    <bean name="accessDecisionManager"
          class="org.springframework.security.vote.AffirmativeBased">
        <property name="decisionVoters">
            <list>
                <bean class="org.springframework.security.vote.RoleVoter"/>
                <bean class="org.springframework.security.vote.AuthenticatedVoter"/>
            </list>
        </property>
    </bean>
</beans>
The access decision managers implement the AccessDecisionManager interface. In this case, I am using the AffirmativeBased access decision manager. This access decision manager is controlled by a list of voters. It is similar to voting in an election. These voters decide whether a user can actually access a particular protected resource. The access decision manager will poll each voter for a vote. The possible values are ACCESS_DENIED, ACCESS_GRANTED, and ACCESS_ABSTAIN (when the voter is unsure). Once the voting is done, the AffirmativeBased access decision manager executes a simple algorithm to arrive at the result. If any of the voters vote with ACCESS_GRANTED, the user is granted access.
The access decision manager supplies each voter with the Authentication object and the objectDefinitionSource to make their decisions. The RoleVoter scans through the list of URL-pattern-to-role mappings. For the matched URL, it will check the roles. It will vote if it finds a role starting with the prefix ROLE. You can alter this value by setting the rolePrefix property. If it finds a matching role, it votes ACCESS_GRANTED; otherwise, it votes ACCESS_DENIED. The AuthenticatedVoter will vote if it finds a predefined role in any of the matched URL-to-role mappings. One such predefined value is IS_AUTHENTICATED_ANONYMOUSLY. It will probe the Authentication object to determine whether the user has been authenticated anonymously. A positive finding will result in ACCESS_GRANTED being voted.
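The voting described above, as an added example: a simplified plain-Java model, not Spring Security's own classes and not code from the original text. The sample user, URL patterns, role names and the ROLE_ prefix value are constructed, and the allowIfAllAbstain flag is an assumption modelling the allowIfAllAbstainDecisions property of Spring Security's access decision managers (false by default), which decides the case where no voter recognises any attribute.

```java
import java.util.*;

// Simplified model of affirmative voting; not Spring Security's own classes.
public class AffirmativeVotingDemo {
    static final int ACCESS_GRANTED = 1, ACCESS_ABSTAIN = 0, ACCESS_DENIED = -1;

    interface Voter { int vote(Set<String> userRoles, List<String> requiredAttributes); }

    // Votes only on attributes carrying the role prefix; abstains when there are none.
    static Voter roleVoter(String rolePrefix) {
        return (userRoles, attrs) -> {
            int result = ACCESS_ABSTAIN;
            for (String attr : attrs) {
                if (!attr.startsWith(rolePrefix)) continue;
                if (userRoles.contains(attr)) return ACCESS_GRANTED;
                result = ACCESS_DENIED; // a role was required and the user lacks it
            }
            return result;
        };
    }

    // Votes only on the predefined attribute; an anonymous login is enough to satisfy it.
    static Voter authenticatedVoter() {
        return (userRoles, attrs) ->
            attrs.contains("IS_AUTHENTICATED_ANONYMOUSLY") ? ACCESS_GRANTED : ACCESS_ABSTAIN;
    }

    // Affirmative rule: a single ACCESS_GRANTED wins. Any denial without a grant denies.
    // If every voter abstains, the outcome is whatever allowIfAllAbstain says.
    static boolean decide(List<Voter> voters, Set<String> userRoles,
                          List<String> attrs, boolean allowIfAllAbstain) {
        int denials = 0;
        for (Voter voter : voters) {
            int vote = voter.vote(userRoles, attrs);
            if (vote == ACCESS_GRANTED) return true;
            if (vote == ACCESS_DENIED) denials++;
        }
        return denials == 0 && allowIfAllAbstain;
    }

    public static void main(String[] args) {
        List<Voter> voters = List.of(roleVoter("ROLE_"), authenticatedVoter());
        Set<String> clerk = Set.of("ROLE_CLERK"); // constructed sample user
        Map<String, List<String>> mappings = new LinkedHashMap<>(); // constructed mappings
        mappings.put("/admin/**", List.of("ROLE_ADMIN"));
        mappings.put("/orders/**", List.of("ROLE_CLERK", "ROLE_ADMIN"));
        mappings.put("/login.jsp", List.of("IS_AUTHENTICATED_ANONYMOUSLY"));
        mappings.put("/reports/**", List.of("REPORT_VIEWER")); // no voter recognises this
        mappings.forEach((url, attrs) -> System.out.println(
            url + " -> " + (decide(voters, clerk, attrs, false) ? "granted" : "denied")));
    }
}
```

The last mapping shows the case to watch in review: an attribute that no configured voter recognises makes every voter abstain, so the result depends entirely on the all-abstain setting rather than on any role check.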
Consequences
Benefits
• Spring Security can be enabled and altered by mere configuration.
• Only users with valid identities are allowed access to the system.
