public interface AccessDecisionVoter<S>
The coordination of voting (ie polling AccessDecisionVoter
s,
tallying their responses, and making the final authorization decision) is
performed by an AccessDecisionManager
.
Modifier and Type | Field and Description |
---|---|
static int |
ACCESS_ABSTAIN |
static int |
ACCESS_DENIED |
static int |
ACCESS_GRANTED |
Modifier and Type | Method and Description |
---|---|
boolean |
supports(Class<?> clazz)
Indicates whether the
AccessDecisionVoter implementation is able to provide access control
votes for the indicated secured object type. |
boolean |
supports(ConfigAttribute attribute)
Indicates whether this
AccessDecisionVoter is able to vote on the passed ConfigAttribute . |
int |
vote(Authentication authentication,
S object,
Collection<ConfigAttribute> attributes)
Indicates whether or not access is granted.
|
static final int ACCESS_GRANTED
static final int ACCESS_ABSTAIN
static final int ACCESS_DENIED
boolean supports(ConfigAttribute attribute)
AccessDecisionVoter
is able to vote on the passed ConfigAttribute
.
This allows the AbstractSecurityInterceptor
to check every configuration attribute can be consumed by
the configured AccessDecisionManager
and/or RunAsManager
and/or AfterInvocationManager
.
attribute
- a configuration attribute that has been configured against the
AbstractSecurityInterceptor
AccessDecisionVoter
can support the passed configuration attributeboolean supports(Class<?> clazz)
AccessDecisionVoter
implementation is able to provide access control
votes for the indicated secured object type.clazz
- the class that is being queriedint vote(Authentication authentication, S object, Collection<ConfigAttribute> attributes)
The decision must be affirmative (ACCESS_GRANTED
), negative (ACCESS_DENIED
)
or the AccessDecisionVoter
can abstain (ACCESS_ABSTAIN
) from voting.
Under no circumstances should implementing classes return any other value. If a weighting of results is desired,
this should be handled in a custom AccessDecisionManager
instead.
Unless an AccessDecisionVoter
is specifically intended to vote on an access control
decision due to a passed method invocation or configuration attribute parameter, it must return
ACCESS_ABSTAIN
. This prevents the coordinating AccessDecisionManager
from counting
votes from those AccessDecisionVoter
s without a legitimate interest in the access control
decision.
Whilst the secured object (such as a MethodInvocation
) is passed as a parameter to maximise flexibility
in making access control decisions, implementing classes should not modify it or cause the represented invocation
to take place (for example, by calling MethodInvocation.proceed()
).
authentication
- the caller making the invocationobject
- the secured object being invokedattributes
- the configuration attributes associated with the secured objectACCESS_GRANTED
, ACCESS_ABSTAIN
or ACCESS_DENIED