Package org.springframework.security.web.access

Class AuthorizationManagerWebInvocationPrivilegeEvaluator

java.lang.Object
org.springframework.security.web.access.AuthorizationManagerWebInvocationPrivilegeEvaluator
All Implemented Interfaces:
org.springframework.beans.factory.Aware, WebInvocationPrivilegeEvaluator, org.springframework.web.context.ServletContextAware
public final class AuthorizationManagerWebInvocationPrivilegeEvaluator extends Object implements WebInvocationPrivilegeEvaluator, org.springframework.web.context.ServletContextAware
An implementation of WebInvocationPrivilegeEvaluator which delegates the checks to an instance of AuthorizationManager
Since:
5.5.5

  • Constructor Details

    • AuthorizationManagerWebInvocationPrivilegeEvaluator

      public AuthorizationManagerWebInvocationPrivilegeEvaluator(AuthorizationManager<jakarta.servlet.http.HttpServletRequest> authorizationManager)

  • Method Details

    • isAllowed

      public boolean isAllowed(String uri, @Nullable Authentication authentication)
      Description copied from interface: WebInvocationPrivilegeEvaluator
      Determines whether the user represented by the supplied Authentication object is allowed to invoke the supplied URI.

      Note this will only match authorization rules that don't require a certain HttpMethod.

      Specified by:
      isAllowed in interface WebInvocationPrivilegeEvaluator
      Parameters:
      uri - the URI excluding the context path (a default context path setting will be used)

    • isAllowed

      public boolean isAllowed(@Nullable String contextPath, String uri, @Nullable String method, @Nullable Authentication authentication)
      Description copied from interface: WebInvocationPrivilegeEvaluator
      Determines whether the user represented by the supplied Authentication object is allowed to invoke the supplied URI, with the given parameters.

      Note:

      • The default implementation of FilterInvocationSecurityMetadataSource disregards the contextPath when evaluating which secure object metadata applies to a given request URI, so generally the contextPath is unimportant unless you are using a custom FilterInvocationSecurityMetadataSource.
      • this will only match authorization rules that don't require a certain HttpMethod.
      Specified by:
      isAllowed in interface WebInvocationPrivilegeEvaluator
      Parameters:
      contextPath - the context path (may be null).
      uri - the URI excluding the context path
      method - the HTTP method (or null, for any method)
      authentication - the Authentication instance whose authorities should be used in evaluation whether access should be granted.
      Returns:
      true if access is allowed, false if denied

    • setServletContext

      public void setServletContext(jakarta.servlet.ServletContext servletContext)
      Specified by:
      setServletContext in interface org.springframework.web.context.ServletContextAware

    • setRequestTransformer

      public void setRequestTransformer(AuthorizationManagerWebInvocationPrivilegeEvaluator.HttpServletRequestTransformer requestTransformer)
      Set a AuthorizationManagerWebInvocationPrivilegeEvaluator.HttpServletRequestTransformer to be used prior to passing to the AuthorizationManager.
      Parameters:
      requestTransformer - the AuthorizationManagerWebInvocationPrivilegeEvaluator.HttpServletRequestTransformer to use.