Minor rewording of "child web context" FAQ.

2011-03-13 20:45:22 +00:00 · 2011-03-13 20:45:22 +00:00 · 3a3b2df1c5
parent bb3b8e4683
commit 3a3b2df1c5
1 changed files with 17 additions and 8 deletions
--- a/docs/faq/src/docbook/faq.xml
+++ b/docs/faq/src/docbook/faq.xml
@ -326,14 +326,23 @@
                    element to my application context but if I add security annotations to my
                    Spring MVC controller beans (Struts actions etc.) then they don't seem to
                    have an effect.</para></question>
-                <answer><para> The application context which holds the Spring MVC beans for the
-                    dispatcher servlet is a child application context of the main application
-                    context which is loaded using the
-                    <classname>ContextLoaderListener</classname> you define in your
-                    <filename>web.xml</filename>. The beans in the child context are not
-                    visible in the parent context so you need to either move the
-                    &lt;global-method-security&gt; declaration to the web context or moved the
-                    beans you want secured into the main application context.
+                <answer><para> In a Spring web application, the application context which
+                    holds the Spring MVC beans for the dispatcher servlet is often separate from the main
+                    application context. It is often defined in a file called
+                    <literal>myapp-servlet.xml</literal>, where <quote>myapp</quote> is the name
+                    assigned to the Spring <classname>DispatcherServlet</classname> in <filename>web.xml</filename>.
+                    An application can have multiple <classname>DispatcherServlet</classname>s, each with its own
+                    isolated application context. The beans in these <quote>child</quote> contexts are not
+                    visible to the rest of the application. The <quote>parent</quote> application context is
+                    loaded by the <classname>ContextLoaderListener</classname> you define in your
+                    <filename>web.xml</filename> and is visible to all the child contexts. This parent context is
+                    usually where you define your security configuration, including the
+                    <literal>&lt;global-method-security&gt;</literal> element). As a result
+                    any security constraints applied to methods in these web beans will not be enforced,
+                    since the beans cannot be seen from the <classname>DispatcherServlet</classname> context.
+                    You need to either move the <literal>&lt;global-method-security&gt;</literal>
+                    declaration to the web context or moved the beans you want secured into the main
+                    application context.
                </para><para>Generally we would recommend applying method security at the
                    service layer rather than on individual web controllers.</para></answer>
            </qandaentry>