web.xml配置如：

<filter><filter-name>springSecurityFilterChain</filter-name><filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class></filter><filter-mapping><filter-name>springSecurityFilterChain</filter-name><url-pattern>/*</url-pattern></filter-mapping>

通常在spring-security.xml的配置：

<!--设置匹配管理员用户url，登录页面和所拥的权限，以及引用adminAuthManager验证管理 --><http auto-config="true" pattern="/admin/**" use-expressions="true" authentication-manager-ref="adminAuthManager"><form-login login-processing-url="/admin/j_spring_security_check" login-page="/admin_login.html" authentication-failure-url="/common/login/usernameCheckFailed"  default-target-url="/admin/login/adminCheckSuccess"always-use-default-target="true"/><!-- <logout logout-url="/module/j_spring_security_logout" logout-success-url="/" /> --><!-- 自定义退出过滤器 --><custom-filter ref="userLogoutFilter" position="LOGOUT_FILTER" /><intercept-url pattern="/admin/department/**" access="hasRole('ROLE_ADMIN_DEPARTMENT')" /><intercept-url pattern="/admin/processdefinition/**" access="hasRole('ROLE_ADMIN_PROCESSDEFINITION')" /><intercept-url pattern="/admin/roleManage/**" access="hasRole('ROLE_ADMIN_ROLEMANAGE')" /><intercept-url pattern="/admin/moduleManage/**" access="hasRole('ROLE_ADMIN_MODULEMANAGE')" /><intercept-url pattern="/admin/parentModuleManage/**" access="hasRole('ROLE_ADMIN_PARENTMODULEMANAGE')" /><intercept-url pattern="/admin/manageUserAccount/**" access="hasRole('ROLE_ADMIN_MANAGEUSERACCOUNT')" /><intercept-url pattern="/admin/**" access="hasRole('ROLE_ADMIN')" /></http><!-- 不需要进行认证的资源，3.0之后才改为这样配置 --><!-- <http security="none" pattern="/**/index" /> --><http security="none" pattern="/**/*login.html" /><http security="none" pattern="/**/*.jpg" /><http security="none" pattern="/**/*.png" /><http security="none" pattern="/**/*.gif" /><http security="none" pattern="/**/*.css" /><http security="none" pattern="/**/*.js" /><http security="none" pattern="/*.ico" /><http security="none" pattern="/*.jpg" /><!--后台管理用户验证管理bean --><authentication-manager id="adminAuthManager"><authentication-provider user-service-ref="adminDetailService"><password-encoder hash="md5"></password-encoder></authentication-provider></authentication-manager><!-- 普通用户退出的过滤器配置 --><beans:bean id="userLogoutFilter" class="com.bluedon.cb.util.filter.UserLogoutFilter"><!-- 处理退出的虚拟url --><beans:property name="filterProcessesUrl" value="/module/logout" /><!-- 退出处理成功后的默认显示url --><beans:constructor-arg index="0" value="/" /><beans:constructor-arg index="1"><!-- 退出成功后的handler列表 --><beans:array><!-- 加入了开发人员自定义的退出成功处理 --><beans:bean id="userLogoutSuccessHandler" class="com.bluedon.cb.util.filter.UserLogoutHandler" /></beans:array></beans:constructor-arg></beans:bean>

说明：

lowercase-comparisons：表示URL比较前先转为小写。 
  path-type：表示使用Apache Ant的匹配模式。 
  access-denied-page：访问拒绝时转向的页面。 
  access-decision-manager-ref：指定了自定义的访问策略管理器。当系统角色名的前缀不是默认的ROLE_时，需要自定义访问策略管理器。 
  login-page：指定登录页面。 
  login-processing-url：指定了客户在登录页面中按下 Sign In 按钮时要访问的 URL。与登录页面form的action一致。其默认值为：/j_spring_security_check。 
  authentication-failure-url：指定了身份验证失败时跳转到的页面。 
  default-target-url：指定了成功进行身份验证和授权后默认呈现给用户的页面。 
  always-use-default-target：指定了是否在身份验证通过后总是跳转到default-target-url属性指定的URL。 
  logout-url：指定了用于响应退出系统请求的URL。其默认值为：/j_spring_security_logout。 
  logout-success-url：退出系统后转向的URL。 
  invalidate-session：指定在退出系统时是否要销毁Session。 
  max-sessions:允许用户帐号登录的次数。范例限制用户只能登录一次。 
  exception-if-maximum-exceeded: 默认为false，此值表示：用户第二次登录时，前一次的登录信息都被清空。 
  当exception-if-maximum-exceeded="true"时系统会拒绝第二次登录。

下面是security，用户退出的session处理（可以不写）:

package com.bluedon.cb.util.filter;import org.springframework.security.web.authentication.logout.LogoutFilter;
import org.springframework.security.web.authentication.logout.LogoutHandler;
import org.springframework.security.web.authentication.logout.LogoutSuccessHandler;/*** * * Description:退出过滤器* * Time:2016年3月2日下午5:38:04* @version 1.0* @since 1.0*/
public class UserLogoutFilter extends LogoutFilter{public UserLogoutFilter(String logoutSuccessUrl, LogoutHandler[] handlers) {super(logoutSuccessUrl, handlers);}public UserLogoutFilter(LogoutSuccessHandler logoutSuccessHandler,LogoutHandler[] handlers) {super(logoutSuccessHandler, handlers);}}

package com.bluedon.cb.util.filter;import java.util.Date;import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.BeansException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.logout.LogoutHandler;import com.bluedon.cb.common.entity.LoginLog;
import com.bluedon.cb.common.service.CommonLogService;
import com.bluedon.cb.util.SpringContextUtil;
import com.bluedon.cb.util.constants.Constants;/*** * * Description:退出成功处理器* * Time:2016年3月2日下午5:38:29* @version 1.0* @since 1.0*/
public class UserLogoutHandler implements LogoutHandler {private Logger log = LoggerFactory.getLogger(UserLogoutHandler.class);public UserLogoutHandler() {}@Overridepublic void logout(HttpServletRequest req, HttpServletResponse arg1, Authentication arg2) {// TODO Auto-generated method stub//modify by qinguidong 添加try catch 为了防止session超时，而取到的loginLog为空，报错。不能返回到登录页面try {HttpSession session = req.getSession();LoginLog loginLog =  (LoginLog)session.getAttribute(Constants.LOGIN_LOG);CommonLogService commonLogService = (CommonLogService)SpringContextUtil.getBean("commonLogServiceImpl");loginLog.setLoloLogoutDate(new Date());//退出时间//清除sessionif (session != null) {  session.invalidate();  }  SecurityContextHolder.clearContext();  //入库int count = commonLogService.updateLoginLog(loginLog);if(count != Constants.SUCCESS){log.error("记录登录日志失败了："+loginLog.getLoloUsroName());}} catch (BeansException e) {// TODO Auto-generated catch blocke.printStackTrace();}}}