<property name="objectDefinitionSource">
<value>
CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
PATTERN_TYPE_APACHE_ANT
/secure/admin/**=ROLE_ADMIN
/secure/**=IS_AUTHENTICATED_REMEMBERED
/**=IS_AUTHENTICATED_ANONYMOUSLY
</value>
</property>
</bean>
</beans>
The first property that I will focus on with the FSI is objectDefinitionSource. In Spring Security, secured resources are called object definitions. The name is generic because Spring Security can be applied to method invocation and object creation in addition to web applications. The objectDefinitionSource is composed of directives and URL-pattern-to-role mappings. The directives are the same as the ones used for the filter chain proxy in Listing 6-3.
A user with ROLE_ADMIN has access to all URLs starting with /secure/admin. Only authenticated users are allowed entry into all URLs starting with /secure. All other URLs can be accessed anonymously or if the user is already authenticated. Note that the URL mappings will be processed in the same order as they are defined, and the first pattern that matches a request decides which role is required, so more specific patterns such as /secure/admin/** must be listed before broader ones. Also, you are free to define any role that you want for your application.
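The ordering rule above, as an added example (not code from the book or from Spring Security): a simplified Java model of first-match evaluation that compares the listing's order with the catch-all moved to the top. The class name and the antToRegex helper are hypothetical, and the helper handles only `*` and `/**`, not the full Ant pattern syntax.

```java
import java.util.LinkedHashMap;
import java.util.Locale;
import java.util.Map;
import java.util.regex.Pattern;

public class FirstMatchDemo {
    // Hypothetical, simplified Ant-style matcher: "/**" matches any remaining
    // path (including none), "*" matches within one path segment.
    static Pattern antToRegex(String ant) {
        StringBuilder re = new StringBuilder();
        for (int i = 0; i < ant.length(); i++) {
            char c = ant.charAt(i);
            if (ant.startsWith("/**", i)) { re.append("(/.*)?"); i += 2; }
            else if (c == '*') re.append("[^/]*");
            else re.append(Pattern.quote(String.valueOf(c)));
        }
        return Pattern.compile(re.toString());
    }

    // Walks the mappings in definition order and returns the attribute of the
    // FIRST pattern that matches; later, more specific patterns are never seen.
    static String requiredAttribute(Map<String, String> rules, String url) {
        // Models CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
        String path = url.toLowerCase(Locale.ROOT);
        for (Map.Entry<String, String> e : rules.entrySet())
            if (antToRegex(e.getKey()).matcher(path).matches()) return e.getValue();
        return null; // no mapping matched
    }

    public static void main(String[] args) {
        // Same mappings as the listing, in the listing's order.
        Map<String, String> pageOrder = new LinkedHashMap<>();
        pageOrder.put("/secure/admin/**", "ROLE_ADMIN");
        pageOrder.put("/secure/**", "IS_AUTHENTICATED_REMEMBERED");
        pageOrder.put("/**", "IS_AUTHENTICATED_ANONYMOUSLY");

        // Constructed misconfiguration: catch-all first shadows everything below it.
        Map<String, String> misordered = new LinkedHashMap<>();
        misordered.put("/**", "IS_AUTHENTICATED_ANONYMOUSLY");
        misordered.put("/secure/**", "IS_AUTHENTICATED_REMEMBERED");
        misordered.put("/secure/admin/**", "ROLE_ADMIN");

        String[] urls = {"/secure/admin/users", "/SECURE/Admin/users",
                         "/secure/profile", "/index.html"};
        for (String url : urls)
            System.out.printf("%-22s listing order: %-28s misordered: %s%n",
                url, requiredAttribute(pageOrder, url), requiredAttribute(misordered, url));
    }
}
```

With the misordered map every URL, including the admin paths, resolves to IS_AUTHENTICATED_ANONYMOUSLY, which is why reviewing pattern order belongs in any audit of this configuration.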
The property authenticationManager uses the same Spring bean that I used with the APF. It can be used to reauthenticate a request. This can hurt application performance, so you need to set it carefully, and you can control this by setting the alwaysReauthenticate property of the FSI to false. The property accessDecisionManager works like authentication managers and is responsible for making the actual authorization decision. The access decision manager is wired up as shown in Listing 6-16.
Listing 6-16. applicationContext-security.xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE beans PUBLIC "-//SPRING//DTD BEAN//EN"
    "http://www.springframework.org/dtd/spring-beans.dtd">
<beans>
<!-- Other beans -->
