Spring mvc + Spring Security 拦截 Restful格式的URL并进行验证,支持Remember me token数据库存储


有段时间没更新puma代码了,最近看到群里有很多朋友都在问关于3.1+版本spring security的问题,所以干脆我做了个3.1的demo,把常用配置用法列举在里面,供有需要的人参考一下,毕竟,没有很多人能耐心看完spring security那么so long的文档。

在进入正题前,我要强烈介绍一个网站:http://www.mossle.com/,作者很讲究,把官方文档都翻译了一遍,而且自己还写了个权限管理手册,并且带demo,应该能出书了,强烈建议大家看看这个网站里面的内容,能更好的理解spring security。

我需要用spring security实现下面的功能:

演示系统有两个界面:

1. /login  GET 不拦截

2. /main GET 拦截,需要权限

实现功能:

1. 自定义登录请求的url为:/login

2. 一个url同时支持ajax认证请求和普通表单认证

3. 无权限用户访问main.html,自动跳转至login.html。登录成功后,返回跳转前页面:main.html

4. 实现Remember me功能。

5. 实现将Remember Me Token存在数据库

6. 实现权限自定义,而不是在配置文件中直接access="ROLE_*****"。

7. 实现对restful url的拦截。


由于内容较多,估计分次编写,首先贴出security配置文件,详细内容慢慢再写:

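<?xml version="1.0" encoding="UTF-8"?>
<!--
  Spring Security 3.1 configuration for the puma demo.
  Wires a custom form-login filter, a custom logout filter, a custom
  FilterSecurityInterceptor (URL to authority mapping resolved by project
  classes) and remember-me with tokens persisted through JDBC.
  Beans referenced but not defined in this file: "security.memberdetailsservice"
  and "dataSource".
-->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:security="http://www.springframework.org/schema/security"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
           http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
           http://www.springframework.org/schema/security
           http://www.springframework.org/schema/security/spring-security-3.1.xsd">

    <!-- <security:global-method-security secured-annotations="enabled" pre-post-annotations="enabled" proxy-target-class = "true"/> -->

    <!--
      security="none" removes the whole filter chain for these patterns:
      no authentication, no authorization and no SecurityContext on them.
      Keep the patterns as narrow as possible.
    -->
    <security:http pattern="/resources/**" security="none" />
    <security:http pattern="/**/login.html" security="none" />

    <!-- Main chain: auto-config is off, so every filter used is declared explicitly. -->
    <security:http auto-config="false" entry-point-ref="pumaLoginUrlEntryPoint">
        <security:anonymous enabled="false" />
        <security:access-denied-handler ref="pumaAccessDeniedHandler" />
        <security:custom-filter before="FILTER_SECURITY_INTERCEPTOR" ref="pumaFilter" />
        <security:custom-filter position="FORM_LOGIN_FILTER" ref="pumaLoginFilter" />
        <security:custom-filter position="LOGOUT_FILTER" ref="pumaLogoutFilter" />
        <!--
          The key here must equal the first constructor argument of the
          "rememberMeServices" bean. The literal is a sample value; a real
          deployment should supply its own secret from external configuration.
        -->
        <security:remember-me key="PUMA_REMEMBER_ME_KEY" services-ref="rememberMeServices" />
        <security:session-management>
            <!-- One concurrent session per user; an expired session is sent to the login page. -->
            <security:concurrency-control expired-url="/login.html?status=123"
                                          session-registry-ref="sessionRegistry"
                                          max-sessions="1" />
        </security:session-management>
    </security:http>

    <!-- Session strategy injected into the custom login filter so concurrency control sees its logins. -->
    <bean id="sas"
          class="org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy">
        <constructor-arg name="sessionRegistry" ref="sessionRegistry" />
    </bean>

    <bean id="sessionRegistry" class="org.springframework.security.core.session.SessionRegistryImpl" />

    <security:authentication-manager alias="pumaAuthenticationManager">
        <security:authentication-provider user-service-ref="security.memberdetailsservice">
            <!--
              NOTE(review): hash="sha" is salted SHA-1, a fast hash that is weak
              for password storage. An adaptive encoder such as
              org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder,
              referenced through the "ref" attribute, is the safer choice.
              Left unchanged here because switching invalidates every stored
              password hash until the credentials are re-hashed.
            -->
            <security:password-encoder hash="sha">
                <security:salt-source user-property="id" />
            </security:password-encoder>
        </security:authentication-provider>
    </security:authentication-manager>

    <!-- Custom security interceptor placed before the default FILTER_SECURITY_INTERCEPTOR. -->
    <bean id="pumaFilter" class="com.puma.core.security.PumaFilterSecurityInterceptor">
        <property name="authenticationManager" ref="pumaAuthenticationManager" />
        <property name="accessDecisionManager" ref="pumaAccessDecisionManagerBean" />
        <property name="securityMetadataSource" ref="pumaSecurityMetadataSource" />
    </bean>

    <!-- Access decision manager: decides whether the roles held by a user are sufficient to access a given resource. -->
    <bean id="pumaAccessDecisionManagerBean" class="com.puma.core.security.PumaAccessDecisionManager" />

    <!-- Resource metadata source: builds the mapping between resources and permissions, i.e. which roles may access a given resource. -->
    <bean id="pumaSecurityMetadataSource"
          class="com.puma.core.security.PumaInvocationSecurityMetadataSourceService" />

    <bean id="pumaAccessDeniedHandler" class="com.puma.core.security.PumaAccessDeniedHandler">
        <property name="accessDeniedUrl" value="/login.html?status=403" />
    </bean>

    <bean id="pumaLoginUrlEntryPoint" class="com.puma.core.security.PumaLoginUrlEntryPoint">
        <property name="loginFormUrl" value="/login.html" />
    </bean>

    <!-- Form-login filter: credentials are posted to /login as "username" and "password". -->
    <bean id="pumaLoginFilter"
          class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
        <property name="rememberMeServices" ref="rememberMeServices" />
        <property name="sessionAuthenticationStrategy" ref="sas" />
        <property name="authenticationManager" ref="pumaAuthenticationManager" />
        <property name="authenticationFailureHandler" ref="pumaLoginFailureHandler" />
        <property name="authenticationSuccessHandler" ref="pumaLoginSuccessHandler" />
        <property name="filterProcessesUrl" value="/login" />
        <property name="usernameParameter" value="username" />
        <property name="passwordParameter" value="password" />
    </bean>

    <bean id="pumaLoginFailureHandler" class="com.puma.core.security.PumaLoginFailureHandler">
        <property name="defaultFailureUrl" value="/loginfailed.html" />
    </bean>

    <!--
      NOTE(review): useReferer redirects to the Referer request header, which
      the client controls. Confirm that PumaLoginSuccessHandler and
      PumaLogoutSuccessHandler only redirect to paths inside this application.
    -->
    <bean id="pumaLoginSuccessHandler" class="com.puma.core.security.PumaLoginSuccessHandler">
        <property name="useReferer" value="true" />
    </bean>

    <bean id="securityContextLogoutHandler"
          class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler" />

    <bean id="pumaLogoutSuccessHandler" class="com.puma.core.security.PumaLogoutSuccessHandler">
        <property name="useReferer" value="true" />
    </bean>

    <!-- Logout clears the security context and, through rememberMeServices, the remember-me login. -->
    <bean id="pumaLogoutFilter"
          class="org.springframework.security.web.authentication.logout.LogoutFilter">
        <property name="filterProcessesUrl" value="/logout" />
        <constructor-arg index="0" ref="pumaLogoutSuccessHandler" />
        <constructor-arg index="1">
            <list>
                <ref bean="securityContextLogoutHandler" />
                <ref bean="rememberMeServices" />
            </list>
        </constructor-arg>
    </bean>

    <!--
      Alternative kept for reference: cookie-only remember-me without database
      storage. In this variant the key is part of the cookie signature, so a
      guessable key weakens the token.
    -->
    <!-- <bean id="rememberMeServices"  class="org.springframework.security.web.authentication.rememberme.TokenBasedRememberMeServices">  <constructor-arg value="PUMA_REMEMBER_ME_KEY"/>      <constructor-arg ref="security.memberdetailsservice"/>  <property name="cookieName" value="PUMA_REMEMBER_ME_COOKIE" />  <property name="alwaysRemember" value="false"/>  <property name="tokenValiditySeconds" value="300"/>  <property name="parameter" value="rememberme"/> </bean> -->

    <!--
      Remember-me with tokens stored in the database.
      tokenValiditySeconds is 30 seconds, a value short enough to watch the
      token expire in the demo. alwaysRemember=false means a token is issued
      only when the "rememberme" request parameter is sent.
      When the application is served over HTTPS, setting the useSecureCookie
      property to true keeps the cookie off plain HTTP connections.
    -->
    <bean id="rememberMeServices"
          class="org.springframework.security.web.authentication.rememberme.PersistentTokenBasedRememberMeServices">
        <constructor-arg value="PUMA_REMEMBER_ME_KEY" />
        <constructor-arg ref="security.memberdetailsservice" />
        <constructor-arg ref="jdbcTokenRepositoryImpl" />
        <property name="cookieName" value="PUMA_REMEMBER_ME_COOKIE" />
        <property name="alwaysRemember" value="false" />
        <property name="tokenValiditySeconds" value="30" />
        <property name="parameter" value="rememberme" />
    </bean>

    <!-- createTableOnStartup=false: the persistent_logins table must already exist in the data source. -->
    <bean id="jdbcTokenRepositoryImpl"
          class="org.springframework.security.web.authentication.rememberme.JdbcTokenRepositoryImpl">
        <property name="createTableOnStartup" value="false" />
        <property name="dataSource" ref="dataSource" />
    </bean>

</beans>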