Spring Security learns from the configuration primer. The source of all evil------------web.

This period of time, work idle down, contact with spring Security, for me a poor foundation of people, is undoubtedly a challenge ah.

After a period of groping, finally have a point, here, to special thanks to http://blog.csdn.net/u012367513/article/details/38866465 Two of the blog to my help. My code has been compiled on his basis, but has added some of his own insights. Thanks again for his help.

My foundation is very weak, but the two-headed blog post has been explained is very clear, but I still hope I can go through.

This article is suitable for readers: The Spring Foundation is weak, and like me, the configuration file is white people. Hope that the experts have left valuable comments.

Don't say much nonsense, open the code!

I hope that after reading this article we can solve the problem:

First of all, what does Spring Security do for you?

Again, how does Security work?

Finally, why should we use security.

--------------------------------------------------------------------------

I'll start by saying the security workflow in general:

Spring Security's support for Web security relies heavily on servlet filters. These filters intercept incoming requests and do some security processing before the application processes the request. Spring Security provides a number of filters that can intercept servlet requests and pass them on to authentication and Access Decision manager processing for enhanced security. Depending on your needs, you can use several of the filters listed in table 7.4 to protect your application. Http://baike.baidu.com/link?url=LhguUpz1g7MnakDzFDFRK9D7n6u6wFffzSbJ7Zkcq3QMDNy741SpXMVGAb4jfz_　　GAA5J0ORKYVKEGYOD2BIQSA for the concept, Baidu encyclopedia on the said very clear. Before we access a resource, it is intercepted by Authenticationprocessingfilter (which we will rewrite), and then it calls Securitymetadatasource to get the set of permissions for the resource being accessed. Then call Accessdecisionmanager to confirm that our user has permission to access this resource. ---------------------------have said so much, haven't seen the code yet. -------------------------------the access entry for each project is Web. XML, we'll look at his code:

<?XML version= "1.0" encoding= "UTF-8"?><Web-appXmlns:xsi= "Http://www.w3.org/2001/XMLSchema-instance"xmlns= "Http://java.sun.com/xml/ns/javaee"Xmlns:web= "Http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"xsi:schemalocation= "Http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"ID= "webapp_id"version= "2.5">  <Display-name>Springsecuritydemo</Display-name>  <welcome-file-list>    <Welcome-file>index.jsp</Welcome-file>  </welcome-file-list>    <!--Why do I need to configure this file to load the spring security XML configuration file?!! Because Baidu!  What is security? is to rely on a special filter (Delegatingfilterproxy, what does he do?!)      ), relying on him to delegate a bean in the spring context to complete the work.   And this bean, plainly speaking, is a filter.  -  <Context-param>        <Param-name>Contextconfiglocation</Param-name>        <Param-value>/web-inf/securityconfig.xml</Param-value>    </Context-param>          <!--Spring Container Monitoring, what is this Nima? Listener.      Oh, it's a listener.        Look at his source. public void Contextinitialized (Servletcontextevent event) {Contextloader = Createcontextloader ();        if (Contextloader = = null) Contextloader = this;    Contextloader.initwebapplicationcontext (Event.getservletcontext ()); Did you read it? Load the Securityconfig.xml file configured above -  <Listener>      <Listener-class>Org.springframework.web.context.ContextLoaderListener</Listener-class>  </Listener>    <!-- See, this is to see a special filter, let go of the shopkeeper, what he did, why should we configure him? Let's take a peek at his skin,//This is his DoFilter method public void DoFilter (ServletRequest request, servletresponse response, Filterch        Ain Filterchain) throws Servletexception, IOException {Filter delegatetouse = null; Synchronized (delegatemonitor) {if (_flddelegate = = null)//If the Bean is empty {WebApp  Licationcontext WAC = Findwebapplicationcontext (); Get me the config file if (WAC = = null)//shrimp?  The configuration file is empty?! Damn, throw an exception to Lao Zi!                    You give me the configuration of monitoring to eat?!                throw new IllegalStateException ("No webapplicationcontext found:no contextloaderlistener registered?");   _flddelegate = Initdelegate (WAC); What is it?            Guess all out, in the configuration file call Bean (emotional profile is the talent market, the shopkeeper's recruit of the staff.) } delegatetouse = _flddelegate; The recruit ran out, just you ... Poor, what about the three parties?  The salary?        You just graduated from the fucking school ....} Invokedelegate (Delegatetouse, request, response, Filterchain);  Why did you go after the handyman? Work! , do it for me!    Do!    }//This is initdeletegateProtected filter initdelegate (Webapplicationcontext WAC) throws servletexception {Filter delegate = (Fil        ter) Wac.getbean (Gettargetbeanname (), javax/servlet/filter);        if (Istargetfilterlifecycle ()) Delegate.init (Getfilterconfig ());    return delegate; }//This is invokedelegate protected void invokedelegate (Filter delegate, ServletRequest request, servletresponse response , Filterchain Filterchain) throws Servletexception, IOException {delegate.dofilter (Request, Response, FI    Lterchain); Hey  No, what if the handyman is going to rebel?     You don't do anything without a good boss? Yes, I'm just not doing anything? Lao Tzu is so capricious.       When I summon you, I give you the value of your existence (the Delegatingfilterproxy do is to act as a proxy filter to get beans from the application context. This allows the bean to obtain the life-cycle support of the Spring Web application context, making the configuration lighter.  You are contented! Alas...    Newcomers, who have not been the boss of the pit .... -      <Filter>        <Filter-name>Springsecurityfilterchain</Filter-name>        <Filter-class>Org.springframework.web.filter.DelegatingFilterProxy</Filter-class>    </Filter>    <filter-mapping>        <Filter-name>Springsecurityfilterchain</Filter-name>        <Url-pattern>/*</Url-pattern>    </filter-mapping></Web-app>

View Code 　　

Spring Security learns from the configuration primer. The source of all evil------------web.