spring security原理图及其解释（五）

Access configuration using spring expression language

An alternative method to the standard role-based voting mechanism implemented by RoleVoter is the use of Spring Expression Language (SpEL) expressions to define arbitrarily complex rules for voting. The straightforward way to implement this feature is to add the use-expressions attribute to the <http> configuration element:

对于实现了标准role-based投票机制的RoleVoter，它可以选择使用Spring Expression Language表达式来表达任意的复杂投票规则。最直接实现这个特性的方法是在<http>中添加use-expressions元素。

<http auto-config="true" use-expressions="true">

This addition will modify the behavior of the access attribute on the URL intercept rule declarations to expect an SpEL expression. SpEL expressions allow for the use of expression language specifications of access criteria. Instead of simple strings such as ROLE_USER, the configuration file can specify expressions that invoke method calls, reference system properties, compute values, and much more.

An important point to note is that if you enable the SpEL expression-based access specifications by setting the use-expressions attribute, you will disable the automatic configuration of the RoleVoter, which understands declarations of roles, like we saw in our simple configuration:

重要的一点是如果你使用了SpEL表达式，那么自动的RoleVoter配置就会被废弃，比如了解roles的声明等，就下下面这样：(就是如果这么声明了，那么程序就看不懂下面的代码了)

<intercept-url pattern="/*" access="ROLE_USER"/>

This means that your access declarations must change if you want to filter access solely by role. Fortunately, this was anticipated, and an SpEL-bound method hasRole is available to check roles. If we rewrote our sample configuration file to use expressions, it would look like this:

它的意思就是如果你想继续使用就必须修改声明。幸运的是，和期望的一样SpEL-bound方法hasRole是可以使用的。如果我们重写上面的例子，那么我们可以像下面的声明一样：

<http auto-config="true" use-expressions="true">
     <intercept-url pattern="/*" access="hasRole('ROLE_USER')"/>
</http>

As you might expect, the SpEL handling is supplied by a different Voter implementation, o.s.s.web.access.expression.WebExpressionVoter, which understands how to evaluate the SpEL expressions. The WebExpressionVoter relies on an implementation of the o.s.s.web.access.expression.WebSecurityExpressionHandler interface for this purpose. The WebSecurityExpressionHandler is responsible both for evaluating the expressions, as well as supplying the security-specific methods that are referenced in the expressions. The default implementation of this interface exposes methods defined in the o.s.s.web.access.expression.WebSecurityExpressionRoot class.

正像你猜测的一样，SpEl处理的支持是由另一个Voter实现的——o.s.s.web.access.expression.WebExpressionVoter，它知道如何解析SpEl表达式。 WebExpressionVoter依赖于实现WebSecurityExpressionHandler接口。WebSecurityExpressionHandler负责解析表达式和提供表达式引用的security-specific方法。这个接口的默认的实现是由WebSecurityExpressionRoot提供的。

The flow and relationship between these classes is shown in the following diagram:


Methods and pseudo-properties for SpEL access expressions are declared by the public methods provided by the WebSecurityExpessionRoot class, and its superclasses.

The available SpEL methods and pseudo-properties which ship with Spring Security 3 are shown in the following tables. Note that methods and properties not marked as "web only" are available for use when securing other types of resources that utilize SpEL, such as method calls. The examples provided illustrate the use of the method or property in an <intercept-url> access declaration.




In addition to the methods in the previous table, a series of methods are provided that can act as properties in the SpEL expressions. These do not require parentheses or method arguments.






Remember that voter implementations must return a voting decision (grant, deny, or abstain) based on the context of the request. You may note that hasRole sounds like it returns a Boolean response, and in fact this is true. SpEL-based access declarations must consist only of expressions which return a Boolean result. A true result means that the voter grants access, and a false result means that the voter denies access.

If you try to return an expression that doesn't evaluate to a Boolean, you'll
get an unfriendly exception with a message like this:

org.springframework.expression.spel.SpelException: EL1001E:Type conversion problem, cannot convert from class java.lang.Integer to java.lang.Boolean