Once configured, using the channel security filter is very easy. Simply request pages without regard to the protocol (i.e. HTTP or HTTPS) or port (e.g. 80, 8080, 443, 8443, etc.). Obviously you'll still need a way of making the initial request (probably via the web.xml <welcome-file> or a well-known home page URL), but once this is done the filter will perform redirects as defined by your application context.

You can also add your own ChannelProcessor implementations to the ChannelDecisionManagerImpl. For example, you might set an HttpSession attribute when a human user is detected via an "enter the contents of this graphic" procedure. Your ChannelProcessor would respond to, say, REQUIRES_HUMAN_USER configuration attributes and redirect to an appropriate entry point to start the human user validation process if the HttpSession attribute is not currently set.
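
The human-user check described above could be written as follows. This is an added example, not code from the original documentation: it assumes the Spring Security 3.x to 5.x ChannelProcessor signature and the javax.servlet API (the Acegi-era interface takes a ConfigAttributeDefinition instead), and the class name and the HUMAN_USER_VERIFIED session attribute are hypothetical.

```java
import java.io.IOException;
import java.util.Collection;

import javax.servlet.ServletException;
import javax.servlet.http.HttpSession;

import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.web.FilterInvocation;
import org.springframework.security.web.access.channel.ChannelEntryPoint;
import org.springframework.security.web.access.channel.ChannelProcessor;

public class HumanUserChannelProcessor implements ChannelProcessor {

    // Hypothetical attribute name: the challenge page sets it to Boolean.TRUE
    // in the session only after the graphic was answered correctly.
    public static final String HUMAN_VERIFIED_ATTRIBUTE = "HUMAN_USER_VERIFIED";

    private static final String KEYWORD = "REQUIRES_HUMAN_USER";

    // Entry point that redirects the browser to the challenge page.
    private final ChannelEntryPoint entryPoint;

    public HumanUserChannelProcessor(ChannelEntryPoint entryPoint) {
        this.entryPoint = entryPoint;
    }

    @Override
    public boolean supports(ConfigAttribute attribute) {
        return attribute != null && KEYWORD.equals(attribute.getAttribute());
    }

    @Override
    public void decide(FilterInvocation invocation, Collection<ConfigAttribute> config)
            throws IOException, ServletException {
        for (ConfigAttribute attribute : config) {
            if (!supports(attribute)) {
                continue;
            }
            // getSession(false): do not create a session just to run the check.
            HttpSession session = invocation.getHttpRequest().getSession(false);
            boolean verified = session != null
                    && Boolean.TRUE.equals(session.getAttribute(HUMAN_VERIFIED_ATTRIBUTE));
            if (!verified) {
                // Commits the response, so the filter does not continue the chain.
                entryPoint.commence(invocation.getRequest(), invocation.getResponse());
            }
            return; // one matching attribute is enough
        }
    }
}
```

The URL the entry point redirects to must not itself carry REQUIRES_HUMAN_USER, otherwise the filter redirects in a loop. Because the check relies on a session attribute, the application should set it only on the server after validating the answer, never from a request parameter.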

To decide whether a security check belongs in a ChannelProcessor or an AccessDecisionVoter, remember that the former is designed to handle unauthenticated requests, whilst the latter is designed to handle authenticated requests. The latter therefore has access to the granted authorities of the authenticated principal. In addition, problems detected by a ChannelProcessor will generally cause an HTTP/HTTPS redirection so its requirements can be met, whilst problems detected by an AccessDecisionVoter will ultimately result in an AccessDeniedException (depending on the governing AccessDecisionManager).