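Acegi Security provides a number of Filters for access control in the web layer. These Filters wrap the Authentication, Authorization, and other supporting functions of the access-control process for web use. If you use these Filters in web.xml, declare their <filter-mapping> elements in the order listed below. Note that Filters in a <filter-mapping> declared with <url-pattern> are placed ahead of [b]all[/b] Filters declared with <servlet-name>. Note also that if a single <filter-mapping> contains both a <servlet-name> declaration and a <url-pattern> declaration, that Filter may be added to the filter chain twice.
So in general, declaring these Acegi Security Filters directly in web.xml is not recommended. Instead, define them in applicationContext.xml, using DelegatingFilterProxy (in web.xml) and FilterChainProxy (in applicationContext.xml).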
[list=1]
[*]ChannelProcessingFilter, which can be used to redirect to another protocol, for example redirecting an http request to https
[*]ConcurrentSessionFilter, because it doesn't use any SecurityContextHolder functionality but
needs to update the SessionRegistry to reflect ongoing requests from the principal
[*]HttpSessionContextIntegrationFilter, so a SecurityContext can be set up in the
SecurityContextHolder at the beginning of a web request, and any changes to the
SecurityContext can be copied to the HttpSession when the web request ends (ready for use with
the next web request)
[*]Authentication processing mechanisms - AuthenticationProcessingFilter, CasProcessingFilter,
BasicProcessingFilter, HttpRequestIntegrationFilter, JbossIntegrationFilter etc - so that the
SecurityContextHolder can be modified to contain a valid Authentication request token
[*]The SecurityContextHolderAwareRequestFilter, if you are using it to install an Acegi Security
aware HttpServletRequestWrapper into your servlet container
[*]RememberMeProcessingFilter, so that if no earlier authentication processing mechanism updated
the SecurityContextHolder, and the request presents a cookie that enables remember-me
services to take place, a suitable remembered Authentication object will be put there
[*]AnonymousProcessingFilter, so that if no earlier authentication processing mechanism updated
the SecurityContextHolder, an anonymous Authentication object will be put there
[*]ExceptionTranslationFilter, to catch any Acegi Security exceptions so that either an HTTP
error response can be returned or an appropriate AuthenticationEntryPoint can be launched
[*]FilterSecurityInterceptor, to protect web URIs
[/list]
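A way to audit an applicationContext.xml against the order above, as an added example that is not part of the original post or of Acegi Security itself. It assumes the Acegi 1.0-style FilterChainProxy property filterInvocationDefinitionSource with lines of the form pattern=bean1,bean2; the bean ids and the sample XML are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Slots follow the list above; the authentication mechanisms share one slot.
ORDER = [("ChannelProcessingFilter",), ("ConcurrentSessionFilter",),
         ("HttpSessionContextIntegrationFilter",),
         ("AuthenticationProcessingFilter", "CasProcessingFilter", "BasicProcessingFilter",
          "HttpRequestIntegrationFilter", "JbossIntegrationFilter"),
         ("SecurityContextHolderAwareRequestFilter",), ("RememberMeProcessingFilter",),
         ("AnonymousProcessingFilter",), ("ExceptionTranslationFilter",),
         ("FilterSecurityInterceptor",)]
RANK = {name: slot for slot, group in enumerate(ORDER) for name in group}

def check_chains(context_xml):
    """Return (pattern, earlier_bean, later_bean) for each adjacent pair out of order."""
    root = ET.fromstring(context_xml)  # assumes a DTD-style beans file (no XML namespace)
    classes = {b.get("id"): b.get("class", "").rsplit(".", 1)[-1] for b in root.iter("bean")}
    findings = []
    for bean in root.iter("bean"):
        if not bean.get("class", "").endswith(".FilterChainProxy"):
            continue
        for prop in bean.findall("property[@name='filterInvocationDefinitionSource']"):
            for line in (prop.findtext("value") or "").splitlines():
                if "=" not in line:
                    continue  # blank lines and directives such as PATTERN_TYPE_APACHE_ANT
                pattern, names = line.strip().split("=", 1)
                # Resolve bean ids to class simple names; ignore filters not in the list.
                ranked = [(n.strip(), RANK.get(classes.get(n.strip()))) for n in names.split(",")]
                ranked = [(n, r) for n, r in ranked if r is not None]
                findings += [(pattern, a, b)
                             for (a, ra), (b, rb) in zip(ranked, ranked[1:]) if ra > rb]
    return findings

# Constructed sample: bean ids are hypothetical, filter beans shown without their properties.
SAMPLE = """<beans>
  <bean id="filterChainProxy" class="org.acegisecurity.util.FilterChainProxy">
    <property name="filterInvocationDefinitionSource"><value>
      PATTERN_TYPE_APACHE_ANT
      /**=authFilter,sessionFilter,anonFilter,translationFilter,interceptor
    </value></property>
  </bean>
  <bean id="sessionFilter" class="org.acegisecurity.context.HttpSessionContextIntegrationFilter"/>
  <bean id="authFilter" class="org.acegisecurity.ui.webapp.AuthenticationProcessingFilter"/>
  <bean id="anonFilter" class="org.acegisecurity.providers.anonymous.AnonymousProcessingFilter"/>
  <bean id="translationFilter" class="org.acegisecurity.ui.ExceptionTranslationFilter"/>
  <bean id="interceptor" class="org.acegisecurity.intercept.web.FilterSecurityInterceptor"/>
</beans>"""
if __name__ == "__main__":
    for pattern, a, b in check_chains(SAMPLE):
        print(f"{pattern}: {a} is listed before {b}, but should come after it")
```

In the sample, the authentication filter is listed ahead of HttpSessionContextIntegrationFilter, so it would run before the SecurityContext has been restored from the HttpSession; the checker reports that pair.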
Reference
[list]
[*] Acegi Security Reference Documentation [url]http://acegisecurity.org/guide/springsecurity.html[/url]
[/list]