The access decision managers implement the AccessDecisionManager interface. In this
case, I am using the AffirmativeBased access decision manager. This access decision
manager is controlled by a list of voters. It is similar to voting in an election. These voters
decide whether a user can actually access a particular protected resource. The access
decision manager will poll each voter for a vote. The possible values are ACCESS_DENIED ,
ACCESS_GRANTED , and ACCESS_ABSTAIN (when the voter is unsure). Once the voting is done,
the AffirmativeBased access decision manager executes a simple algorithm to arrive at
the result. If any of the voters vote with ACCESS_GRANTED , the user is granted access.
The access decision manager supplies each voter with the Authentication object and
the objectDefinitionSource to make their decisions. The RoleVoter scans through the list
of URL pattern to role mappings. For the matched URL, it will check the roles. It will
vote if it finds a role starting with the prefix ROLE . You can alter this value by setting the
rolePrefix property. If it finds a matching role, it votes ACCESS_GRANTED ; otherwise, it votes
ACCESS_DENIED . The AuthenticatedVoter will vote if it finds a predefined role in any of the
matched URL to role mapping. One such predefined value is IS_AUTHENTICATED_
ANONYMOUSLY . It will probe the Authentication object to determine whether the user has
been authenticated anonymously. A positive finding will result in ACCESS_GRANTED being
• Spring Security can be enabled and altered by mere configuration.
• Only users with valid identities are allowed access to the system.