Spring安全控制-优快云博客

本文介绍了一个使用Spring Security框架进行权限配置的例子。通过定义不同的URL拦截规则和访问权限，实现了基本的身份验证和授权功能。此外，还展示了如何自定义SecurityContextRepository。

摘要生成于 C知道，由 DeepSeek-R1 满血版支持，前往体验 >

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://repo.alibaba-inc.com/schema/roma/security"
	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:beans="http://www.springframework.org/schema/beans"
	xsi:schemaLocation="
	http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
	http://repo.alibaba-inc.com/schema/roma/security http://repo.alibaba-inc.com/schema/roma/roma-security-2.0.xsd">
	<http entry-point-ref="casAuthenticationFilterEntryPoint"
		access-denied-page="/permission_denied.htm"
		access-decision-manager-ref="accessDecisionManager">
		<intercept-url pattern="/common/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
		<intercept-url pattern="/admin/**"  access="ROLE_ADMIN" />
		<intercept-url pattern="/**"        access="ROLE_USER"  />
		<intercept-url pattern="/login.htm" filters="none"/>
		
		<anonymous granted-authority="IS_AUTHENTICATED_ANONYMOUSLY"
			username="anonymous" />
		<security-context-repository ref="mySecurityContextRepository" />
		<httponly-cookie default-httponly="true" not-httponly-cookies="departmentTree"/>
	</http>
        <beans:bean id="accessDecisionManager"
                </span>class="org.springframework.security.vote.AffirmativeBased">
		</span><beans:property name="allowIfAllAbstainDecisions"
			</span>value="false" />
		</span><beans:property name="decisionVoters">
			</span><beans:list>
				</span><beans:bean class="org.springframework.security.vote.RoleVoter" />
				</span><beans:bean class="org.springframework.security.vote.AuthenticatedVoter" />
			</span></beans:list>
		</span></beans:property>
	</span></beans:bean>
        <beans:bean name="mySecurityContextRepository"
		</span>class="my.MyBasedSecurityContextRepository">
	</span></beans:bean>
</beans:beans>

accessDecisionManager作为主入口，进行全新判断。其下有若干Voter，一起投票进行表决

securityContextRepository做用户权限信息的主要类，通过实现接口SecurityContextRepository.loadContext返回SecurityContext，通过SecurityContext.getAuthentication().getAuthorities()，得到GrantedAuthority[]数组，表示用户拥有的权限列表。从而到decisionManager中进行权限投票。