Package org.springframework.security.web.access

Class AuthorizationManagerWebInvocationPrivilegeEvaluator

java.lang.Object

org.springframework.security.web.access.AuthorizationManagerWebInvocationPrivilegeEvaluator

All Implemented Interfaces:

org.springframework.beans.factory.Aware, WebInvocationPrivilegeEvaluator, org.springframework.web.context.ServletContextAware

public final class AuthorizationManagerWebInvocationPrivilegeEvaluator
extends Object
implements WebInvocationPrivilegeEvaluator, org.springframework.web.context.ServletContextAware

An implementation of WebInvocationPrivilegeEvaluator which delegates the checks to an instance of AuthorizationManager

Since:

5.5.5

Nested Class Summary

Nested Classes

Modifier and Type	Class	Description
static interface	AuthorizationManagerWebInvocationPrivilegeEvaluator.HttpServletRequestTransformer	Used to transform the HttpServletRequest prior to passing it into the AuthorizationManager.

Constructor Summary

Constructors

Constructor	Description
AuthorizationManagerWebInvocationPrivilegeEvaluator(AuthorizationManager<jakarta.servlet.http.HttpServletRequest> authorizationManager)

Method Summary

Modifier and Type	Method	Description
boolean	isAllowed(String contextPath, String uri, String method, Authentication authentication)	Determines whether the user represented by the supplied Authentication object is allowed to invoke the supplied URI, with the given parameters.
boolean	isAllowed(String uri, Authentication authentication)	Determines whether the user represented by the supplied Authentication object is allowed to invoke the supplied URI.
void	setRequestTransformer(AuthorizationManagerWebInvocationPrivilegeEvaluator.HttpServletRequestTransformer requestTransformer)	Set a AuthorizationManagerWebInvocationPrivilegeEvaluator.HttpServletRequestTransformer to be used prior to passing to the AuthorizationManager.
void	setServletContext(jakarta.servlet.ServletContext servletContext)

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Details

AuthorizationManagerWebInvocationPrivilegeEvaluator

public AuthorizationManagerWebInvocationPrivilegeEvaluator(AuthorizationManager<jakarta.servlet.http.HttpServletRequest> authorizationManager)

Method Details

isAllowed

public boolean isAllowed(String uri,
 Authentication authentication)

Description copied from interface: WebInvocationPrivilegeEvaluator

Determines whether the user represented by the supplied Authentication object is allowed to invoke the supplied URI.

Note this will only match authorization rules that don't require a certain HttpMethod.

Specified by:

isAllowed in interface WebInvocationPrivilegeEvaluator

Parameters:

uri - the URI excluding the context path (a default context path setting will be used)

isAllowed

public boolean isAllowed(String contextPath,
 String uri,
 String method,
 Authentication authentication)

Description copied from interface: WebInvocationPrivilegeEvaluator

Determines whether the user represented by the supplied Authentication object is allowed to invoke the supplied URI, with the given parameters.

Note:

• The default implementation of FilterInvocationSecurityMetadataSource disregards the contextPath when evaluating which secure object metadata applies to a given request URI, so generally the contextPath is unimportant unless you are using a custom FilterInvocationSecurityMetadataSource.
• this will only match authorization rules that don't require a certain HttpMethod.

Specified by:

isAllowed in interface WebInvocationPrivilegeEvaluator

Parameters:

contextPath - the context path (may be null).

uri - the URI excluding the context path

method - the HTTP method (or null, for any method)

authentication - the Authentication instance whose authorities should be used in evaluation whether access should be granted.

Returns:

true if access is allowed, false if denied

setServletContext

public void setServletContext(jakarta.servlet.ServletContext servletContext)

Specified by:

setServletContext in interface org.springframework.web.context.ServletContextAware

setRequestTransformer

public void setRequestTransformer(AuthorizationManagerWebInvocationPrivilegeEvaluator.HttpServletRequestTransformer requestTransformer)

Set a AuthorizationManagerWebInvocationPrivilegeEvaluator.HttpServletRequestTransformer to be used prior to passing to the AuthorizationManager.

Parameters:

requestTransformer - the AuthorizationManagerWebInvocationPrivilegeEvaluator.HttpServletRequestTransformer to use.