The security:global-method-security element configures annotation based security so @Secured
can be used to restrict access to methods.
The security:http is set to auto-configure basic HTTP security. Inside the the login, logout, and main style sheet are set to the anonymous role (unrestricted access). The rest of the site is restricted to an authenticated user in the user role. The default login and logout configuration is also customized to use custom pages to maintain the sites look & feel.
The authentication is set to use jdbc based user authentication. Only the DataSource
needs to be set on
the security:jdbc-user-service element if the default tables are used. Although other tables can be used by setting custom queries on
the element. If you look below the security:jdbc-user-service element, you will see a static configuration of users which might
be more convenient for a small application or during testing.
<?xml version="1.0" encoding="UTF-8"?> <beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:security="http://www.springframework.org/schema/security" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.5.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.xsd"> <security:global-method-security secured-annotations="enabled" /> <security:http auto-config="true"> <!-- Restrict URLs based on role --> <security:intercept-url pattern="/login*" access="IS_AUTHENTICATED_ANONYMOUSLY" /> <security:intercept-url pattern="/logoutSuccess*" access="IS_AUTHENTICATED_ANONYMOUSLY" /> <security:intercept-url pattern="/css/main.css" access="IS_AUTHENTICATED_ANONYMOUSLY" /> <security:intercept-url pattern="/**" access="ROLE_USER" /> <!-- Override default login and logout pages --> <security:form-login login-page="/login.html" login-processing-url="/loginProcess" default-target-url="/index.jsp" authentication-failure-url="/login.html?login_error=1" /> <security:logout logout-url="/logout" logout-success-url="/logoutSuccess.html" /> </security:http> <security:authentication-provider> <security:jdbc-user-service data-source-ref="dataSource" /> <!-- david:newyork alex:newjersey tim:illinois --> <!-- <security:password-encoder hash="md5" /> <security:user-service> <security:user name="david" password="369389d19e24204b4927e30dd7c39efc" authorities="ROLE_USER,ROLE_ADMIN" /> <security:user name="alex" password="847c6f184197dc1545d9891d42814a7d" authorities="ROLE_USER" /> <security:user name="tim" password="0513111ff330e25c631b5d3e9c0a4aae" authorities="ROLE_USER" /> </security:user-service> --> </security:authentication-provider> </beans>