spring security

authentication 认证 确认你是否是你声称的那个东东
Authorization  授权 通过认证后 授予访问权限

使用自定义访问控制
<http access-decision-manager-ref="myAccessDecisionManagerBean">
    ...
</http>



相关信息存储在安全上下文中

获取主体对象SecurityContextHolder.getContext().getAuthentication().getPrincipal();

当成功通过验证时  UserDetails 会被用来建立Authentication对象， 保存在
SecurityContextHolder 里


除了主体，另一个Authentication 提供的重要方法是getAuthorities()。这个方法提供
了GrantedAuthority 对象数组。毫无疑问，GrantedAuthority 是赋予到主体的权限。
这些权限通常使用角色表示， 比如ROLE_ADMINISTRATOR 或
ROLE_HR_SUPERVISOR。这些角色会在后面，对web 验证，方法验证和领域对象验证
进行配置。Spring Security 的其他部分用来拦截这些权限，期望他们被表现出现。
GrantedAuthority 对象通常使用UserDetailsService 读取的

all Authentication implementations store a list of GrantedAuthority objects. These represent the authorities that have been granted to the principal. The GrantedAuthority objects are inserted into the Authentication object by the AuthenticationManager and are later read by AccessDecisionManagers when making authorization decisions.


AccessDecisionManager 
   基于投票的方式 使用一系列的AccessDecisionVoter 进行投票决定。最常用的是RoleVoter，通过对 GrantedAuthority与 ConfigAttributes 进行比对。


标签使用
<sec:authorize access="hasRole('supervisor')">
This content will only be visible to users who have
the "supervisor" authority in their list of <tt>GrantedAuthority</tt>s.
</sec:authorize>


配置
web安全
<http>
     名为"springSecurityFilterChain"  的FilterChainProxy bean会被创建，内部配置信息用来创建过滤器链。所有过滤器需要的AuthenticationManager 会被自动注入。
SecurityContextPersistenceFilter  ExceptionTranslationFilter  FilterSecurityInterceptor 会被创建。

access-decision-manager-ref
access-denied-page  Deprecated in favour of the access-denied-handler element.
authentication-manager-ref
auto-config  默认 to "false".
create-session
    always 
    ifRequired  (default value).
    never 
    stateless 
disable-url-rewriting default is false
entry-point-ref  customized AuthenticationEntryPoint bean which will start the authentication process.
pattern 需要过滤的匹配模式
request-matcher  ant , regex and ciRegex
request-matcher-ref
security  none 表示不启用安全
servlet-api-provision 默认true 为HttpServletRequest 增加安全方法
use-expressions  启用EL-expressions in the access attribute

子元素
access-denied-handler
    error-page 无权限是转到此页面
    ref AccessDeniedHandler 的引用
anonymous  enabled 默认启用 granted-authority 默认ROLE_ANONYMOUS username 默认anonymousUser
custom-filter after before position ref
expression-handler ref SecurityExpressionHandler引用

form-login 定义UsernamePasswordAuthenticationFilter 和LoginUrlAuthenticationEntryPoint
always-use-default-target
authentication-details-source-ref
authentication-failure-handler-ref
authentication-failure-url
authentication-success-handler-ref
default-target-url
login-page
login-processing-url
password-parameter 默认j_password
username-parameter 默认j_username

  
http-basic BasicAuthenticationFilter and BasicAuthenticationEntryPoint
authentication-details-source-ref
entry-point-ref

http-firewall
ref HttpFirewall 引用

intercept-url 被FilterSecurityInterceptor用来创建FilterInvocationSecurityMetadataSource
可作为filter-invocation-definition-source filter-security-metadata-source http的子元素
access filters只能为none method http提交方法 pattern url匹配 requires-channel http或者https


jee J2eePreAuthenticatedProcessingFilter 集成容器认证
logout LogoutFilter
delete-cookies 退出时需要删除的cookies
invalidate-session true 退出时销毁session
logout-success-url 默认 “/”

openid-login 类似<form-login> 具有相同属性

port-mappings
port-mapping
  http thhps

remember-me
request-cache ref RequestCache
session-management SessionManagementFilter


认证服务

<authentication-manager alias erase-credentials
id>