Spring-securety和shiro的比較：
Spring-securety與springMVC結(jié)合使用起來方便，shiro可用與非springMVC框架。
Spring-securety比shiro功能強(qiáng)大。

<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-web</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-config</artifactId>
</dependency>

spring-security.xml

<http pattern="/.html" security="none"/>
<http pattern="/css/" security="none"/>
<http pattern="/img/" security="none"/>
<http pattern="/js/" security="none"/>
<http pattern="/plugins/*" security="none"/>
<http pattern="/seller/add.do" security="none"/>

<http use-expressions="false"> 
    <!-擁有 USER角色的可以任意訪問 -->         

<intercept-url pattern="/**" access="ROLE_SELLER"/>
<!-表單登錄信息 -->

<form-login login-page="/shoplogin.html" default-targeturl="/admin/index.html"
authentication-failure-url="/shoplogin.html" always-usedefault-target="true"/>

    <!-禁止跨站請求偽造校驗(yàn) -->         

<csrf disabled="true"/>

    <!-如果使用了 iframe等框架，希望跳轉(zhuǎn)也是在框架內(nèi)跳轉(zhuǎn)的話 --> 

<headers>
<frame-options policy="SAMEORIGIN"/>
</headers>

<logout/>
</http>
</beans:beans>

web.xml
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter
class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/</url-pattern>
</filter-mapping>
<listener>
<listener
class>org.springframework.web.context.ContextLoaderListener</listener
class>
</listener>
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>classpath:spring/spring-.xml</param-value>
</context-param>