Spring security is based on URL pattern, each URL pattern has an associated chain of interceptors that handles various aspect of security
Eg. <security:http pattern="/_ui/**" security="none" /> no security control
<security:http disable-url-rewriting="true" pattern="/checkout/**" use-expressions="true">
<security:anonymous username="anonymous" granted-authority="ROLE_ANONYMOUS" />
<security:access-denied-handler error-page="/login"/>
<security:session-management session-authentication-strategy-ref="fixation" />
.....
</security:http> requires security control
Security:anonymous :
Still assign a user name and role for urls that does not require security control. Managed by AnonymousAuthenticationFilter and AnonymousAuthenticationProvider. An AnonymousAuthenticationToken is added into SecurityContextHolder. An AnonymousAuthenticationFilter is associated with an AnonymousAuthenticationProvider by a key/value pair.
AuthenticationTrustResolver used by the auth exception handler to distinguish between anonymous user, remember me user and normal user. The exception handler redirects to authentication entry point for anonymous user. Also used by authentication voter
Security:access-denied-handler:
Return to an error page if access is denied, usually redirects to login page
Security:intercept-url
Performs security control based on role or allowed channel (http, https etc)
Security:session-management
SessionManagementFilter checks whether user has been authenticated by retrieving SecurityContextHolder from SecurityContextRepository. If a valid SecurityContextHolder exists, it invokes SessionAuthenticationStrategy. Otherwise, it invokes InvalidSessionStrategy, which usually just performs redirection (SimpleRedirectInvalidSessionStrategy)
Fixation protection: SessionFixationProtectionStrategy, create a new session and copy all attributes, this prevents session hijacking.
ConcurrentSessionControlAuthenticationStrategy: check number of sessions created by user, throw exception or invalidate existing session on exceed
Security:form-login
Login-processing-url: (default /j_spring_security_check) specifies the url pattern of the filter that handles authentication request. Handled by UsernamePasswordAuthenticationFilter and delegates to authenticationManager to perform actual authentication. See CoreAuthenticationProvider and CoreUserDetailService for basic authentication logic. See AcceleratorAuthenticationProvider which adds additional check on brutal force attack and shopping cart ownership
login-page: the login page
authentication-failure-handler-ref: handles authentication failure. See LoginAuthenticationFailureHandler: This performs redirect
authentication-success-handler-ref: See GUIDAuthenticationSuccessHandler: set the cookie, reset brutal force attack counter and handles cart creation. By default, spring security performs redirection on previously remembered resource url if any. See SavedRequestAwareAuthenticationSuccessHandler
Security:request-cache
Used to remember previously accessed url before login page shows, see also SavedRequestAwareAuthenticationSuccessHandler
原文地址:http://shadowisper.blog.51cto.com/3189863/1630147
