
ssm下的spring-security登入許可權與角色記錄

配置檔案記錄

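<?xml version="1.0" encoding="UTF-8"?>
<!-- Spring Security (security namespace) configuration for the SSM application:
     static-resource bypasses, the form-login HTTP chain, the authentication manager,
     the voter-based access-decision manager and the custom handler beans the chain
     refers to. -->
<beans:beans xmlns="http://www.springframework.org/schema/security"
	xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
             http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd">

	<!-- security="none" removes a matching request from the security filter chain
	     completely: no access control, no session handling and no security headers are
	     applied to it. The "/**/*.ext" patterns match that extension at any depth, so keep
	     this list limited to genuinely public assets. -->
	<http security="none" pattern="/fonts/**" />
	<http security="none" pattern="/favicon.ico" />
	<http security="none" pattern="/**/*.js" />
	<http security="none" pattern="/**/*.css" />
	<http security="none" pattern="/**/*.jpg" />
	<http security="none" pattern="/**/*.gif" />
	<http security="none" pattern="/**/*.png" />
	<!-- Index and login pages reachable without logging in -->
	<!-- <http security="none" pattern="/views/index.jsp"/> <http security="none" 
		pattern="/views/login.jsp"/> -->

	<!-- Main filter chain. access-decision-manager-ref points at the AffirmativeBased
	     manager defined below; use-expressions="false" means the access="" values on
	     intercept-url are plain config attributes (ROLE_* / IS_AUTHENTICATED_*), not SpEL.
	     NOTE(review): auto-config="true" also registers HTTP Basic and logout defaults in
	     the Spring Security versions that support it - confirm Basic auth is intended. -->
	<http auto-config="true" access-decision-manager-ref="accessDecisionManager"
		use-expressions="false" security-context-repository-ref="securityContextRepository">
		<headers>
			<frame-options policy="SAMEORIGIN"/>
		</headers>
		<form-login login-page="/login.html" default-target-url="/"
			authentication-success-handler-ref="authenticationSuccessHandler"
			authentication-failure-handler-ref="authenticationFailureHandler" />
		<!-- First match wins: the login page stays reachable anonymously, everything else
		     requires a fully authenticated session. -->
		<intercept-url pattern="/login.html" access="IS_AUTHENTICATED_ANONYMOUSLY" />
		<intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY" />
		<!--<intercept-url pattern="/views/user/**" access="hasRole('ROLE_USER')" 
			/> -->
		<!-- IS_AUTHENTICATED_FULLY: every page under admin is reachable only after login.
			<intercept-url pattern="*.html*" 
			access="IS_AUTHENTICATED_FULLY" /> <intercept-url pattern="/miner/manager/*.do*" 
			access="ROLE_ADMIN" /> -->
		<access-denied-handler error-page="/views/accessDenied.html"/>
		<logout success-handler-ref="logoutSuccessHandler" />
		<!-- CSRF protection is switched off for the whole chain, so state-changing POSTs
		     are accepted without a token. Remove this element to re-enable it once the
		     forms and AJAX calls submit the CSRF token. -->
		<csrf disabled="true" />
		<!-- TODO: remember-me / auto-login / captcha / switch-user filters not yet enabled -->
		<!-- <remember-me key="lemon"/> -->
		<!-- <custom-filter ref="autoLoginFilter" after="SECURITY_CONTEXT_FILTER" 
			/> -->
		<!-- <custom-filter ref="captchaFilter" before="FORM_LOGIN_FILTER" /> <custom-filter 
			ref="switchUserFilter" position="SWITCH_USER_FILTER" /> -->
	</http>

	<!-- No password-encoder is declared here, so password comparison falls back to the
	     DaoAuthenticationProvider default for the Spring Security version in use (plain-text
	     comparison in older versions, {id}-prefixed hashes in newer ones). The commented-out
	     md5 choice is also weak; a salted adaptive hash such as bcrypt is the usual
	     replacement. TODO confirm how UserDetailsServiceImpl stores passwords. -->
	<authentication-manager>
		<authentication-provider user-service-ref="userDetailsService">
			<!-- <password-encoder hash="md5"> <salt-source ref="saltSource"></salt-source> 
				</password-encoder> -->
		</authentication-provider>
	</authentication-manager>

	<!-- Method-level check that permissions and roles match -->
	<!-- <global-method-security proxy-target-class="true" access-decision-manager-ref="accessDecisionManager" 
		secured-annotations="enabled"/> -->

	<!-- AffirmativeBased grants access as soon as any one voter grants it: authenticatedVoter
	     handles the IS_AUTHENTICATED_* attributes, roleVoter the role attributes. -->
	<bean id="accessDecisionManager"
		class="org.springframework.security.access.vote.AffirmativeBased">
		<constructor-arg name="decisionVoters">
			<list>
				<ref bean="authenticatedVoter" />
				<ref bean="roleVoter" />
				<!-- <ref bean="webExpressionVoter" /> -->
			</list>
		</constructor-arg>
		<property name="messageSource" ref="messageSource"></property>
	</bean>

	<!-- An empty prefix lets the access="" values be written in any format (no ROLE_
	     prefix required). RoleVoter then treats every config attribute as a role name and
	     matches it verbatim against the user's granted authorities. -->
	<bean id="roleVoter" class="org.springframework.security.access.vote.RoleVoter">
		<property name="rolePrefix" value=""></property>
	</bean>

	<bean id="authenticatedVoter"
		class="org.springframework.security.access.vote.AuthenticatedVoter" />

	<!-- <bean id="webExpressionVoter" class="org.springframework.security.web.access.expression.WebExpressionVoter" 
		/> -->

	<!-- Authentication provider (currently replaced by the namespace-declared one above) -->
	<!-- <bean id="authenticationProvider"
		class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
		<property name="userDetailsService" ref="userDetailsService" />
		<property name="passwordEncoder" ref="passwordEncoder" />
		<property name="saltSource" ref="saltSource" />
	</bean> -->

	<!-- Salt setting. If this is ever re-enabled, the salt value belongs in an
	     externalized property rather than in this file. -->
	<!-- <bean id="saltSource"
		class="org.springframework.security.authentication.dao.SystemWideSaltSource">
		<property name="systemWideSalt" value="ebm1spmbt5galyngk" />
	</bean> -->

	<!-- Loads user details for authentication -->
	<bean id="userDetailsService"
		class="com.security.impl.UserDetailsServiceImpl">
		<!-- <property name="userAuthConnector" ref="userAuthConnector"/> <property 
			name="accountCredentialConnector" ref="accountCredentialConnector"/> -->
		<!-- <property name="debug" value="${security.autologin.enabled}"/> -->
	</bean>

	<!-- Helper for obtaining the currently logged-in user -->
	<bean id="currentUserHolder"
		class="com.security.impl.SpringSecurityCurrentUserHolderImpl" />

	<!-- Logging of authentication and authorization events -->
	<bean
		class="org.springframework.security.authentication.event.LoggerListener" />
	<bean class="org.springframework.security.access.event.LoggerListener" />

	<!-- Refreshes a user's authorities after they change, without requiring a new login.
	     NOTE(review): "debug" is bound to ${security.autologin.enabled}, presumably a
	     development-only switch - confirm it resolves to false outside development. -->
	<bean id="securityContextRepository"
		class="com.security.CachedSecurityContextRepository">
		<property name="debug" value="${security.autologin.enabled}" />
	</bean>

	<!-- After successful authentication -->
	<bean id="authenticationSuccessHandler"
		class="com.security.api.AuthenticationSuccessHandler">
		<property name="defaultTargetUrl" value="/"></property>
	</bean>

	<!-- On authentication failure. NOTE(review): defaultFailureUrl points at
	     /views/login.jsp while form-login uses /login.html - verify this is intended. -->
	<bean id="authenticationFailureHandler"
		class="com.security.api.AuthenticationFailureHandler">
		<property name="defaultFailureUrl" value="/views/login.jsp" />
	</bean>

	<!-- Publishes a LogoutEvent after a successful logout -->
	<bean id="logoutSuccessHandler"
		class="com.security.impl.LogoutSuccessHandlerImpl" />

	<!-- Translates Spring Security events into LoginEvent and LogoutEvent -->
	<bean class="com.security.api.SpringSecurityListener" />

	<!-- Allows UserAuthDTO to be fetched directly from the session -->
	<bean id="internalUserAuthConnector"
		class="com.security.impl.InternalUserAuthConnectorImpl" />
</beans:beans>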