Package org.springframework.security.web.access

Interface WebInvocationPrivilegeEvaluator

All Known Implementing Classes:
AuthorizationManagerWebInvocationPrivilegeEvaluator, DefaultWebInvocationPrivilegeEvaluator, RequestMatcherDelegatingWebInvocationPrivilegeEvaluator
public interface WebInvocationPrivilegeEvaluator
Allows users to determine whether they have privileges for a given web URI.
Since:
3.0

  • Method Summary

    Modifier and Type
    Method
    Description
    boolean
    isAllowed(String uri, @Nullable Authentication authentication)
    Determines whether the user represented by the supplied Authentication object is allowed to invoke the supplied URI.
    boolean
    isAllowed(String contextPath, String uri, @Nullable String method, @Nullable Authentication authentication)
    Determines whether the user represented by the supplied Authentication object is allowed to invoke the supplied URI, with the given parameters.

  • Method Details

    • isAllowed

      boolean isAllowed(String uri, @Nullable Authentication authentication)
      Determines whether the user represented by the supplied Authentication object is allowed to invoke the supplied URI.

      Note this will only match authorization rules that don't require a certain HttpMethod.

      Parameters:
      uri - the URI excluding the context path (a default context path setting will be used)

    • isAllowed

      boolean isAllowed(String contextPath, String uri, @Nullable String method, @Nullable Authentication authentication)
      Determines whether the user represented by the supplied Authentication object is allowed to invoke the supplied URI, with the given parameters.

      Note:

      • The default implementation of FilterInvocationSecurityMetadataSource disregards the contextPath when evaluating which secure object metadata applies to a given request URI, so generally the contextPath is unimportant unless you are using a custom FilterInvocationSecurityMetadataSource.
      • this will only match authorization rules that don't require a certain HttpMethod.
      Parameters:
      uri - the URI excluding the context path
      contextPath - the context path (may be null).
      method - the HTTP method (or null, for any method)
      authentication - the Authentication instance whose authorities should be used in evaluation whether access should be granted.
      Returns:
      true if access is allowed, false if denied