<http auto-config="false" disable-url-rewriting="true" use-expressions="true"
      entry-point-ref="dtAuth" create-session="never">
    <!-- <session-management session-authentication-strategy-ref="dtsession"/> -->
    <intercept-url pattern="/unread/get" access="isAuthenticated()"/>
    <intercept-url pattern="/authtest.xhtm" access="hasRole('working')"/>
    <intercept-url pattern="/authtest1.xhtm" access="hasRole('trac')"/>
    <intercept-url pattern="/cmmt/uc" access="isAuthenticated()"/>
    <intercept-url pattern="/favicon.ico" access="denyAll"/>
    <intercept-url pattern="/**" access="permitAll"/>
    <custom-filter position="PRE_AUTH_FILTER" ref="dtSessionMgr"/>
</http>
pattern is the URL and access is the permission required for that URL, but where exactly is this isAuthenticated() evaluated? It turns out that Spring provides an authorization mechanism, implemented through the org.springframework.security.access.AccessDecisionManager interface.
This interface defines the following method:
void decide(Authentication authentication, Object object, Collection<ConfigAttribute> configAttributes) throws AccessDeniedException, InsufficientAuthenticationException;
Mapped onto the configuration above: object is the URL, and configAttributes holds an access value. The commonly used implementation class is AffirmativeBased.
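To make the decide() contract concrete, here is an added example of a custom AccessDecisionManager that interprets the access strings from the configuration above with a deny-by-default policy. This is illustrative code written for this page, not Spring's own implementation: in the real configuration (use-expressions="true") these strings are SpEL expressions evaluated by WebExpressionVoter inside AffirmativeBased, and the class name DenyByDefaultDecisionManager and the assumption that each ConfigAttribute exposes its rule through getAttribute() are this example's own.

```java
import java.util.Collection;

import org.springframework.security.access.AccessDecisionManager;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.authentication.AuthenticationTrustResolver;
import org.springframework.security.authentication.AuthenticationTrustResolverImpl;
import org.springframework.security.authentication.InsufficientAuthenticationException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;

/**
 * Illustrative AccessDecisionManager (added example, not Spring's own code).
 * It reads the access strings from <intercept-url> literally; Spring's real
 * setup evaluates them as SpEL via WebExpressionVoter inside AffirmativeBased.
 * Assumption: every ConfigAttribute returns its rule from getAttribute().
 */
public class DenyByDefaultDecisionManager implements AccessDecisionManager {

    // Anonymous tokens report isAuthenticated() == true, so a trust resolver is
    // needed to treat them as "not logged in" for isAuthenticated()/hasRole().
    private final AuthenticationTrustResolver trustResolver = new AuthenticationTrustResolverImpl();

    @Override
    public void decide(Authentication authentication, Object object,
                       Collection<ConfigAttribute> configAttributes)
            throws AccessDeniedException, InsufficientAuthenticationException {
        // A URL with no matching rule grants nothing: deny instead of falling through.
        if (configAttributes == null || configAttributes.isEmpty()) {
            throw new AccessDeniedException("No access rule matched " + object);
        }
        for (ConfigAttribute attr : configAttributes) {
            String access = attr.getAttribute();
            if (access == null) {
                continue;
            }
            if (access.equals("permitAll")) {
                return; // granted to everyone, including anonymous
            }
            if (access.equals("denyAll")) {
                break;  // nothing can satisfy this rule; deny below
            }
            if (access.equals("isAuthenticated()")) {
                requireAuthenticated(authentication, object);
                return;
            }
            if (access.startsWith("hasRole('") && access.endsWith("')")) {
                requireAuthenticated(authentication, object);
                // hasRole('working') is compared against ROLE_working, Spring's default prefix
                String role = "ROLE_" + access.substring(9, access.length() - 2);
                for (GrantedAuthority ga : authentication.getAuthorities()) {
                    if (role.equals(ga.getAuthority())) {
                        return;
                    }
                }
            }
        }
        throw new AccessDeniedException("Access denied to " + object);
    }

    private void requireAuthenticated(Authentication authentication, Object object) {
        if (authentication == null || !authentication.isAuthenticated()
                || trustResolver.isAnonymous(authentication)) {
            // A distinct exception type: ExceptionTranslationFilter turns it into a
            // challenge via the configured entry point instead of a plain 403.
            throw new InsufficientAuthenticationException("Authentication required for " + object);
        }
    }

    @Override
    public boolean supports(ConfigAttribute attribute) {
        return attribute.getAttribute() != null;
    }

    @Override
    public boolean supports(Class<?> clazz) {
        return true;
    }
}
```

Two points from the configuration carry over into the example: intercept-url rules are matched in order and the first match wins, which is why the denyAll rule for /favicon.ico must precede the catch-all /** permitAll, and decide() must distinguish "not logged in" (InsufficientAuthenticationException, which triggers the entry point dtAuth) from "logged in but not permitted" (AccessDeniedException), since the two lead to different responses.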