<property name="objectDefinitionSource">
<value>
CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
PATTERN_TYPE_APACHE_ANT
/secure/admin/**=ROLE_ADMIN
/secure/**=IS_AUTHENTICATED_REMEMBERED
/**=IS_AUTHENTICATED_ANONYMOUSLY
</value>
</property>
</bean>
</beans>
The first property that I will focus on with the FSI is objectDefinitionSource. In Spring
Security, secured resources are called object definitions. The name is generic because
Spring Security can be applied to method invocation and object creation in addition to
web applications. The objectDefinitionSource is composed of directives and
URL-pattern-to-role mappings. The directives are the same as the ones used for the filter chain proxy in
Listing 6-3.
A user with ROLE_ADMIN has access to all URLs starting with /secure/admin. Only
authenticated users are allowed entry into all URLs starting with /secure. All other URLs
can be accessed anonymously or by a user who is already authenticated. Note that the URL
mappings are processed in the same order as they are defined. Also, you are free to
define any role that you want for your application.
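The in-order matching described above, modeled as an added Java example (not code from the book or from Spring Security). The class name, the simplified Ant-style matcher and the sample URLs are assumptions made for illustration; the second rule set moves the catch-all pattern to the top to show how it then shadows the stricter rules.

```java
import java.util.*;
import java.util.regex.Pattern;

public class ObjectDefinitionSourceDemo {
    // Simplified Ant-style matcher (assumption): "**" spans segments, "*" stays inside one.
    static Pattern antToRegex(String ant) {
        boolean subtree = ant.endsWith("/**");
        String body = subtree ? ant.substring(0, ant.length() - 3) : ant;
        StringBuilder re = new StringBuilder();
        for (int i = 0; i < body.length(); i++) {
            char c = body.charAt(i);
            if (c == '*' && body.startsWith("**", i)) { re.append(".*"); i++; }
            else if (c == '*') re.append("[^/]*");
            else if (c == '?') re.append("[^/]");
            else re.append(Pattern.quote(String.valueOf(c)));
        }
        if (subtree) re.append("(/.*)?"); // "/secure/**" also covers "/secure" itself
        return Pattern.compile(re.toString());
    }

    // Reads "pattern=ATTRIBUTE" lines in definition order; directive lines have no '='.
    static Map<String, String> parse(String value) {
        Map<String, String> rules = new LinkedHashMap<>();
        for (String line : value.split("\n")) {
            int eq = line.indexOf('=');
            if (eq > 0) rules.put(line.substring(0, eq).trim(), line.substring(eq + 1).trim());
        }
        return rules;
    }

    // Lowercases the URL (as the directive requests) and returns the first matching rule.
    static String requiredAttribute(Map<String, String> rules, String url) {
        String u = url.toLowerCase(Locale.ROOT);
        for (Map.Entry<String, String> e : rules.entrySet())
            if (antToRegex(e.getKey()).matcher(u).matches()) return e.getValue();
        return null; // no pattern matched
    }

    public static void main(String[] args) {
        Map<String, String> listed = parse("CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON\n"
            + "/secure/admin/**=ROLE_ADMIN\n/secure/**=IS_AUTHENTICATED_REMEMBERED\n"
            + "/**=IS_AUTHENTICATED_ANONYMOUSLY");
        Map<String, String> catchAllFirst = parse("/**=IS_AUTHENTICATED_ANONYMOUSLY\n"
            + "/secure/**=IS_AUTHENTICATED_REMEMBERED\n/secure/admin/**=ROLE_ADMIN");
        for (String url : new String[] {"/Secure/Admin/users.html", "/secure/profile.html", "/index.html"})
            System.out.println(url + " -> " + requiredAttribute(listed, url)
                + " | catch-all first -> " + requiredAttribute(catchAllFirst, url));
    }
}
```

When reviewing an objectDefinitionSource, check that each pattern is listed before any broader pattern that also matches its URLs, and that the patterns themselves are lowercase when the lowercase directive is present.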
The property authenticationManager uses the same Spring bean that I used with the
APF. It can be used to reauthenticate a request. Reauthentication can hurt application
performance, so you need to configure it carefully; you control it by setting the
alwaysReauthenticate property of the FSI to false. The property accessDecisionManager
works like authentication managers and is responsible for making the actual
authorization decision. The access decision manager is wired up as shown in Listing 6-16.
Listing 6-16. applicationContext-security.xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE beans PUBLIC "-//SPRING//DTD BEAN//EN"
"http://www.springframework.org/dtd/spring-beans.dtd">
<beans>
<!-- Other beans -->
 