Package org.springframework.security.web.access

Interface WebInvocationPrivilegeEvaluator

All Known Implementing Classes:
AuthorizationManagerWebInvocationPrivilegeEvaluator, DefaultWebInvocationPrivilegeEvaluator, RequestMatcherDelegatingWebInvocationPrivilegeEvaluator
public interface WebInvocationPrivilegeEvaluator
Allows users to determine whether they have privileges for a given web URI.
Since:
3.0

  • Method Summary

    Modifier and Type
    Method
    Description
    boolean
    isAllowed(String contextPath, String uri, String method, Authentication authentication)
    Determines whether the user represented by the supplied Authentication object is allowed to invoke the supplied URI, with the given parameters.
    boolean
    isAllowed(String uri, Authentication authentication)
    Determines whether the user represented by the supplied Authentication object is allowed to invoke the supplied URI.

  • Method Details

    • isAllowed

      boolean isAllowed(String uri, Authentication authentication)
      Determines whether the user represented by the supplied Authentication object is allowed to invoke the supplied URI.

      Note this will only match authorization rules that don't require a certain HttpMethod.

      Parameters:
      uri - the URI excluding the context path (a default context path setting will be used)

    • isAllowed

      boolean isAllowed(String contextPath, String uri, String method, Authentication authentication)
      Determines whether the user represented by the supplied Authentication object is allowed to invoke the supplied URI, with the given parameters.

      Note:

      • The default implementation of FilterInvocationSecurityMetadataSource disregards the contextPath when evaluating which secure object metadata applies to a given request URI, so generally the contextPath is unimportant unless you are using a custom FilterInvocationSecurityMetadataSource.
      • this will only match authorization rules that don't require a certain HttpMethod.
      Parameters:
      uri - the URI excluding the context path
      contextPath - the context path (may be null).
      method - the HTTP method (or null, for any method)
      authentication - the Authentication instance whose authorities should be used in evaluation whether access should be granted.
      Returns:
      true if access is allowed, false if denied