用户发出订单修改页面的请求,Access Decision Manager进行拦截,然后对比用户的授权和次页面需要的授权是不是有重合的部分,如果有重合的部分,那面页面就授权成功,如果失败就通知用户。

We can see that a component called the access decision manager is responsible for determining whether a principal has the appropriate level of access, based on the match between the authority possessed by the principal and the authority requested by the resource.

Adding the Spring DelegatingFilterProxy to your web.xml file

The o.s.web.filter.DelegatingFilterProxy is a servlet filter that allows Spring Security to wrap all application requests and ensure that they are appropriately secured.

Comprehending the overall flow of web requests and how they move through the chain of responsibility is crucial to our success with advanced topics in Spring Security. Keep in mind the basic concepts of authentication and authorization as they fit into the overall architecture of our protected system.

How requests are processed?

The Spring Security architecture relies heavily on the use of delegates and servlet filters to provide layers of functionality around the context of a web application request.

Servlet Filters (classes that implement the javax.servlet.Filter interface) are used to intercept user requests and perform pre-or post-processing, or redirect the request altogether, depending on the function of the servlet filter. The final destination servlet is the Spring MVC dispatcher servlet, in the case of the JBCP Pets online store, but in theory, it could represent any web servlet. The following

diagram illustrates how a servlet filter wraps a user's web request:

The automatic configuration attribute in the Spring Security XML configuration file sets up a series of ten servlet filters, which are applied in a sequence through the use of a Java EE servlet filter chain. The filter chain is a Java EE Servlet API concept specified by the javax.servlet.FilterChain interface that allows a web application to direct that a chain of servlet filters should apply to any given request.

Similar to a physical chain made from metal links, each servlet filter represents a link in the chain of method calls used to process the user's request. Requests travel along the chain, being processed by each filter in turn.

The automatic configuration option sets up 10 Spring Security filters for you. Understanding what these default filters do, and where and how they are configured, is critical to advanced work with Spring Security.

These filters, and the order in which they are applied, are described in the following table. Most of these filters will be described again as we proceed through our work on the JBCP Pets online store, so don't worry if you don't understand exactly what they do now.



You may wonder how the DelegatingFilterProxy is able to locate the filter chain that's configured by Spring Security. Recall that we needed to give the DelegatingFilterProxy a filter name in the web.xml file:

springSecurityFilterChain 
    
        org.springframework.web.filter.DelegatingFilterProxy

The name of this filter is no coincidence, and in fact is expected for Spring Security to wire itself to the DelegatingFilterProxy appropriately. Unless explicitly configured, the DelegatingFilterProxy will look for a configured bean in the Spring WebApplicationContext of the same name (as specified in the filter-name element). More detail on the configurability of the DelegatingFilterProxy is available in the Javadoc for the class.

spring security原理图及其解释的更多相关文章

  1. Spring Security笔记:Hello World

    本文演示了Spring Security的最最基本用法,二个页面(或理解成二个url),一个需要登录认证后才能访问(比如:../admin/),一个可匿名访问(比如:../welcome) 注:以下内 ...

  2. Spring Security笔记:登录尝试次数限制

    今天在前面一节的基础之上,再增加一点新内容,默认情况下Spring Security不会对登录错误的尝试次数做限制,也就是说允许暴力尝试,这显然不够安全,下面的内容将带着大家一起学习如何限制登录尝试次 ...

  3. Spring Security笔记:自定义登录页

    以下内容参考了 http://www.mkyong.com/spring-security/spring-security-form-login-example/ 接上回,在前面的Hello Worl ...

  4. 【JavaEE】SSH+Spring Security自定义Security的部分处理策略

    本文建立在 SSH与Spring Security整合 一文的基础上,从这篇文章的example上做修改,或者从 配置了AOP 的example上做修改皆可.这里主要补充我在实际使用Spring Se ...

  5. spring security之httpSecurity使用示例

    如果在HttpSecurity中配置需要authenticate(),则如果没有登陆,或没有相关权限,则会无法访问 2017-01-02 23:39:32.027 DEBUG 10396 --- [n ...

  6. SpringMVC 3.1集成Spring Security 3.1

    这篇算是一个入门文章,昨天看见有网友提问,spring mvc集成spring security 的时候出错,揣测了一下问题木有解决.我就帮忙给搭建了一个集成框架他说可以,他告诉我这样的文章网上少.今 ...

  7. Spring security oauth2最简单入门环境搭建

    关于OAuth2的一些简介,见我的上篇blog:http://wwwcomy.iteye.com/blog/2229889 PS:貌似内容太水直接被鹳狸猿干沉.. 友情提示 学习曲线:spring+s ...

  8. Spring Security(14)——权限鉴定基础

    目录 1.1     Spring Security的AOP Advice思想 1.2     AbstractSecurityInterceptor 1.2.1    ConfigAttribute ...

  9. spring security 3 自定义认证,授权示例

    1,建一个web project,并导入所有需要的lib. 2,配置web.xml,使用Spring的机制装载: <?xml version="1.0" encoding=& ...

随机推荐

  1. 漫谈使用Kafka作为MQ中间件

    哪些场景适合使用Kafka线上系统会实时产生数以万计的日志信息,服务器运行状态,用户行为记录,业务消息 等信息,这些信息需要用于多个不同的目的,比如审计.安全.数据挖掘等,因此需要以分类的方式将这些信 ...

  2. 介绍几款移动的WebAPP框架

    如果是 Angular 那就选 Ionic (一对好 CP)如果是 Vue 那就选 Vux (基于 WeUI)如果是 jQuery 那就选 Framework7 (iOS 和 Android 双皮肤) ...

  3. python爬虫基础06-常见加密算法

    Python与常见加密方式 前言 数据加密与解密通常是为了保证数据在传输过程中的安全性,自古以来就一直存在,古代主要应用在战争领域,战争中会有很多情报信息要传递,这些重要的信息都会经过加密,在发送到对 ...

  4. 使用POI循环写入数据时发现只有最后一列有数据

    直接说重点: 一般出现在多重(一般是两重)循环,再多几重效率就很低了. 检查调用createRow() 是否在外层循环调用的,如果是在内层循环调用就会出现这个问题,因为程序会不停的重新创建行,直至最后 ...

  5. Linux服务器硬件设备信息查看

    一.cpu信息 cpu信息存储在/proc文件系统的cpuinfo(/proc/cpuinfo)文件里,可以直接查看这个文件以获得cpu信息,所列字段解释如下: processor : 核心编号,如: ...

  6. poj--2139

    Description The cows have been making movies lately, so they are ready to play a variant of the famo ...

  7. PAT Basic 1028

    1028 人口普查 某城镇进行人口普查,得到了全体居民的生日.现请你写个程序,找出镇上最年长和最年轻的人. 这里确保每个输入的日期都是合法的,但不一定是合理的——假设已知镇上没有超过200岁的老人,而 ...

  8. [WPF自定义控件库]使用WindowChrome的问题

    1. 前言 上一篇文章介绍了使用WindowChrome自定义Window,实际使用下来总有各种各样的问题,这些问题大部分都不影响使用,可能正是因为不影响使用所以一直没得到修复(也有可能别人根本不觉得 ...

  9. 00036_private

    1.私有private 描述人.Person: 属性:年龄: 行为:说话:说出自己的年龄. class Person { int age; String name; public void show( ...

  10. Wp检查手机网络状态

    /// <summary> /// 检查网络状态 /// </summary> private void CheckNetworkState() { if (DeviceNet ...