Spring Security Authorization: AccessDecisionManager
The previous blog post contained this configuration:
XML code
<http auto-config="false" disable-url-rewriting="true" use-expressions="true" entry-point-ref="Dtauth"
      create-session="never">
    <!-- <session-management session-authentication-strategy-ref="dtsession"/> -->
    <intercept-url pattern="/unread/get" access="isAuthenticated()"/>
    <intercept-url pattern="/authtest.xhtm" access="hasRole('working')"/>
    <intercept-url pattern="/authtest1.xhtm" access="hasRole('trac')"/>
    <intercept-url pattern="/cmmt/uc" access="isAuthenticated()"/>
    <intercept-url pattern="/favicon.ico" access="denyAll"/>
    <intercept-url pattern="/**" access="permitAll"/>
    <custom-filter position="PRE_AUTH_FILTER" ref="dtsessionmgr"/>
</http>
Here pattern is the URL pattern and access is the permission required for that URL, but where exactly is an expression such as isAuthenticated() evaluated? Spring provides an authorization mechanism for this, defined by the org.springframework.security.access.AccessDecisionManager interface.
The interface defines this method:
Java code
void decide(Authentication authentication, Object object, Collection<ConfigAttribute> configAttributes)
        throws AccessDeniedException, InsufficientAuthenticationException;
Mapped to the configuration above: object is the URL and configAttributes is the access value. The commonly used implementation class is AffirmativeBased.
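The decide() contract described above, as an added example that is not from the original post: an AffirmativeBased manager is called directly and either returns normally (granted) or throws AccessDeniedException (denied). It assumes a spring-security-core release that still ships the org.springframework.security.access.vote package on the classpath; the class name DecideDemo, the user "alice" and the ROLE_-prefixed attributes are constructed for illustration, and RoleVoter stands in for the expression voter that use-expressions="true" installs so that the code runs without a servlet request.

```java
import java.util.Arrays;
import java.util.Collection;
import java.util.List;

import org.springframework.security.access.AccessDecisionManager;
import org.springframework.security.access.AccessDecisionVoter;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.SecurityConfig;
import org.springframework.security.access.vote.AffirmativeBased;
import org.springframework.security.access.vote.RoleVoter;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;

public class DecideDemo {

    public static void main(String[] args) {
        // AffirmativeBased grants access as soon as one voter returns ACCESS_GRANTED.
        List<AccessDecisionVoter<?>> voters =
                Arrays.<AccessDecisionVoter<?>>asList(new RoleVoter());
        AccessDecisionManager manager = new AffirmativeBased(voters);

        // Constructed, already-authenticated user that holds only ROLE_trac.
        Authentication alice = new UsernamePasswordAuthenticationToken(
                "alice", "n/a", AuthorityUtils.createAuthorityList("ROLE_trac"));

        check(manager, alice, "/authtest1.xhtm", "ROLE_trac");   // role held
        check(manager, alice, "/authtest.xhtm", "ROLE_working"); // role missing
    }

    // Returns true when decide() completes, false when it rejects the request.
    static boolean check(AccessDecisionManager manager, Authentication auth,
                         String url, String attribute) {
        // In the filter chain the secured object is a FilterInvocation wrapping
        // the request; a plain String stands in for it here (assumption).
        Collection<ConfigAttribute> attributes = SecurityConfig.createList(attribute);
        try {
            manager.decide(auth, url, attributes); // no return value: silence means granted
            System.out.println(url + " -> granted");
            return true;
        } catch (AccessDeniedException e) {
            System.out.println(url + " -> denied: " + e.getMessage());
            return false;
        }
    }
}
```

Because decide() signals denial only by throwing, a custom AccessDecisionManager that catches and swallows the exception, or returns early on an unexpected attribute, silently grants access.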