Authorization in a Java Spring web application: custom filter vs Servlet filter vs AccessDecisionVoter
I'm trying to secure my application's web resources with Spring, and I noticed that there are several ways to do it. All of them work as I expect, but I'd like to know what the differences between them are, and which one is the best practice for authorization in a Spring web application. I couldn't find the difference in Spring (if there is a better way, I'm willing to learn).

1- Servlet filter:
javax.servlet.Filter + Spring DelegatingFilterProxy in web.xml:
<!-- web.xml: hand requests for /api/* to the Spring bean named testFilter -->
<filter>
    <filter-name>TestFilter</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    <init-param>
        <param-name>targetBeanName</param-name>
        <param-value>testFilter</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>TestFilter</filter-name>
    <url-pattern>/api/*</url-pattern>
</filter-mapping>

<!-- Spring Security configuration: the http element delegates decisions to the manager below -->
<http pattern="/**" auto-config="true" use-expressions="true" access-decision-manager-ref="accessDecisionManager">
    ...
</http>
<!-- UnanimousBased: a single ACCESS_DENIED from any voter in the list rejects the request -->
<beans:bean id="accessDecisionManager" class="org.springframework.security.access.vote.UnanimousBased">
    <beans:constructor-arg>
        <beans:list>
            <beans:bean class="org.springframework.security.web.access.expression.WebExpressionVoter" />
            <beans:bean class="org.springframework.security.access.vote.AuthenticatedVoter" />
            <beans:ref bean="roleVoter" />
            <beans:bean class="org.myapp.api.auth.TestDecisionVoter" />
        </beans:list>
    </beans:constructor-arg>
</beans:bean>
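TestFilter.java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

public class TestFilter implements Filter {
    ...
    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (someCondition()) {
            // Allowed: pass the request on to the rest of the filter chain
            chain.doFilter(req, res);
        } else {
            // Rejected: answer with 401 and do not continue the chain
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_UNAUTHORIZED, "unauthorized!");
        }
    }
    ...
}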
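3- AccessDecisionVoter:
import java.util.Collection;
import org.springframework.security.access.AccessDecisionVoter;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.core.Authentication;

public class TestDecisionVoter implements AccessDecisionVoter<Object> {
    ...
    @Override
    public int vote(Authentication authentication, Object object, Collection<ConfigAttribute> attributes) {
        // The return value is this voter's ballot for the configured AccessDecisionManager
        if (someCondition()) {
            return ACCESS_GRANTED;
        } else {
            return ACCESS_DENIED;
        }
    }
    ...
}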
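How the UnanimousBased manager configured above combines its voters' results, as an added example that is not part of the original question. BlockedUserVoter, the principals and the attribute names are constructed stand-ins, and the code assumes a spring-security-core version that still ships the AccessDecisionVoter API on the classpath.

```java
import java.util.Collection;
import java.util.List;
import org.springframework.security.access.AccessDecisionVoter;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.SecurityConfig;
import org.springframework.security.access.vote.RoleVoter;
import org.springframework.security.access.vote.UnanimousBased;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.core.Authentication;

public class UnanimousVoteDemo {

    // Hypothetical stand-in for the question's TestDecisionVoter: vetoes one constructed principal.
    static class BlockedUserVoter implements AccessDecisionVoter<Object> {
        @Override public boolean supports(ConfigAttribute attribute) { return true; }
        @Override public boolean supports(Class<?> clazz) { return true; }
        @Override
        public int vote(Authentication auth, Object object, Collection<ConfigAttribute> attrs) {
            return "mallory".equals(auth.getName()) ? ACCESS_DENIED : ACCESS_ABSTAIN;
        }
    }

    // Runs one decision and turns the AccessDeniedException into a boolean.
    static boolean allowed(UnanimousBased adm, Authentication auth, String... attrs) {
        try {
            adm.decide(auth, new Object(), SecurityConfig.createList(attrs));
            return true;
        } catch (AccessDeniedException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        List<AccessDecisionVoter<?>> voters = List.of(new RoleVoter(), new BlockedUserVoter());
        UnanimousBased adm = new UnanimousBased(voters);

        // Constructed sample principals; the credentials value is unused here.
        Authentication alice = new TestingAuthenticationToken("alice", "n/a", "ROLE_USER");
        Authentication mallory = new TestingAuthenticationToken("mallory", "n/a", "ROLE_USER");
        Authentication guest = new TestingAuthenticationToken("guest", "n/a", "ROLE_GUEST");

        System.out.println(allowed(adm, alice, "ROLE_USER"));   // RoleVoter grants, custom voter abstains
        System.out.println(allowed(adm, mallory, "ROLE_USER")); // one deny vetoes RoleVoter's grant
        System.out.println(allowed(adm, guest, "ROLE_USER"));   // RoleVoter denies: required role missing
        System.out.println(allowed(adm, alice, "CUSTOM_ATTR")); // all voters abstain: denied by default
    }
}
```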