吐槽spring security 3.2 框架
在实际应用中觉得spring security的命名空间缺少两个元素:<!--[endif]-->
form-login 没有Post-only属性的配置,而UsernamePasswordAuthenticationFilter 源码中post默认为true
public class UsernamePasswordAuthenticationFilter extends
AbstractAuthenticationProcessingFilter {
public static final String SPRING_SECURITY_FORM_USERNAME_KEY = "j_username";
public static final String SPRING_SECURITY_FORM_PASSWORD_KEY = "j_password";
@Deprecated
public static final String SPRING_SECURITY_LAST_USERNAME_KEY = "SPRING_SECURITY_LAST_USERNAME";
private String usernameParameter = "j_username";
private String passwordParameter = "j_password";
private boolean postOnly = true;
why http 中提供了FilterSecurityInterceptor的accessDecisionManager和authenticationManager的配置,而不提供FilterInvocationSecurityMetadataSource的配置??