ACEGI @ AnonymousProcessingFilter

This is the core code from AnonymousProcessingFilter's doFilter() method:

    if (applyAnonymousForThisRequest(request)) {
        // Only populate the context when no Authentication is present yet;
        // an existing (real) Authentication is never overwritten.
        if (SecurityContextHolder.getContext().getAuthentication() == null) {
            SecurityContextHolder.getContext().setAuthentication(createAuthentication(request));
            addedToken = true; // remembered so the finally block below knows what it may remove

            if (logger.isDebugEnabled()) {
                logger.debug("Populated SecurityContextHolder with anonymous token: '"
                    + SecurityContextHolder.getContext().getAuthentication() + "'");
            }
        } else {
            if (logger.isDebugEnabled()) {
                logger.debug("SecurityContextHolder not populated with anonymous token, as it already contained: '"
                    + SecurityContextHolder.getContext().getAuthentication() + "'");
            }
        }
    }

applyAnonymousForThisRequest(request) always returns true, so once you define this filter in the filter chain the code above runs for every request. It first checks whether the SecurityContext already holds an Authentication; if it does not, it creates an anonymous Authentication token (the well-known "anonymous user") with createAuthentication():

    // key: shared secret whose hash is stored in the token; userAttribute: configured principal and roles
    AnonymousAuthenticationToken auth = new AnonymousAuthenticationToken(key, userAttribute.getPassword(),
            userAttribute.getAuthorities());
    auth.setDetails(authenticationDetailsSource.buildDetails((HttpServletRequest) request));

The key is used to compute the token's keyHash, so that only anonymous tokens created with the matching key are accepted later as genuine. The username and roles (authorities) come from the userAttribute property:

    <bean id="anonymousProcessingFilter"
          class="org.acegisecurity.providers.anonymous.AnonymousProcessingFilter">
        <property name="key" value="changeThis"/>
        <property name="userAttribute"
                  value="anonymousUser,ROLE_ANONYMOUS"/>
    </bean>


This AnonymousAuthenticationToken  will then  be used in the FilterSecurityInterceptor to filter the url or function.

Also notice the second half of doFilter():

    try {
        chain.doFilter(request, response);
    } finally {
        // Remove the token only if this filter added it, removeAfterRequest is set,
        // and the context still holds that same anonymous token (i.e. nothing
        // further down the chain replaced it with a real Authentication).
        if (addedToken && removeAfterRequest
            && createAuthentication(request).equals(SecurityContextHolder.getContext().getAuthentication())) {
            SecurityContextHolder.getContext().setAuthentication(null);
        }
    }

So with removeAfterRequest enabled, the anonymous token the filter added is cleared at the end of the request; an Authentication that replaced it during the request is left in place.
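To make the three cases above concrete, here is a small stand-alone model of the filter's lifecycle. It is an added example, not Acegi's own code: Context stands in for SecurityContextHolder, a String stands in for the Authentication object, and AnonymousFilterModel reproduces the add / never-overwrite / conditional-remove logic from doFilter().

```java
// Stand-in for SecurityContextHolder: one Authentication (here just a String) per thread.
final class Context {
    private static final ThreadLocal<String> AUTH = new ThreadLocal<>();
    static String get() { return AUTH.get(); }
    static void set(String auth) { AUTH.set(auth); }
}

// Hypothetical model of AnonymousProcessingFilter.doFilter(); not Acegi's own class.
final class AnonymousFilterModel {
    private final String anonymousToken;   // stands in for AnonymousAuthenticationToken
    private final boolean removeAfterRequest;

    AnonymousFilterModel(String key, String userAttribute, boolean removeAfterRequest) {
        // The real token stores key.hashCode() as keyHash plus the principal and roles.
        this.anonymousToken = "anon[keyHash=" + key.hashCode() + "," + userAttribute + "]";
        this.removeAfterRequest = removeAfterRequest;
    }

    // Runs the rest of the chain and returns the Authentication left in the context afterwards.
    String doFilter(Runnable chain) {
        boolean addedToken = false;
        if (Context.get() == null) {           // never overwrite an existing Authentication
            Context.set(anonymousToken);
            addedToken = true;
        }
        try {
            chain.run();
        } finally {
            // Clear only the token this filter added, and only if it is still there.
            if (addedToken && removeAfterRequest && anonymousToken.equals(Context.get())) {
                Context.set(null);
            }
        }
        return Context.get();
    }
}

public class AnonymousFilterDemo {
    public static void main(String[] args) {
        AnonymousFilterModel f = new AnonymousFilterModel("changeThis", "anonymousUser,ROLE_ANONYMOUS", true);
        String[] duringChain = new String[1];
        Context.set(null);                       // 1. unauthenticated request
        String after = f.doFilter(() -> duringChain[0] = Context.get());
        System.out.println("during chain: " + duringChain[0] + " / after request: " + after);
        Context.set("user:alice");               // 2. already authenticated: left untouched
        System.out.println("authenticated request: " + f.doFilter(() -> {}));
        Context.set(null);                       // 3. chain replaced the anonymous token (login)
        System.out.println("login during chain: " + f.doFilter(() -> Context.set("user:alice")));
    }
}
```

Case 3 is the one the equals() check exists for: a login that happens further down the chain must survive the filter's cleanup.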
