<?xml version="1.0" encoding="UTF-8"?>
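<!--
  Spring Security configuration: method-level and URL-level authorization,
  session handling, form login/logout, and a JDBC-backed user store.

  The namespace URIs below are identifiers and must match exactly what the Spring
  namespace handlers register (the http:// form). With https:// the security and
  beans namespaces, and xsi:schemaLocation itself, are not recognised. The XSD
  locations are resolved from the Spring jars via META-INF/spring.schemas; they
  are not meant to be fetched over the network.
-->
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                                 http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">

    <!-- Global method protection: role required to invoke methods matched by each pointcut. -->
    <!--
      NOTE(review): pointcuts are evaluated in declaration order and the first match is used.
      The broad ROLE_ADMIN pointcut therefore also covers the *list* methods, and the ROLE_USER
      pointcut below it is never reached. The order is left unchanged here because swapping it
      widens access; confirm the intended policy before moving the specific rule first.
    -->
    <global-method-security>
        <protect-pointcut access="ROLE_ADMIN" expression="execution(* com.security.action.*.*(..))"/>
        <protect-pointcut access="ROLE_USER" expression="execution(* com.security.action.*.*list*(..))"/>
    </global-method-security>

    <!-- HTTP request authorization. Rules are matched top to bottom; the first match wins. -->
    <http auto-config="true">
        <!--
          Anonymous access.
          NOTE(review): "/*" opens every single-segment path to anonymous users, not only the
          login page. Narrow it to the resources that must be public if that is not intended.
        -->
        <intercept-url pattern="/*" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
        <intercept-url pattern="/app/user*" access="ROLE_USER"/>
        <intercept-url pattern="/*/list*" access="ROLE_USER"/>
        <!-- Catch-all: anything not matched above requires ROLE_ADMIN. -->
        <intercept-url pattern="/**" access="ROLE_ADMIN"/>

        <!--
          Session management: limit each user to one concurrent session.
          session-fixation-protection was "none", which keeps the pre-login session id after
          authentication. "migrateSession" issues a new session id at login and copies the
          existing attributes across, so a session id planted before login stops being valid.
        -->
        <session-management session-fixation-protection="migrateSession">
            <!--
              error-if-maximum-exceeded="true" rejects a second login instead of expiring the
              first session.
              NOTE(review): this relies on HttpSessionEventPublisher being registered as a
              listener in web.xml (not visible here); without it, expired sessions are not
              released and the user stays locked out.
            -->
            <concurrency-control max-sessions="1" error-if-maximum-exceeded="true"/>
        </session-management>

        <!-- Custom login page and form parameters. -->
        <form-login login-page="/login.html"
                    authentication-failure-url="/login.html?error=true"
                    login-processing-url="/user/login"
                    username-parameter="username"
                    password-parameter="password"/>

        <!-- Logout: invalidate the session and return to the login page. -->
        <logout invalidate-session="true" logout-url="/logout" logout-success-url="/login.html"/>
    </http>

    <!--
      Data source.
      NOTE(review): the credentials are hard-coded and the application connects as the MySQL
      root account. Move them to externalised configuration kept out of version control and use
      a dedicated account limited to the privileges this schema needs.
      DriverManagerDataSource opens a new connection on every getConnection() call and does no
      pooling.
    -->
    <beans:bean id="dataSource" class="org.springframework.jdbc.datasource.DriverManagerDataSource">
        <beans:property name="driverClassName" value="com.mysql.jdbc.Driver"/>
        <beans:property name="url" value="jdbc:mysql:///privilege"/>
        <beans:property name="username" value="root"/>
        <beans:property name="password" value="admin"/>
    </beans:bean>

    <!-- Localised error messages, taken from the bundle shipped with Spring Security. -->
    <beans:bean id="messageSource"
                class="org.springframework.context.support.ReloadableResourceBundleMessageSource">
        <beans:property name="basename" value="classpath:org/springframework/security/messages"/>
    </beans:bean>

    <!-- UserDetailsService implementation that loads users and authorities from the database. -->
    <beans:bean id="userDetailsService" class="org.springframework.security.core.userdetails.jdbc.JdbcDaoImpl">
        <!-- Disable the per-user authorities query. -->
        <beans:property name="enableAuthorities" value="false"/>
        <!-- Enable group-based authorities. -->
        <beans:property name="enableGroups" value="true"/>
        <!-- Data source used for the lookups. -->
        <beans:property name="dataSource" ref="dataSource"/>
    </beans:bean>

    <!-- Authentication manager. -->
    <authentication-manager>
        <authentication-provider user-service-ref="userDetailsService">
            <!--
              Passwords are compared as MD5 digests.
              NOTE(review): this is an unsalted, fast hash, so a leaked user table is cheap to
              crack offline. Plan a migration to a salted, adaptive hash (for example bcrypt)
              with re-hashing on the next successful login. Changing the encoder without
              migrating the stored hashes would lock every existing user out, so it is left
              unchanged here.
            -->
            <password-encoder hash="md5"/>
            <!--
              Alternative kept for reference: load users and authorities with custom queries.
              It needs the data source. Required columns for custom tables:
                users table:       username, password, enabled
                authorities table: username, authority

              <jdbc-user-service data-source-ref="dataSource"
                  users-by-username-query=
                      "select
                           username,password,enabled
                       from
                           users
                       where
                           username = ?"
                  authorities-by-username-query=
                      "select
                           u.username,r.authority
                       from
                           users as u
                       inner
                           join
                           role as r
                       inner
                           join
                           user_role as ur
                       where
                           u.user_id = ur.user_id
                       and
                           r.role_id = ur.role_id
                       and
                           username = ?"
              />
            -->
        </authentication-provider>
    </authentication-manager>
</beans:beans>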
<?xml version="1.0" encoding="UTF-8"?>
<beans:be