Protecting the Web Layer with Spring Security

2015-12-31  318 reads  没事找抽

Static resources do not need to be checked by the security filters

```xml
<security:http pattern="/resources/**" security="none" />
```

HTTP security settings

Setting `auto-config="true"` configures the default filters.
`use-expressions="true"` enables the powerful SpEL expressions, for example `permitAll`, `hasRole('ROLE_USER')`, and so on.

```xml
<security:http auto-config="true" use-expressions="true">
    <!-- Port pair used when a request is redirected between HTTP and HTTPS -->
    <security:port-mappings>
        <security:port-mapping http="8080" https="8443"/>
    </security:port-mappings>

    <!-- The login page is open to everyone and must be served over HTTPS -->
    <security:intercept-url pattern="/login.jsp*" access="permitAll" requires-channel="https" />
    <security:form-login login-page="/login.jsp"
                         authentication-failure-url="/login.jsp?login_error=true"
                         default-target-url="/index.jsp" />

    <!-- Role-based rules; intercept-url rules are evaluated in the order listed -->
    <security:intercept-url pattern="/admin/**" access="hasRole('ROLE_ADMIN')" requires-channel="any" />
    <security:intercept-url pattern="/user/**" access="hasRole('ROLE_USER')" />

    <security:csrf />

    <!-- session-fixation-protection="none" keeps the same session id after login -->
    <security:session-management session-fixation-protection="none" invalid-session-url="/timeout.jsp">
        <!-- One session per user; a new login replaces the old session instead of failing -->
        <security:concurrency-control max-sessions="1" error-if-maximum-exceeded="false" />
    </security:session-management>

    <security:logout logout-success-url="/login.jsp" invalidate-session="true" />
    <security:remember-me services-ref="ipTokenBasedRememberMeServices" />
    <security:access-denied-handler ref="accessDeniedHandler"/>

    <!-- Allow framing by pages of the same origin only -->
    <security:headers>
        <security:frame-options policy="SAMEORIGIN" />
    </security:headers>
</security:http>
```
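The following is an added example, not part of the original post: a small audit of a configuration like the one above that reports the settings a reviewer would question (paths with `security="none"`, session-fixation protection turned off, no final `/**` rule, and restricted paths that do not require HTTPS). The finding names and the wrapping `<beans>` root in the constructed sample are assumptions of this example.

```python
import xml.etree.ElementTree as ET

NS = {"s": "http://www.springframework.org/schema/security"}

# Constructed sample: the page's settings (trimmed), wrapped in a root element
# that declares the security: prefix.
SAMPLE = """<beans xmlns:security="http://www.springframework.org/schema/security">
  <security:http pattern="/resources/**" security="none" />
  <security:http auto-config="true" use-expressions="true">
    <security:intercept-url pattern="/login.jsp*" access="permitAll" requires-channel="https" />
    <security:intercept-url pattern="/admin/**" access="hasRole('ROLE_ADMIN')" requires-channel="any" />
    <security:intercept-url pattern="/user/**" access="hasRole('ROLE_USER')" />
    <security:session-management session-fixation-protection="none" />
  </security:http>
</beans>"""


def audit(xml_text):
    """Return sorted finding codes (names are this example's own) for a config."""
    findings = set()
    root = ET.fromstring(xml_text)
    for http in root.iter("{%s}http" % NS["s"]):
        if http.get("security") == "none":
            # No filter chain runs here: no authentication, CSRF or headers.
            findings.add("UNFILTERED:" + http.get("pattern", "/**"))
            continue
        sm = http.find("s:session-management", NS)
        if sm is not None and sm.get("session-fixation-protection") == "none":
            # The session id survives login, so a pre-login id stays valid.
            findings.add("SESSION_FIXATION_PROTECTION_OFF")
        rules = http.findall("s:intercept-url", NS)
        # Rules match in order; a URL matching none gets no access check.
        if not rules or rules[-1].get("pattern") != "/**":
            findings.add("NO_CATCH_ALL_RULE")
        for rule in rules:
            restricted = rule.get("access") != "permitAll"
            if restricted and rule.get("requires-channel") != "https":
                findings.add("NO_HTTPS_REQUIRED:" + rule.get("pattern"))
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```
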
