Authorization in a Java Spring web application: custom filter vs Servlet filter vs AccessDecisionVoter


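I'm trying to secure my application's web resources with Spring and noticed that there are multiple ways to do this. All of them worked as I expected.

But I'd like to know what the differences between them are, and which one is the best practice for authorization in a Spring web application. I couldn't find the differences in Spring. (If there is a better way, I'm open to learning it.)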

1- Servlet filter: javax.servlet.Filter + Spring DelegatingFilterProxy in web.xml:

TestFilter.java

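import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

public class TestFilter implements Filter {
    ...
    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (someCondition()) {
            // Allowed: pass the request on to the rest of the chain.
            chain.doFilter(req, res);
        } else {
            // Rejected: respond with 401 and stop processing here.
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_UNAUTHORIZED, "unauthorized!");
        }
    }
    ...
}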
web.xml

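<filter>
    <!-- The name must match the <filter-name> used in <filter-mapping> below. -->
    <filter-name>TestFilter</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    <init-param>
        <param-name>targetBeanName</param-name>
        <param-value>testFilter</param-value>
    </init-param>
</filter>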
<filter-mapping>
    <filter-name>TestFilter</filter-name>
    <url-pattern>/api/*</url-pattern>
</filter-mapping>
<http pattern="/**" auto-config="true" use-expressions="true" access-decision-manager-ref="accessDecisionManager" >
        ...
</http>

<beans:bean id="accessDecisionManager" class="org.springframework.security.access.vote.UnanimousBased">
    <beans:constructor-arg>
        <beans:list>
            <beans:bean
                class="org.springframework.security.web.access.expression.WebExpressionVoter" />
            <beans:bean
                class="org.springframework.security.access.vote.AuthenticatedVoter" />
            <beans:ref bean="roleVoter" />
            <beans:bean
                class="org.myapp.api.auth.TestDecisionVoter" />
        </beans:list>
    </beans:constructor-arg>
</beans:bean>
3- AccessDecisionVoter:

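import java.util.Collection;
import org.springframework.security.access.AccessDecisionVoter;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.core.Authentication;

public class TestDecisionVoter implements AccessDecisionVoter<Object> {
    ...
    @Override
    public int vote(Authentication authentication, Object object, Collection<ConfigAttribute> attributes) {
        // This voter never abstains: it either grants or denies.
        if (someCondition()) {
            return ACCESS_GRANTED;
        } else {
            return ACCESS_DENIED;
        }
    }
    ...
}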
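
Added example, not part of the original question and not Spring Security's own code: how the UnanimousBased manager configured above treats a voter that, like TestDecisionVoter, only ever grants or denies. It assumes Spring Security 5.x on the classpath; UnanimousVetoDemo, FlagVoter and the user "alice" are hypothetical names.

```java
import java.util.Arrays;
import java.util.Collection;
import java.util.List;

import org.springframework.security.access.AccessDecisionVoter;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.SecurityConfig;
import org.springframework.security.access.vote.RoleVoter;
import org.springframework.security.access.vote.UnanimousBased;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.core.Authentication;

public class UnanimousVetoDemo {

    // Hypothetical stand-in for TestDecisionVoter: someCondition() becomes a constructor flag.
    static class FlagVoter implements AccessDecisionVoter<Object> {
        private final boolean allow;
        FlagVoter(boolean allow) { this.allow = allow; }
        @Override public boolean supports(ConfigAttribute attribute) { return true; }
        @Override public boolean supports(Class<?> clazz) { return true; }
        @Override public int vote(Authentication auth, Object object, Collection<ConfigAttribute> attrs) {
            return allow ? ACCESS_GRANTED : ACCESS_DENIED;
        }
    }

    // Runs one access decision and reports whether the request would be let through.
    static boolean decide(boolean flag) {
        List<AccessDecisionVoter<?>> voters = Arrays.asList(new RoleVoter(), new FlagVoter(flag));
        UnanimousBased manager = new UnanimousBased(voters);
        // Constructed test principal that holds ROLE_USER, so RoleVoter votes to grant.
        Authentication user = new TestingAuthenticationToken("alice", "n/a", "ROLE_USER");
        try {
            // The secured object is a placeholder; these voters do not inspect it.
            manager.decide(user, new Object(), SecurityConfig.createList("ROLE_USER"));
            return true;
        } catch (AccessDeniedException denied) {
            return false;
        }
    }

    public static void main(String[] args) {
        System.out.println("custom voter grants -> allowed=" + decide(true));
        System.out.println("custom voter denies -> allowed=" + decide(false));
    }
}
```

With UnanimousBased a single ACCESS_DENIED vote ends the decision with an AccessDeniedException, so decide(false) is rejected even though RoleVoter grants ROLE_USER.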