Spring Security custom decision manager

First, a look at Spring Security's decision manager. Its interface is AccessDecisionManager and its abstract base class is AbstractAccessDecisionManager. To customize the decision manager we usually extend the abstract class rather than implement the interface directly, because the abstract class already supplies the supports() methods and the voter handling.

Spring Security also introduces the concept of an access decision voter (AccessDecisionVoter). Whether access is granted is ultimately decided by the voters. The most common voter is RoleVoter, and the permission prefix is defined in RoleVoter (its rolePrefix property). First, let's see how RoleVoter's vote() method handles authorization.

The Authentication holds the user and the user's granted authorities, and attributes holds the ConfigAttributes required to access the resource. vote() loops over the attributes and, for each one whose name starts with the role prefix, checks whether the user holds a granted authority with exactly that name. On the first match it returns ACCESS_GRANTED, which in plain terms means the user has the permission. If at least one attribute carried the prefix but none matched, it returns ACCESS_DENIED; if no attribute carried the prefix, it returns ACCESS_ABSTAIN and leaves the decision to the other voters.

Spring Security provides three voter-based decision managers. For the details of how they work, check the Spring Security source code:

AffirmativeBased: access is granted as long as one voter grants it (this is what the namespace configuration uses by default).

ConsensusBased: access is granted only when a majority of the voters grant it (abstentions are not counted).

UnanimousBased: access is granted only if all voters grant it, i.e. a single deny vote blocks access (abstentions are not counted).

Let's implement a simple custom decision manager that does not use voters.

The decide() method has no return value: returning normally means access is granted, and it must throw an AccessDeniedException when authorization fails.
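The voter-less manager described above, written out as an added example (this is not the listing from the original page). It implements AccessDecisionManager directly rather than extending AbstractAccessDecisionManager, because from Spring Security 3.2 on the abstract class's constructor insists on a non-empty voter list; the class name and the deny-by-default choices are this example's own. Newer Spring Security releases steer you towards AuthorizationManager instead of this API, but the contract shown here is the one the text describes.

```java
import java.util.Collection;

import org.springframework.security.access.AccessDecisionManager;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.authentication.InsufficientAuthenticationException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;

/**
 * Added example (not Spring's code): a decision manager without voters.
 * Access is granted when the Authentication holds at least one authority whose
 * name equals one of the ConfigAttributes protecting the resource, the same
 * "any one matches" rule RoleVoter applies, but without the prefix filter.
 * Everything else is denied: no authentication, no attributes, no match.
 */
public class AuthorityMatchingDecisionManager implements AccessDecisionManager {

    @Override
    public void decide(Authentication authentication, Object object,
                       Collection<ConfigAttribute> configAttributes)
            throws AccessDeniedException, InsufficientAuthenticationException {

        if (authentication == null || !authentication.isAuthenticated()) {
            // "Not logged in" rather than "not allowed": ExceptionTranslationFilter
            // sends this to the authentication entry point (login page).
            throw new InsufficientAuthenticationException("Authentication required");
        }
        if (configAttributes == null || configAttributes.isEmpty()) {
            // FilterSecurityInterceptor does not call decide() for resources with
            // no attributes, but a manager should still fail closed if it happens.
            throw new AccessDeniedException("No access attributes defined for resource");
        }

        for (ConfigAttribute attribute : configAttributes) {
            String required = attribute.getAttribute();
            if (required == null) {
                continue; // expression attributes carry no plain name; not ours to judge
            }
            for (GrantedAuthority granted : authentication.getAuthorities()) {
                if (required.equals(granted.getAuthority())) {
                    return; // no return value: returning normally means access granted
                }
            }
        }
        // Anonymous users end up here too (ROLE_ANONYMOUS never matches);
        // ExceptionTranslationFilter still redirects them to the entry point.
        throw new AccessDeniedException("Access is denied");
    }

    @Override
    public boolean supports(ConfigAttribute attribute) {
        return attribute.getAttribute() != null;
    }

    @Override
    public boolean supports(Class<?> clazz) {
        return true; // usable for both URL (FilterInvocation) and method security
    }
}
```

To wire it into the namespace configuration, declare it as a bean and reference it from the http element's access-decision-manager-ref attribute; any exception thrown from decide() is turned into a 403 (or a redirect to login for anonymous users) by ExceptionTranslationFilter.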

If a resource requires two or more permissions at the same time, you need a custom AccessDecisionVoter, because RoleVoter grants access on the first matching authority. That is also very simple and is not repeated here. If you want to use expressions such as hasRole() in the page (use-expressions="true"), you need to inject a WebExpressionVoter, since RoleVoter cannot evaluate expression attributes.
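The "two or more permissions at the same time" voter the text leaves out, as an added example (not code from the original page). It keeps RoleVoter's prefix filter and abstain behaviour but requires every prefixed attribute to be held, so an intercept-url with access="ROLE_ADMIN,ROLE_AUDITOR" needs both authorities. The class name and constructor are this example's own.

```java
import java.util.Collection;
import java.util.HashSet;
import java.util.Set;

import org.springframework.security.access.AccessDecisionVoter;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;

/**
 * Added example (not Spring's code): a voter with AND semantics.
 * RoleVoter grants as soon as ONE prefixed attribute matches a granted
 * authority (OR). This voter grants only when EVERY prefixed attribute is
 * matched, denies if any is missing, and abstains when no attribute carries
 * the prefix so that it never blocks resources it has no opinion about.
 */
public class AllRolesVoter implements AccessDecisionVoter<Object> {

    private final String rolePrefix;

    public AllRolesVoter(String rolePrefix) {
        this.rolePrefix = rolePrefix; // e.g. "ROLE_"; "" means "vote on every attribute"
    }

    @Override
    public boolean supports(ConfigAttribute attribute) {
        return attribute.getAttribute() != null
                && attribute.getAttribute().startsWith(rolePrefix);
    }

    @Override
    public boolean supports(Class<?> clazz) {
        return true; // URL and method security alike
    }

    @Override
    public int vote(Authentication authentication, Object object,
                    Collection<ConfigAttribute> attributes) {
        if (authentication == null) {
            return ACCESS_DENIED;
        }
        Set<String> granted = new HashSet<String>();
        for (GrantedAuthority authority : authentication.getAuthorities()) {
            granted.add(authority.getAuthority());
        }

        int result = ACCESS_ABSTAIN;
        for (ConfigAttribute attribute : attributes) {
            if (!supports(attribute)) {
                continue; // leave IS_AUTHENTICATED_* etc. to other voters
            }
            result = ACCESS_GRANTED; // we have an opinion now; stays GRANTED only if all match
            if (!granted.contains(attribute.getAttribute())) {
                return ACCESS_DENIED; // one missing role is enough to deny
            }
        }
        return result;
    }
}
```

Register it in place of RoleVoter, not next to it: under AffirmativeBased a plain RoleVoter in the same list would grant on the first matching role and the AND check would never bite. If you must keep both voters, switch the manager to UnanimousBased so the deny vote wins.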

Customizing the permission prefix in Spring Security

The permission prefix is ROLE_ by default. Many examples on the Internet say that you can simply add a RoleVoter bean with your own rolePrefix to the configuration file, as in the following configuration.

Tested in practice, this does not work. The cause is not the configuration itself: as soon as the http element is declared with auto-config="true", Spring Security builds and initializes its own AccessDecisionManager (with its own RoleVoter) while parsing the namespace, before your bean is even considered, and it never injects the RoleVoter you configured into that manager. So we have to inject the AccessDecisionManager manually.

The http element has an access-decision-manager-ref attribute that lets us inject our own AccessDecisionManager. The detailed configuration follows.

Here we don't need the custom decision manager from above; we use Spring's AffirmativeBased directly, because the decision managers Spring provides are already powerful enough.

The configuration is very simple. To change the permission prefix, modify rolePrefix on the RoleVoter; if you don't want a prefix at all, set it to "".
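The configuration the text refers to, reconstructed as an added example rather than the page's original listing. The bean id, URL patterns and the in-memory user are assumptions; the voters are passed by constructor-arg as Spring Security 3.2 and later require (on 3.1 use a decisionVoters property instead). AuthenticatedVoter is included so that IS_AUTHENTICATED_* attributes keep working alongside the prefix-less RoleVoter.

```xml
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:security="http://www.springframework.org/schema/security"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
           http://www.springframework.org/schema/beans/spring-beans.xsd
           http://www.springframework.org/schema/security
           http://www.springframework.org/schema/security/spring-security.xsd">

    <!-- Added example configuration. use-expressions="false" keeps the access
         attributes as plain ConfigAttributes for RoleVoter; Spring Security 4+
         defaults to expression mode, which would need a WebExpressionVoter. -->
    <security:http auto-config="true" use-expressions="false"
                   access-decision-manager-ref="accessDecisionManager">
        <security:intercept-url pattern="/login*"  access="IS_AUTHENTICATED_ANONYMOUSLY"/>
        <security:intercept-url pattern="/admin/**" access="ADMIN"/>
        <security:intercept-url pattern="/**"       access="IS_AUTHENTICATED_FULLY"/>
    </security:http>

    <!-- Our own manager: auto-config no longer builds one, so the voters
         below are the ones actually consulted. -->
    <bean id="accessDecisionManager"
          class="org.springframework.security.access.vote.AffirmativeBased">
        <constructor-arg>
            <list>
                <bean class="org.springframework.security.access.vote.RoleVoter">
                    <!-- "" removes the prefix: attribute "ADMIN" matches authority "ADMIN" -->
                    <property name="rolePrefix" value=""/>
                </bean>
                <bean class="org.springframework.security.access.vote.AuthenticatedVoter"/>
            </list>
        </constructor-arg>
    </bean>

    <!-- Constructed test user with an un-prefixed authority.
         The {noop} marker is for Spring Security 5; older versions take the raw password. -->
    <security:authentication-manager>
        <security:authentication-provider>
            <security:user-service>
                <security:user name="alice" password="{noop}secret" authorities="ADMIN"/>
            </security:user-service>
        </security:authentication-provider>
    </security:authentication-manager>
</beans>
```

One caveat that matters once the prefix is "": RoleVoter.supports() accepts every attribute that starts with the prefix, and every string starts with "", so RoleVoter now votes on IS_AUTHENTICATED_FULLY too and votes ACCESS_DENIED for it (no user has an authority with that name). With AffirmativeBased that is harmless, because AuthenticatedVoter's ACCESS_GRANTED wins; with UnanimousBased the same configuration would deny every URL protected by an IS_AUTHENTICATED_* attribute.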

AuthenticatedVoter exists to support the IS_AUTHENTICATED_* kind of attribute. It recognises three of them:

IS_AUTHENTICATED_ANONYMOUSLY allows anonymous users in (and therefore everyone, since authenticated users qualify as well)

IS_AUTHENTICATED_FULLY allows only users who logged in with their credentials in this session (remember-me users are not enough)

IS_AUTHENTICATED_REMEMBERED allows fully logged-in users and remember-me users in

Summary

The above is the introduction to Spring Security custom decision managers. I hope it helps you. If you have any questions, please leave me a message and I will reply in time. Thank you very much for your support of the programming tips website!

The content of this article was collected from the network. It is provided as a learning reference; the copyright belongs to the original author.