Class UserRoleAuthorizationInterceptor
java.lang.Object
org.springframework.web.servlet.handler.UserRoleAuthorizationInterceptor
- All Implemented Interfaces:
HandlerInterceptor
Interceptor that checks the authorization of the current user via the
user's roles, as evaluated by HttpServletRequest's isUserInRole method.
- Since: 20.06.2003
- Author: Juergen Hoeller
Method Summary
| Modifier and Type | Method | Description |
| --- | --- | --- |
| protected void | handleNotAuthorized(HttpServletRequest request, HttpServletResponse response, Object handler) | Handle a request that is not authorized according to this interceptor. |
| final boolean | preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) | Interception point before the execution of a handler. |
| final void | setAuthorizedRoles(String... authorizedRoles) | Set the roles that this interceptor should treat as authorized. |
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
Methods inherited from interface org.springframework.web.servlet.HandlerInterceptor
afterCompletion, postHandle
Constructor Details
UserRoleAuthorizationInterceptor
public UserRoleAuthorizationInterceptor()
Method Details
setAuthorizedRoles
Set the roles that this interceptor should treat as authorized.
- Parameters:
authorizedRoles - array of role names
preHandle
public final boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws ServletException, IOException
Description copied from interface: HandlerInterceptor
Interception point before the execution of a handler. Called after HandlerMapping determined an appropriate handler object, but before HandlerAdapter invokes the handler.
DispatcherServlet processes a handler in an execution chain, consisting of any number of interceptors, with the handler itself at the end. With this method, each interceptor can decide to abort the execution chain, typically sending an HTTP error or writing a custom response.
Note: special considerations apply for asynchronous request processing. For more details see AsyncHandlerInterceptor.
The default implementation returns true.
- Specified by:
preHandle in interface HandlerInterceptor
- Parameters:
request - current HTTP request
response - current HTTP response
handler - chosen handler to execute, for type and/or instance evaluation
- Returns:
true if the execution chain should proceed with the next interceptor or the handler itself. Else, DispatcherServlet assumes that this interceptor has already dealt with the response itself.
- Throws:
ServletException
IOException
handleNotAuthorized
protected void handleNotAuthorized(HttpServletRequest request, HttpServletResponse response, Object handler) throws ServletException, IOException
Handle a request that is not authorized according to this interceptor. Default implementation sends HTTP status code 403 ("forbidden").
This method can be overridden to write a custom message, forward or redirect to some error page or login page, or throw a ServletException.
- Parameters:
request - current HTTP request
response - current HTTP response
handler - chosen handler to execute, for type and/or instance evaluation
- Throws:
ServletException - if there is an internal error
IOException - in case of an I/O error when writing the response
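Added example (not part of the Spring documentation): registering the interceptor for a path and overriding handleNotAuthorized so that unauthenticated requests get 401 while authenticated users without a listed role keep the default 403. The class names AdminRoleConfig and AdminRoleInterceptor, the role names ADMIN and AUDITOR, and the /admin/** pattern are assumptions for illustration; the jakarta.servlet imports assume Spring Framework 6 (use javax.servlet on 5.x).

```java
import java.io.IOException;

import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
import org.springframework.web.servlet.handler.UserRoleAuthorizationInterceptor;

// Hypothetical configuration class, named for this example only.
@Configuration
public class AdminRoleConfig implements WebMvcConfigurer {

    // Hypothetical subclass: separates "no authenticated user" from
    // "authenticated, but in none of the authorized roles".
    static class AdminRoleInterceptor extends UserRoleAuthorizationInterceptor {

        @Override
        protected void handleNotAuthorized(HttpServletRequest request,
                HttpServletResponse response, Object handler)
                throws ServletException, IOException {
            if (request.getUserPrincipal() == null) {
                // The container reports no authenticated principal: answer 401.
                response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
                return;
            }
            // Authenticated but lacking every listed role: keep the default 403.
            super.handleNotAuthorized(request, response, handler);
        }
    }

    @Override
    public void addInterceptors(InterceptorRegistry registry) {
        AdminRoleInterceptor interceptor = new AdminRoleInterceptor();
        // Role names are assumptions; each is checked with isUserInRole,
        // and a match on any one of them lets the request proceed.
        interceptor.setAuthorizedRoles("ADMIN", "AUDITOR");
        // Only requests matching this pattern pass through the role check.
        registry.addInterceptor(interceptor).addPathPatterns("/admin/**");
    }
}
```

Handlers mapped outside the registered pattern are not role-checked by this configuration, so the pattern has to cover every path that needs the restriction.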