<!-- This file configures the standard login method -->
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.2.xsd
                                 http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-4.0.xsd">

    <!--
      Each <http security="none"> element takes matching requests out of Spring
      Security entirely: no authentication, no CSRF check, no security response
      headers and no SecurityContext for the handler.
      NOTE(review): the patterns in this group look like application endpoints
      rather than static assets. Confirm that each one verifies its caller by some
      other means, or move it into the secured chain.
      NOTE(review): /aes/encrypt and /aes/decrypt presumably run AES operations with
      a server-side key; if so, any unauthenticated caller can use that key. TODO confirm.
      NOTE(review): /post_sign, /sign_keyword_locations and /get_contract_image
      presumably belong to contract signing; confirm that contract data is not
      readable or changeable without a login.
    -->
    <http security="none" pattern="/get_contract_image"/>
    <http security="none" pattern="/post_sign"/>
    <http security="none" pattern="/sign_keyword_locations"/>
    <http security="none" pattern="/aes/encrypt"/>
    <http security="none" pattern="/aes/decrypt"/>
    <!-- NOTE(review): confirm everything served under /hls_file/ is meant to be public. -->
    <http security="none" pattern="/hls_file/**"/>

    <!--
      Resource paths and two pre-login pages, served with no security filters at all.
      /timeout is also the invalid-session-url of the main <http> chain, so it has to
      be reachable without a session.
      /verifiCode: presumably the captcha endpoint (captchaVerifierFilter reads a
      field of the same name). TODO confirm.
    -->
    <http security="none" pattern="/resources/**"/>
    <http security="none" pattern="/leafresource/**"/>
    <http security="none" pattern="/lib/**"/>
    <http security="none" pattern="/timeout"/>
    <http security="none" pattern="/verifiCode"/>
    <http security="none" pattern="/resource/**"/>

    <!-- leaf: paths of the leaf modules that bypass the security filter chain -->
    <http security="none" pattern="/css/**"/>
    <!--
      NOTE(review): the pattern below ends with a space inside the quotes. Whether it
      still matches depends on how the path matcher trims tokens; verify, and remove
      the space only after deciding that this path should really bypass the filters.
      The main chain already marks /sys/office/** as permitAll.
    -->
    <http security="none" pattern="/sys/office/open/* "/>
    <http security="none" pattern="/images/**"/>
    <http security="none" pattern="/javascripts/**"/>
    <!--
      NOTE(review): /kindeditor/** and /office_edit_online/** are presumably editor
      assets. Confirm that no server-side upload or file-manager handlers are deployed
      under these paths, since they would be reachable without a login.
    -->
    <http security="none" pattern="/kindeditor/**"/>
    <http security="none" pattern="/office_edit_online/**"/>
    <http security="none" pattern="/modules/zjwfl/javascripts/**"/>
    <!--
      Individual .lsc endpoints exposed with no filter chain. By their names they look
      like integration entry points (SMS, SAP EAI, WeChat).
      NOTE(review): confirm that each one authenticates its caller by another mechanism
      (shared secret, request signature, network allow-list or gateway).
      NOTE(review): ds_sys_sms_send.lsc presumably sends SMS messages; if it does so on
      request, it needs caller verification and rate limiting. TODO confirm.
    -->
    <http security="none" pattern="/modules/doodream/doodream_response.lsc"/>
    <http security="none" pattern="/modules/sys/SYS404/ds_sys_sms_send.lsc"/>
    <http security="none" pattern="/modules/interface/INTERFACE_EAI/hls_sap_eai_EtPayment.lsc"/>
    <http security="none" pattern="/modules/interface/INTERFACE_EAI/hls_sap_eai_MoAccount.lsc"/>
    <http security="none" pattern="/modules/interface/INTERFACE_EAI/hls_sap_eai_CrAccount_job.lsc"/>
    <http security="none" pattern="/modules/interface/INTERFACE_EAI/hls_sap_eai_ReAccount_job.lsc"/>
    <http security="none" pattern="/modules/interface/INTERFACE_WX/wx_update_company_Info.lsc"/>
    <http security="none" pattern="/modules/interface/INTERFACE_WX/wx_update_trailer_result.lsc"/>
    <http security="none" pattern="/modules/interface/INTERFACE_WX/get_wx_trailer_Info.lsc"/>
    <http security="none" pattern="/modules/interface/INTERFACE_WX/get_wx_usedcar_Info.lsc"/>
    <!-- NOTE(review): confirm what /contract/signature/** and /jacob/** serve before leaving them unfiltered. -->
    <http security="none" pattern="/contract/signature/**"/>
    <http security="none" pattern="/jacob/**"/>
    <!--
      The two rules below are disabled and should stay disabled: they would remove the
      filter chain from every .lsc and .lview URL.
    -->
    <!--<http security="none" pattern="/**/*.lsc"/>-->
    <!--<http security="none" pattern="/**/*.lview"/>-->

    <!--
      Main filter chain: it has no pattern, so it handles every request that no
      security="none" chain above has claimed. Unauthenticated requests that need a
      login are handed to the loginEntryPoint bean, and access decisions are made by
      the accessDecisionManager bean.
    -->
    <http access-decision-manager-ref="accessDecisionManager" entry-point-ref="loginEntryPoint">
        <!-- CSRF protection applies only to the requests selected by csrfSecurityRequestMatcher. -->
        <csrf request-matcher-ref="csrfSecurityRequestMatcher"/>
        <!--<csrf disabled="true"/>-->

        <!--
          intercept-url rules are evaluated top to bottom and the first matching pattern
          wins, so the permitAll rules take precedence over the final ROLE_USER rule.
          NOTE(review): every .lsc and .lview URL, /autocrud/** and /sys/office/** are
          permitAll at URL level. Whether the custom voters in accessDecisionManager
          still restrict them is not visible in this file; confirm before relying on it.
          NOTE(review): /websocket/** is permitAll and also CSRF-exempt; confirm that the
          handshake handler checks the user session and the Origin header.
        -->
        <intercept-url pattern="/**/*.lsc" access="permitAll"/>
        <intercept-url pattern="/**/*.lview" access="permitAll"/>
        <intercept-url pattern="/autocrud/**" access="permitAll"/>
        <intercept-url pattern="/sys/office/**" access="permitAll" />
        <intercept-url pattern="/login" access="permitAll"/>
        <intercept-url pattern="/login.html" access="permitAll"/>
        <!--       <intercept-url pattern="/common/**" access="permitAll" />-->
        <intercept-url pattern="/websocket/**" access="permitAll"/>
        <!-- Catch-all: anything not matched above requires ROLE_USER. -->
        <intercept-url pattern="/**" access="hasRole('ROLE_USER')"/>
        <access-denied-handler error-page="/access-denied"/>
        <!-- Requests carrying an invalid session id are redirected to /timeout. -->
        <session-management invalid-session-url="/timeout"/>

        <!--<form-login login-page='/login' authentication-success-handler-ref="successHandler"
                    authentication-failure-handler-ref="loginFailureHandler"/>-->
        <!--authentication-failure-url="/login?error=true"/>-->
        <!-- Captcha verification filter: runs before the login filter. -->
        <custom-filter ref="captchaVerifierFilter" before="FORM_LOGIN_FILTER"/>
        <!-- Custom login filter, placed where <form-login> would have put its own filter. -->
        <custom-filter ref="authenticationFilter" position="FORM_LOGIN_FILTER" />

        <logout logout-url="/logout" success-handler-ref="logoutHandler"/>

        <!--
          defaults-disabled="true" switches off Spring Security's default response
          headers; only Cache-Control is written by this chain.
          NOTE(review): X-Content-Type-Options, X-Frame-Options, X-XSS-Protection and
          Strict-Transport-Security are therefore not set here. Unless a reverse proxy
          adds them, consider <content-type-options/> and
          <frame-options policy="SAMEORIGIN"/> after checking that embedded pages still load.
        -->
        <headers defaults-disabled="true">
            <!--    <xss-protection enabled="true"></xss-protection>-->
            <cache-control/>
        </headers>
    </http>

    <!-- Failure handler wired into authenticationFilter as its authenticationFailureHandler. -->
    <beans:bean id="loginFailureHandler" class="com.hand.hap.security.LoginFailureHandler"/>
    <!-- Anonymous bean; by its class name presumably a listener that records login information. TODO confirm. -->
    <beans:bean class="com.hand.hap.security.UserLoginInfoCollectionLisenter"/>

    <!--
      Access decision manager: decides, from the user's roles and the corresponding
      permissions, whether a request is allowed.
      UnanimousBased denies access as soon as any voter votes to deny.
      NOTE(review): the URL rules in this file are expressions (permitAll,
      hasRole(...)). The stock RoleVoter and AuthenticatedVoter presumably abstain on
      expression attributes, which would leave the decision to the two custom voters.
      Confirm against the voter implementations.
    -->
    <beans:bean id="accessDecisionManager" class="org.springframework.security.access.vote.UnanimousBased">
        <!-- Voters -->
        <beans:constructor-arg>
            <beans:list>
                <beans:bean class="com.hand.hap.security.CustomWebExpressionVoter"/>
                <beans:bean class="org.springframework.security.access.vote.RoleVoter"/>
                <beans:bean class="org.springframework.security.access.vote.AuthenticatedVoter"/>
                <beans:bean class="com.hand.hls.security.LeafResourceVoter"/>
            </beans:list>
        </beans:constructor-arg>
    </beans:bean>

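    <!--
      Extends UsernamePasswordAuthenticationFilter and takes the place of <form-login>;
      the main <http> chain registers it at position FORM_LOGIN_FILTER.
    -->
    <beans:bean id="authenticationFilter" class="com.hand.hap.security.filter.UsernamePasswordAuthenticationExtendFilter" >
        <beans:property name="authenticationManager" ref="authenticationManager"/>
        <beans:property name="authenticationSuccessHandler" ref="successHandler" />
        <beans:property name="authenticationFailureHandler" ref="loginFailureHandler"/>
        <!--
          A hand-declared authentication filter is not given the namespace's session
          strategy, so one is set explicitly. On a successful login the session is
          replaced by a new one (existing attributes are migrated), which is the
          session-fixation protection <form-login> would have provided. Harmless if
          the subclass already rotates the session id itself.
        -->
        <beans:property name="sessionAuthenticationStrategy">
            <beans:bean class="org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy"/>
        </beans:property>
    </beans:bean>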

    <!--
      Entry point of the main <http> chain: requests that need authentication are
      sent to the login URL given as constructor argument (/login).
    -->
    <beans:bean id="loginEntryPoint" class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
        <beans:constructor-arg value="/login" />
    </beans:bean>

    <!--<beans:import resource="standardSecurity-LDAP.xml"/>-->
    <!-- Authentication manager used by authenticationFilter; one provider is active. -->
    <authentication-manager  alias="authenticationManager">
        <!-- LDAP authentication (disabled) -->
        <!-- <authentication-provider ref="ldapAuthProvider" />-->
        <!-- Standard login authentication -->
        <!-- Production and development differ here (add chenlingfeng for ds) -->
        <!--<authentication-provider user-service-ref="customUserDetailsService">-->
        <!--
          Users are loaded by leafUserDetailsService and passwords are checked with the
          passwordManager bean; both are defined outside this file.
          NOTE(review): confirm that passwordManager uses a salted, adaptive hash
          (for example bcrypt or PBKDF2) and not a fast digest or reversible encoding.
        -->
        <authentication-provider user-service-ref="leafUserDetailsService">
            <password-encoder ref="passwordManager"/>
        </authentication-provider>
    </authentication-manager>

    <!--
      Captcha filter, registered before FORM_LOGIN_FILTER in the main <http> chain.
      captchaField is presumably the name of the request parameter carrying the code
      typed by the user. TODO confirm against CaptchaVerifierFilter.
      NOTE(review): confirm that a captcha is invalidated after one check, so that a
      solved code cannot be replayed across login attempts.
    -->
    <beans:bean id="captchaVerifierFilter" class="com.hand.hap.security.CaptchaVerifierFilter">
        <beans:property name="captchaField" value="verifiCode"/>
    </beans:bean>

    <!-- Success handler wired into authenticationFilter as its authenticationSuccessHandler. -->
    <!-- NOTE(review): if it redirects to a URL taken from the request, confirm the target is restricted to this application. -->
    <beans:bean id="successHandler" class="com.hand.hap.security.CustomAuthenticationSuccessHandler"/>

    <!-- Handler referenced by <logout success-handler-ref="logoutHandler"> in the main <http> chain. -->
    <beans:bean id="logoutHandler" class="com.hand.hap.security.CustomLogoutSuccessHandler"/>

    <!--
      Request matcher used by <csrf> in the main <http> chain. excludeUrls presumably
      lists the URL patterns that are exempt from the CSRF token check; how
      LeafCsrfSecurityRequestMatcher matches them is not visible here. TODO confirm.
      NOTE(review): /autocrud/** and /sys/office/** are exempt here and permitAll in the
      main chain. If they accept state-changing requests, those requests carry neither
      a CSRF check nor a URL-level role check; narrow both lists where possible.
      NOTE(review): /login is exempt, so the login request itself is not covered by a
      CSRF token; confirm that this is intended.
    -->
    <beans:bean id="csrfSecurityRequestMatcher" class="com.hand.hls.security.LeafCsrfSecurityRequestMatcher">
        <beans:property name="excludeUrls">
            <beans:list>
                <beans:value>/login</beans:value>
                <beans:value>/websocket/**</beans:value>
                <beans:value>/autocrud/**</beans:value>
                <beans:value>/sys/office/**</beans:value>
                <!-- The ";**" suffix presumably covers path parameters such as ;jsessionid on the upload URL. TODO confirm. -->
                <beans:value>/atm_upload.lsc;**</beans:value>
            </beans:list>
        </beans:property>
    </beans:bean>

</beans:beans>