Comprehensive Authorization Services: Powerful EL-Based Syntax: Spring Security 3.0 focuses on the use of expression-language as an alternative to the older voter-based mechanism. The latter is still fully supported which allows security access rules to be easily defined in terms of the current invocation context without the use of custom code. By using this approach one can define access constraints using multiple factors like user identity, time of day, authorities held, method being invoked, method arguments and specific properties on method arguments or any other syntax supported by Spring-EL.
HTTP Requests Authorization: No longer is it necessary to rely on web.xml security constraints. Spring Security allows securing of static URLs defined using a choice of regular expressions or Apache Ant paths, along with pluggable authentication, access-control and run-as replacement managers.
<!– Filter required by concurrent session handling package The ConcurrentSessionFilter requires two properties, sessionRegistry, which generally points to an instance of SessionRegistryImpl, and expiredUrl, which points to the page to display when a session has expired. –>
<!– Defines a concrete concurrent control strategy Checks whether the user should be allowed to proceed, by comparing the number of sessions they already have active with the configured maximumSessions value. The SessionRegistry is used as the source of data on authenticated users and session data. –>