page='/login.jsp' authentication-failure-url="/login.jsp?login_error=1" default-target-url='/index.jsp'/>

    </http>
    <authentication-provider>
        <jdbc-user-service data-source-ref="datasource"
            group-authorities-by-username-query="select u.username, g.group_name, ga.authority as 'authority' from users u join group_members gm on u.username = gm.username join groups g on gm.group_id = g.id join group_authorities ga on g.id = ga.group_id where u.username = ?"/>

        <password-encoder hash="plaintext"/>
    </authentication-provider>
</beans:beans>
Regarding the configuration above: setting the authentication-failure-url and default-target-url attributes of form-login basically avoids the trouble of working with ExceptionTranslationFilter, and authentication-provider is the most convenient configuration method available. Because my database is built on SQL Server, I added the group-authorities-by-username-query attribute. For password-encoder, I personally suggest the SHA hash with the username as salt, as recommended in the reference documentation. I use plaintext here because my project is still in the development and testing phase and the user management module has not been fully built, so plaintext is used for testing convenience. For the DataSource, I followed the recommendation in the API documentation: create a JNDI resource in the container, then use JndiObjectFactoryBean in Spring as the proxy.
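Moving from hash="plaintext" to the SHA-with-username-salt encoder means the stored passwords must be rewritten in the form the encoder will recompute at login. The script below is an added example, not the author's code. It assumes the encoder is configured as `<password-encoder hash="sha"><salt-source user-property="username"/></password-encoder>` and that Spring Security 2's ShaPasswordEncoder hashes the merged string `password{salt}` with SHA-1 and stores it as lowercase hex. The function names and sample rows are constructed for illustration.

```python
import hashlib
import hmac


def merge_password_and_salt(password: str, salt: str) -> str:
    """Combine password and salt as 'password{salt}' (assumed encoder format)."""
    if not salt:
        return password
    if "{" in salt or "}" in salt:
        # Braces inside the salt would make the merged string ambiguous.
        raise ValueError("salt must not contain '{' or '}'")
    return f"{password}{{{salt}}}"


def encode_password(password: str, username: str) -> str:
    """Hex SHA-1 of the merged string: the value to store in users.password."""
    merged = merge_password_and_salt(password, username)
    return hashlib.sha1(merged.encode("utf-8")).hexdigest()


def is_password_valid(stored_hash: str, presented: str, username: str) -> bool:
    """Recompute the hash for the presented password and compare in constant time."""
    expected = encode_password(presented, username)
    return hmac.compare_digest(stored_hash.lower(), expected)


def migrate_rows(rows):
    """Turn (username, plaintext_password) rows into (username, sha_hash) rows."""
    return [(user, encode_password(pw, user)) for user, pw in rows]


# Constructed sample rows standing in for a development users table.
SAMPLE_USERS = [("alice", "wonderland"), ("bob", "wonderland")]

if __name__ == "__main__":
    for user, digest in migrate_rows(SAMPLE_USERS):
        print(user, digest)
```

Because the username is the salt, two users with the same password get different stored values, and renaming a user invalidates that user's stored hash.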
The user-management code relies mainly on JdbcUserDetailsManager, supplemented by JdbcTemplate. The former should not be created in the Spring context; otherwise, multiple UserDetailsService beans may conflict.
Next, let's talk about how to configure Spring Security internationalization (i18n). First, the code:
<bean id="messageSource"
    class="org.springframework.context.support.ReloadableResourceBundleMessageSource">
    <property name="basename" value="/WEB-INF/SSM"/>
</bean>
<bean id="localeResolver" class="org.springframework.web.servlet.i18n.AcceptHeaderLocaleResolver"/>
Note: The bean definitions above are not in applicationContext-security.xml but in an applicationContext-beans.xml that uses beans as the default namespace. The problem I want to point out in the configuration above is the value of basename. At first I used the "org/springframework/security/messages" mentioned in the development guide, but the messages file in the jar package still could not be found. Later I saw a post from a foreigner with the same problem; he used the approach above and put the messages file in /WEB-INF/. In any case, with this configuration the messages file is finally found and i18n runs normally. As for the messages file, it was also extracted from the jar package.