Class UserRoleAuthorizationInterceptor

java.lang.Object
org.springframework.web.servlet.handler.UserRoleAuthorizationInterceptor
All Implemented Interfaces:
HandlerInterceptor

public class UserRoleAuthorizationInterceptor extends Object implements HandlerInterceptor
Interceptor that checks the authorization of the current user via the user's roles, as evaluated by HttpServletRequest's isUserInRole method.
Since:
20.06.2003
Author:
Juergen Hoeller
  • Constructor Details

    • UserRoleAuthorizationInterceptor

      public UserRoleAuthorizationInterceptor()
  • Method Details

    • setAuthorizedRoles

      public final void setAuthorizedRoles(String... authorizedRoles)
      Set the roles that this interceptor should treat as authorized.
      Parameters:
      authorizedRoles - array of role names
    • preHandle

      public final boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws ServletException, IOException
      Description copied from interface: HandlerInterceptor
      Interception point before the execution of a handler. Called after HandlerMapping determined an appropriate handler object, but before HandlerAdapter invokes the handler.

      DispatcherServlet processes a handler in an execution chain, consisting of any number of interceptors, with the handler itself at the end. With this method, each interceptor can decide to abort the execution chain, typically sending an HTTP error or writing a custom response.

      Note: special considerations apply for asynchronous request processing. For more details see AsyncHandlerInterceptor.

      The default implementation returns true.

      Specified by:
      preHandle in interface HandlerInterceptor
      Parameters:
      request - current HTTP request
      response - current HTTP response
      handler - chosen handler to execute, for type and/or instance evaluation
      Returns:
      true if the execution chain should proceed with the next interceptor or the handler itself. Else, DispatcherServlet assumes that this interceptor has already dealt with the response itself.
      Throws:
      ServletException
      IOException
    • handleNotAuthorized

      protected void handleNotAuthorized(HttpServletRequest request, HttpServletResponse response, Object handler) throws ServletException, IOException
      Handle a request that is not authorized according to this interceptor. Default implementation sends HTTP status code 403 ("forbidden").

      This method can be overridden to write a custom message, forward or redirect to some error page or login page, or throw a ServletException.

      Parameters:
      request - current HTTP request
      response - current HTTP response
      handler - chosen handler to execute, for type and/or instance evaluation
      Throws:
      ServletException - if there is an internal error
      IOException - in case of an I/O error when writing the response
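
Added example, not part of the Spring Javadoc: one way to register this interceptor for a protected path and override handleNotAuthorized so that unauthenticated requests are redirected while authenticated users without a role still get the default 403. The class names, role names ("ADMIN", "AUDITOR"), the "/admin/**" pattern and the "/login" path are assumptions, as is the jakarta.servlet namespace (Spring Framework 6; on 5.x use javax.servlet).

```java
import java.io.IOException;

import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
import org.springframework.web.servlet.handler.UserRoleAuthorizationInterceptor;

// Hypothetical configuration class; role names and paths are assumptions.
@Configuration
public class AdminAuthorizationConfig implements WebMvcConfigurer {

    @Override
    public void addInterceptors(InterceptorRegistry registry) {
        UserRoleAuthorizationInterceptor interceptor = new LoginAwareRoleInterceptor();
        // A user holding any one of these roles passes preHandle.
        // Names must match what HttpServletRequest.isUserInRole reports.
        interceptor.setAuthorizedRoles("ADMIN", "AUDITOR");
        // Only requests matching this pattern are checked by the interceptor.
        registry.addInterceptor(interceptor).addPathPatterns("/admin/**");
    }

    /** Separates "not logged in" from "logged in without an authorized role". */
    static class LoginAwareRoleInterceptor extends UserRoleAuthorizationInterceptor {

        @Override
        protected void handleNotAuthorized(HttpServletRequest request,
                HttpServletResponse response, Object handler)
                throws ServletException, IOException {
            if (request.getUserPrincipal() == null) {
                // No authenticated user: redirect to the (assumed) login page.
                response.sendRedirect(request.getContextPath() + "/login");
            }
            else {
                // Authenticated but lacking a role: keep the default 403 response.
                super.handleNotAuthorized(request, response, handler);
            }
        }
    }
}
```

The check is only as reliable as isUserInRole itself, so the servlet container or a security filter must have established the user's identity and roles on the request before the interceptor runs.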