<!-- 此文件用于标准登录方式 -->
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.2.xsd
                                 http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-4.0.xsd">

    <!-- Unsecured chains. Every <http security="none"> element below defines its own
         empty filter chain: matching requests skip authentication, authorization,
         the CSRF check, session handling and the security response headers.
         The first matching <http> element wins, and all of these are declared
         ahead of the main chain further down in this file. -->
    <!--leaf-->
    <http security="none" pattern="/css/**"/>
    <http security="none" pattern="/images/**"/>
    <http security="none" pattern="/javascripts/**"/>
    <http security="none" pattern="/kindeditor/**"/>
    <http security="none" pattern="/office_edit_online/**"/>
    <http security="none" pattern="/modules/zjwfl/javascripts/**"/>
    <!-- NOTE(review): the pattern value below ends with a space inside the quotes.
         Whether it still matches depends on how the path matcher trims patterns;
         confirm the intent, then remove the stray space or drop the entry.
         The main chain already lists /sys/office/** as permitAll. -->
    <http security="none" pattern="/sys/office/open/* "/>
    <!-- NOTE(review): the four suffix patterns below exempt any URL ending in these
         extensions, not only files under static directories. If the MVC layer maps
         "/path.js" or "/path.css" onto the handler for "/path" (suffix pattern
         matching is on by default in Spring MVC 4.x), handlers meant to be
         protected would fall under these unauthenticated chains. Prefer
         directory-scoped patterns, or confirm suffix matching is disabled. -->
    <http security="none" pattern="/**/*.lsc"/>
    <http security="none" pattern="/**/*.lview"/>
    <http security="none" pattern="/**/*.js"/>
    <http security="none" pattern="/**/*.css"/>
    <http security="none" pattern="/jacob/**"/>
    <!-- NOTE(review): the next four paths look like application endpoints rather than
         static assets (the names suggest image retrieval, signing and AES
         operations; this cannot be verified from this file). With security="none"
         they get no authentication, no CSRF protection and no SecurityContext.
         Confirm each handler enforces its own access control. If anonymous access
         is intended, access="permitAll" in the main chain keeps the remaining
         filters active for these requests. -->
    <http security="none" pattern="/get_contract_image"/>
    <http security="none" pattern="/post_sign"/>
    <http security="none" pattern="/aes/encrypt"/>
    <http security="none" pattern="/aes/decrypt"/>

    <!--end leaf-->
    <http security="none" pattern="/resources/**"/>
    <http security="none" pattern="/resource/**"/>
    <http security="none" pattern="/lib/**"/>

    <!-- Main filter chain for every request not matched by an earlier <http> element.
         Authorization decisions go to the accessDecisionManager bean; unauthenticated
         requests are sent to the loginEntryPoint bean. -->
    <http access-decision-manager-ref="accessDecisionManager"  entry-point-ref="loginEntryPoint" >
        <!-- CSRF protection stays enabled, but which requests are checked is decided by
             the csrfSecurityRequestMatcher bean (a project class with an excludeUrls list). -->
        <csrf request-matcher-ref="csrfSecurityRequestMatcher"/>
        <!--<csrf disabled="true"/>-->
        <!-- intercept-url rules are evaluated top to bottom and the first match applies,
             so the permitAll entries must stay above the catch-all "/**" rule.
             NOTE(review): /sys/office/**, /common/** and /websocket/** open whole path
             prefixes to anonymous users; confirm nothing sensitive is mapped under them. -->
        <intercept-url pattern="/login" access="permitAll"/>
        <intercept-url pattern="/timeout" access="permitAll"/>
        <intercept-url pattern="/login.html" access="permitAll"/>
        <intercept-url pattern="/verifiCode" access="permitAll"/>
        <intercept-url pattern="/sys/office/**" access="permitAll" />
        <intercept-url pattern="/common/**" access="permitAll"/>
        <intercept-url pattern="/websocket/**" access="permitAll"/>
        <!-- Catch-all: everything else requires ROLE_USER. -->
        <intercept-url pattern="/**" access="hasRole('ROLE_USER')"/>
        <access-denied-handler error-page="/access-denied"/>
        <!-- Requests carrying an invalid session id are redirected to /timeout. -->
        <session-management invalid-session-url="/timeout"/>

        <!--<form-login login-page='/login' authentication-success-handler-ref="successHandler"
                    authentication-failure-handler-ref="loginFailureHandler"/>-->
        <!--authentication-failure-url="/login?error=true"/>-->
        <!-- Captcha verification filter; runs before the form-login position. -->
        <custom-filter ref="captchaVerifierFilter" before="FORM_LOGIN_FILTER"/>
        <!-- Replaces the default <form-login> authentication with a custom filter. -->
        <custom-filter ref="authenticationFilter" position="FORM_LOGIN_FILTER" />
        <logout logout-url="/logout" success-handler-ref="logoutHandler"/>

        <!-- defaults-disabled="true" switches off the default security headers; only the
             cache-control headers are re-enabled here.
             NOTE(review): as configured, this chain does not emit X-Content-Type-Options,
             X-Frame-Options, X-XSS-Protection or Strict-Transport-Security. Unless they
             are set elsewhere (reverse proxy, servlet filter), consider adding
             <content-type-options/> and <frame-options policy="SAMEORIGIN"/> after
             checking that no cross-origin framing of these pages is required. -->
        <headers defaults-disabled="true">
            <cache-control/>
        </headers>
    </http>

    <!-- Because <form-login> is replaced by a custom filter, the login entry point
         has to be declared explicitly. The main <http> element references it through
         entry-point-ref. -->
    <beans:bean id="loginEntryPoint" class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
        <!-- URL of the login page that unauthenticated requests are sent to -->
        <beans:constructor-arg value="/login" />
    </beans:bean>

    <!-- Project-specific failure handler, wired into authenticationFilter as its
         authenticationFailureHandler.
         NOTE(review): the class source is not visible here; confirm its response does
         not reveal whether the username or the password was wrong. -->
    <beans:bean id="loginFailureHandler" class="com.hand.hap.security.LoginFailureHandler"/>


    <!-- Access decision manager used by the main <http> chain. UnanimousBased denies
         access as soon as any voter votes to deny, so every voter listed below can
         veto a request. -->
    <beans:bean id="accessDecisionManager" class="org.springframework.security.access.vote.UnanimousBased">
        <!-- Voters: two framework voters and two project classes.
             NOTE(review): CustomWebExpressionVoter and PermissionVoter are not shown in
             this file; presumably the former evaluates the access="..." expressions on
             intercept-url. Confirm against the class sources. -->
        <beans:constructor-arg>
            <beans:list>
                <beans:bean class="com.hand.hap.security.CustomWebExpressionVoter"/>
                <beans:bean class="org.springframework.security.access.vote.RoleVoter"/>
                <beans:bean class="org.springframework.security.access.vote.AuthenticatedVoter"/>
                <beans:bean class="com.hand.hap.security.PermissionVoter"/>
            </beans:list>
        </beans:constructor-arg>
    </beans:bean>

    <!-- Extends UsernamePasswordAuthenticationFilter and takes the place of <form-login>;
         it is installed at FORM_LOGIN_FILTER in the main <http> chain.
         NOTE(review): only the three properties below are set; no
         sessionAuthenticationStrategy is injected here. Confirm that the session id is
         still changed on successful login (session-fixation protection) when this
         custom filter performs the authentication. -->
    <beans:bean id="authenticationFilter" class="com.hand.hap.security.filter.UsernamePasswordAuthenticationExtendFilter" >
        <beans:property name="authenticationManager" ref="authenticationManager"/>
        <beans:property name="authenticationSuccessHandler" ref="successHandler" />
        <beans:property name="authenticationFailureHandler" ref="loginFailureHandler"/>
    </beans:bean>

    <!--<beans:import resource="standardSecurity-LDAP.xml"/>-->
    <!-- Authentication manager, exposed under the alias used by authenticationFilter. -->
    <authentication-manager  alias="authenticationManager">
        <!-- LDAP authentication (disabled) -->
        <!-- <authentication-provider ref="ldapAuthProvider" />-->
        <!-- Standard login authentication against customUserDetailsService -->
        <authentication-provider user-service-ref="customUserDetailsService">
            <!-- NOTE(review): hash="md5" with an empty <password-encoder> element means
                 stored passwords are compared as MD5 digests with no salt source
                 configured. MD5 is fast to compute and unsuitable for password storage;
                 a leaked credential table can be searched offline cheaply.
                 Moving to hash="bcrypt" (supported by this schema) requires re-hashing
                 existing credentials, for example on each user's next successful login
                 or through a forced reset, so it cannot be a one-line switch. -->
            <password-encoder hash="md5">
            </password-encoder>
        </authentication-provider>
    </authentication-manager>

    <!-- Captcha filter, registered before FORM_LOGIN_FILTER in the main <http> chain.
         captchaField presumably names the request parameter that carries the captcha
         answer (the class source is not shown here; confirm).
         NOTE(review): confirm that the filter invalidates a captcha after one attempt,
         so that a solved value cannot be reused across repeated login attempts. -->
    <beans:bean id="captchaVerifierFilter" class="com.hand.hap.security.CaptchaVerifierFilter">
        <beans:property name="captchaField" value="verifiCode"/>
    </beans:bean>

    <!-- Project-specific success handler, wired into authenticationFilter. No properties
         are set; the defaultTargetUrl override below is commented out.
         NOTE(review): if the handler redirects to a target taken from the request,
         confirm it only accepts same-application URLs. -->
    <beans:bean id="successHandler" class="com.hand.hap.security.CustomAuthenticationSuccessHandler">
        <!-- <beans:property name="defaultTargetUrl" value="/index"/>-->
    </beans:bean>


    <!-- Project-specific logout success handler, referenced by
         <logout logout-url="/logout" .../> in the main <http> chain. -->
    <beans:bean id="logoutHandler" class="com.hand.hap.security.CustomLogoutSuccessHandler"></beans:bean>

    <!-- Request matcher handed to <csrf request-matcher-ref="..."/> in the main chain.
         The property name suggests that URLs in excludeUrls are skipped by the CSRF
         check (the class source is not shown here; confirm).
         NOTE(review): /autocrud/**, /**/*.svc, /**/*.screen and /sys/office/** are broad
         exclusions. Any state-changing handler under them that relies on the session
         cookie for authentication would have no CSRF token protection. /sys/office/**
         is also permitAll in the main chain. Narrow the list to the endpoints that
         cannot send a token, or confirm they are protected another way (for example
         Origin/Referer validation or SameSite cookies). -->
    <beans:bean id="csrfSecurityRequestMatcher" class="com.hand.hap.security.CsrfSecurityRequestMatcher">
        <beans:property name="excludeUrls">
            <beans:list>
                <beans:value>/login</beans:value>
                <beans:value>/websocket/**</beans:value>
                <beans:value>/autocrud/**</beans:value>
                <beans:value>/**/*.svc</beans:value>
                <beans:value>/**/*.screen</beans:value>
                <beans:value>/sys/office/**</beans:value>
            </beans:list>
        </beans:property>
    </beans:bean>

</beans:beans>