FilterSecurityInterceptor执行详情

一、FilterSecurityInterceptor
在invoke方法中调用InterceptorStatusToken的beforeInvocation(Object object) 方法。

1. beforeInvocation(Object object) 方法中获取访问路径需要的权限：

Collection<ConfigAttribute> attributes = this.obtainSecurityMetadataSource()
				.getAttributes(object);

this.obtainSecurityMetadataSource() 会得到DefaultFilterInvocationSecurityMetadataSource实例执行getAttributes(object) 方法，当路径都不匹配时返回WebExpressionConfigAttribute(authenticated)。

2. beforeInvocation(Object object) 方法中验证权限是否放行资源：

try {
	this.accessDecisionManager.decide(authenticated, object, attributes);
}

this.accessDecisionManager取得AffirmativeBased实例执行decide(authenticated, object, attributes) 方法。

标签：object,FilterSecurityInterceptor,Object,authenticated,详情,attributes,beforeInvoca
来源： https://blog.csdn.net/qq_36440298/article/details/89307171