Spring Security: the merits as I see them (a)
I have read posts related to Spring Security and the Spring Security reference documentation. Here I write down my understanding of Spring Security and share it.
The purpose of this paper is to look at Spring Security from the perspective of the functions it can provide and its basic principles, not to go in depth into how to code against it. From there we can, in turn, review which access controls our software system needs, and then review the applicability of Spring Security.
This paper tries to keep the text simple and the concepts simple.
How Spring Security controls permissions
Summary
Spring Security uses a Filter Chain to determine permissions, as shown below:
Spring predefines many out-of-the-box Filters that developers can use directly.
Normally each Filter (some of them are abstract) corresponds to an element in the configuration file (in some cases, to an attribute).
For example, AUTHENTICATION_PROCESSING_FILTER corresponds to the http/form-login element in the configuration file.
If Spring's Filters cannot meet the system's permission requirements, developers can write a custom Filter and place it at a position in the Filter Chain. The custom Filter can replace one of the original Filters in the chain, or be placed before or after one.
In short, Spring Security uses the Filter Chain model to determine access; Spring provides a number of Filters and also supports developer-defined custom Filters.
Integration with the web system
Using the Java EE Filter mechanism (not a Spring Filter), the URLs that need a permission check are "pulled" into the Spring Filter Chain.
Normally, all URLs are brought into the Filter Chain. Of course, you can also configure in web.xml which URLs need a permission check (the filter-mapping/url-pattern configuration). The Spring configuration file also supports filtering out URLs that do not need a permission check (the http/intercept-url element).
What is controlled
Spring Security provides the following controls:
1. URL;
2. bean method;
3. HTTP session.
URL: URLs can be divided into those that require a permission check, those that do not, and the login form URL. From my reading of Spring-related posts and the reference documentation, for URLs that require a permission check, the check is limited to a role check, that is, determining whether the current user has the specified role.
Bean method: Spring supports permission checks on Service-layer methods. From my reading of Spring-related posts and the reference documentation, this too is limited to a role check. There are two ways to configure it:
1. Written in the Java source code, for example: @Secured("ROLE_TELLER") (only users with the TELLER role can access this method; otherwise an exception is thrown);
2. Written in the configuration file, for example: (for all of the bean's set methods, only users with the ADMIN role can access them; otherwise an exception is thrown).
HTTP session: controls whether the same user name may log in repeatedly and the number of repeated logins, not the number of password retries.
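The web integration, URL control and session control described above, as an added configuration example that is not from the original post. It assumes the Spring Security 2.0 XML namespace, which is where the AUTHENTICATION_PROCESSING_FILTER alias comes from; the paths /static/**, /login.jsp and /admin/** are made up for illustration.

```xml
<!-- web.xml (fragment): the Java EE Filter that hands requests to the Spring Filter Chain -->
<filter>
  <filter-name>springSecurityFilterChain</filter-name>
  <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
  <filter-name>springSecurityFilterChain</filter-name>
  <!-- Map every URL. A narrower pattern leaves every unmatched URL with no security Filters at all. -->
  <url-pattern>/*</url-pattern>
</filter-mapping>
<!-- Needed so that concurrent session control learns when a session ends -->
<listener>
  <listener-class>org.springframework.security.ui.session.HttpSessionEventPublisher</listener-class>
</listener>

<!-- Spring Security configuration (fragment), security namespace as the default namespace.
     All paths below are assumptions for this example. -->
<http>
  <!-- URLs without a permission check: these bypass the Filter Chain entirely,
       so keep the patterns as narrow as possible -->
  <intercept-url pattern="/static/**" filters="none"/>
  <!-- Login form URL: must be reachable before authentication -->
  <intercept-url pattern="/login.jsp*" filters="none"/>
  <!-- URLs with a permission check (a role check). Patterns are tried in order and
       the first match wins, so specific patterns go before the catch-all. -->
  <intercept-url pattern="/admin/**" access="ROLE_ADMIN"/>
  <intercept-url pattern="/**" access="ROLE_USER"/>
  <!-- form-login element: adds the Filter known as AUTHENTICATION_PROCESSING_FILTER -->
  <form-login login-page="/login.jsp"/>
  <!-- HTTP session control: one session per user name; a second login is rejected -->
  <concurrent-session-control max-sessions="1" exception-if-maximum-exceeded="true"/>
</http>

<!-- Bean method control: enables @Secured("ROLE_...") checks on Service-layer methods -->
<global-method-security secured-annotations="enabled"/>
```

When reviewing such a configuration, check the order of the intercept-url elements and every filters="none" pattern first, since those two decide which URLs end up without a role check.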
In addition, Spring Security provides the following features:
1. remember-me;
2. form-login login control;
3. multiple authentication functions;
4. user password encryption and "salt" function;
5. HTTP protocol control;
6. access port control;
7. Pre-Invocation