用户发出订单修改页面的请求,Access Decision Manager进行拦截,然后对比用户的授权和次页面需要的授权是不是有重合的部分,如果有重合的部分,那面页面就授权成功,如果失败就通知用户。
We can see that a component called the access decision manager is responsible for determining whether a principal has the appropriate level of access, based on the match between the authority possessed by the principal and the authority requested by the resource.
Adding the Spring DelegatingFilterProxy to your web.xml file
The o.s.web.filter.DelegatingFilterProxy is a servlet filter that allows Spring Security to wrap all application requests and ensure that they are appropriately secured.
Comprehending the overall flow of web requests and how they move through the chain of responsibility is crucial to our success with advanced topics in Spring Security. Keep in mind the basic concepts of authentication and authorization as they fit into the overall architecture of our protected system.
How requests are processed?
The Spring Security architecture relies heavily on the use of delegates and servlet filters to provide layers of functionality around the context of a web application request.
Servlet Filters (classes that implement the javax.servlet.Filter interface) are used to intercept user requests and perform pre-or post-processing, or redirect the request altogether, depending on the function of the servlet filter. The final destination servlet is the Spring MVC dispatcher servlet, in the case of the JBCP Pets online store, but in theory, it could represent any web servlet. The following
diagram illustrates how a servlet filter wraps a user's web request:
The automatic configuration attribute in the Spring Security XML configuration file sets up a series of ten servlet filters, which are applied in a sequence through the use of a Java EE servlet filter chain. The filter chain is a Java EE Servlet API concept specified by the javax.servlet.FilterChain interface that allows a web application to direct that a chain of servlet filters should apply to any given request.
Similar to a physical chain made from metal links, each servlet filter represents a link in the chain of method calls used to process the user's request. Requests travel along the chain, being processed by each filter in turn.
The automatic configuration option sets up 10 Spring Security filters for you. Understanding what these default filters do, and where and how they are configured, is critical to advanced work with Spring Security.
These filters, and the order in which they are applied, are described in the following table. Most of these filters will be described again as we proceed through our work on the JBCP Pets online store, so don't worry if you don't understand exactly what they do now.
You may wonder how the DelegatingFilterProxy is able to locate the filter chain that's configured by Spring Security. Recall that we needed to give the DelegatingFilterProxy a filter name in the web.xml file:
springSecurityFilterChain
org.springframework.web.filter.DelegatingFilterProxy
The name of this filter is no coincidence, and in fact is expected for Spring Security to wire itself to the DelegatingFilterProxy appropriately. Unless explicitly configured, the DelegatingFilterProxy will look for a configured bean in the Spring WebApplicationContext of the same name (as specified in the filter-name element). More detail on the configurability of the DelegatingFilterProxy is available in the Javadoc for the class.