一、FilterSecurityInterceptor
在invoke方法中调用InterceptorStatusToken的beforeInvocation(Object object) 方法。
- beforeInvocation(Object object) 方法中获取访问路径需要的权限:
Collection<ConfigAttribute> attributes = this.obtainSecurityMetadataSource()
.getAttributes(object);
this.obtainSecurityMetadataSource() 会得到DefaultFilterInvocationSecurityMetadataSource实例执行getAttributes(object) 方法,当路径都不匹配时返回WebExpressionConfigAttribute(authenticated)。
2. beforeInvocation(Object object) 方法中验证权限是否放行资源:
try {
this.accessDecisionManager.decide(authenticated, object, attributes);
}
this.accessDecisionManager取得AffirmativeBased实例执行decide(authenticated, object, attributes) 方法。