用户发出订单修改页面的请求,Access Decision Manager进行拦截,然后对比用户的授权和次页面需要的授权是不是有重合的部分,如果有重合的部分,那面页面就授权成功,如果失败就通知用户。

We can see that a component called the access decision manager is responsible for determining whether a principal has the appropriate level of access, based on the match between the authority possessed by the principal and the authority requested by the resource.

Adding the Spring DelegatingFilterProxy to your web.xml file

The o.s.web.filter.DelegatingFilterProxy is a servlet filter that allows Spring Security to wrap all application requests and ensure that they are appropriately secured.

Comprehending the overall flow of web requests and how they move through the chain of responsibility is crucial to our success with advanced topics in Spring Security. Keep in mind the basic concepts of authentication and authorization as they fit into the overall architecture of our protected system.

How requests are processed?

The Spring Security architecture relies heavily on the use of delegates and servlet filters to provide layers of functionality around the context of a web application request.

Servlet Filters (classes that implement the javax.servlet.Filter interface) are used to intercept user requests and perform pre-or post-processing, or redirect the request altogether, depending on the function of the servlet filter. The final destination servlet is the Spring MVC dispatcher servlet, in the case of the JBCP Pets online store, but in theory, it could represent any web servlet. The following

diagram illustrates how a servlet filter wraps a user's web request:

The automatic configuration attribute in the Spring Security XML configuration file sets up a series of ten servlet filters, which are applied in a sequence through the use of a Java EE servlet filter chain. The filter chain is a Java EE Servlet API concept specified by the javax.servlet.FilterChain interface that allows a web application to direct that a chain of servlet filters should apply to any given request.

Similar to a physical chain made from metal links, each servlet filter represents a link in the chain of method calls used to process the user's request. Requests travel along the chain, being processed by each filter in turn.

The automatic configuration option sets up 10 Spring Security filters for you. Understanding what these default filters do, and where and how they are configured, is critical to advanced work with Spring Security.

These filters, and the order in which they are applied, are described in the following table. Most of these filters will be described again as we proceed through our work on the JBCP Pets online store, so don't worry if you don't understand exactly what they do now.



You may wonder how the DelegatingFilterProxy is able to locate the filter chain that's configured by Spring Security. Recall that we needed to give the DelegatingFilterProxy a filter name in the web.xml file:

springSecurityFilterChain 
    
        org.springframework.web.filter.DelegatingFilterProxy

The name of this filter is no coincidence, and in fact is expected for Spring Security to wire itself to the DelegatingFilterProxy appropriately. Unless explicitly configured, the DelegatingFilterProxy will look for a configured bean in the Spring WebApplicationContext of the same name (as specified in the filter-name element). More detail on the configurability of the DelegatingFilterProxy is available in the Javadoc for the class.

spring security原理图及其解释的更多相关文章

  1. Spring Security笔记:Hello World

    本文演示了Spring Security的最最基本用法,二个页面(或理解成二个url),一个需要登录认证后才能访问(比如:../admin/),一个可匿名访问(比如:../welcome) 注:以下内 ...

  2. Spring Security笔记:登录尝试次数限制

    今天在前面一节的基础之上,再增加一点新内容,默认情况下Spring Security不会对登录错误的尝试次数做限制,也就是说允许暴力尝试,这显然不够安全,下面的内容将带着大家一起学习如何限制登录尝试次 ...

  3. Spring Security笔记:自定义登录页

    以下内容参考了 http://www.mkyong.com/spring-security/spring-security-form-login-example/ 接上回,在前面的Hello Worl ...

  4. 【JavaEE】SSH+Spring Security自定义Security的部分处理策略

    本文建立在 SSH与Spring Security整合 一文的基础上,从这篇文章的example上做修改,或者从 配置了AOP 的example上做修改皆可.这里主要补充我在实际使用Spring Se ...

  5. spring security之httpSecurity使用示例

    如果在HttpSecurity中配置需要authenticate(),则如果没有登陆,或没有相关权限,则会无法访问 2017-01-02 23:39:32.027 DEBUG 10396 --- [n ...

  6. SpringMVC 3.1集成Spring Security 3.1

    这篇算是一个入门文章,昨天看见有网友提问,spring mvc集成spring security 的时候出错,揣测了一下问题木有解决.我就帮忙给搭建了一个集成框架他说可以,他告诉我这样的文章网上少.今 ...

  7. Spring security oauth2最简单入门环境搭建

    关于OAuth2的一些简介,见我的上篇blog:http://wwwcomy.iteye.com/blog/2229889 PS:貌似内容太水直接被鹳狸猿干沉.. 友情提示 学习曲线:spring+s ...

  8. Spring Security(14)——权限鉴定基础

    目录 1.1     Spring Security的AOP Advice思想 1.2     AbstractSecurityInterceptor 1.2.1    ConfigAttribute ...

  9. spring security 3 自定义认证,授权示例

    1,建一个web project,并导入所有需要的lib. 2,配置web.xml,使用Spring的机制装载: <?xml version="1.0" encoding=& ...

随机推荐

  1. Shell中各种括号的作用

    一.小括号,圆括号() 1.单小括号 () ① 命令组.括号中的命令将会新开一个子shell顺序执行,所以括号中的变量不能够被脚本余下的部分使用.括号中多个命令之间用分号隔开,最后一个命令可以没有分号 ...

  2. 【http】【转发】HTTP访问控制(CORS)

    当一个资源从与该资源本身所在的服务器不同的域或端口请求一个资源时,资源会发起一个跨域 HTTP 请求.   比如,站点 http://domain-a.com 的某 HTML 页面通过 <img ...

  3. docker:安装redis

    文章来源:https://www.cnblogs.com/hello-tl/p/9239474.html 1.添加镜像 # docker pull redis:4.0 2.在/data下新建文件夹re ...

  4. Day07 数据类型(列表,元组,字典,集合)常用操作和内置方法

    数据类型 列表list: 用途:记录多个值(同种属性) 定义方式:[]用逗号分隔开多个任意类型的值 list()造出来的是列表,参数是可迭代对像,也就是可以使用for循环的对像 传入字典,出来的列表元 ...

  5. 自定义View画一条线

    #import "PublishContextView.h" @implementation PublishContextView -(void)drawRect:(CGRect) ...

  6. LeetCode(39) Combination Sum

    题目 Given a set of candidate numbers (C) and a target number (T), find all unique combinations in C w ...

  7. 项目-开发手机app

    一.  安装Hbuilder,和夜神安卓模拟器 注:夜神模拟器,如过windows中安装了hyper-v,需要卸载,不然会死机 二. Hbuilder简介 官网:http://www.dcloud.i ...

  8. UI测试点

    UI测试点 1.界面是否美观 2.元素大小 3.界面元素是否对齐方式统一 4.界面字体属性是否正确 5.界面链接及触发动作 6.元素内容是否显示正确.易懂.友好 7.所有输入框进行输入判断测试 8.所 ...

  9. php官方微信接口大全

    微信入口绑定,微信事件处理,微信API全部操作包含在这些文件中.内容有:微信摇一摇接口/微信多客服接口/微信支付接口/微信红包接口/微信卡券接口/微信小店接口/JSAPI <?php class ...

  10. Relay Race (DP)

    Furik and Rubik take part in a relay race. The race will be set up on a large square with the side o ...