public interface AccessDecisionVoter
Indicates a class is responsible for voting on authorization decisions.
The coordination of voting (i.e. polling AccessDecisionVoters, tallying their responses, and making the final authorization decision) is performed by an AccessDecisionManager.
Field Summary | |
---|---|
static int | ACCESS_ABSTAIN |
static int | ACCESS_DENIED |
static int | ACCESS_GRANTED |
Method Summary | |
---|---|
boolean | supports(Class<?> clazz): Indicates whether the AccessDecisionVoter implementation is able to provide access control votes for the indicated secured object type. |
boolean | supports(ConfigAttribute attribute): Indicates whether this AccessDecisionVoter is able to vote on the passed ConfigAttribute. |
int | vote(Authentication authentication, Object object, Collection<ConfigAttribute> attributes): Indicates whether or not access is granted. |
Field Detail |
---|
static final int ACCESS_GRANTED
static final int ACCESS_ABSTAIN
static final int ACCESS_DENIED
Method Detail |
---|
boolean supports(ConfigAttribute attribute)
Indicates whether this AccessDecisionVoter is able to vote on the passed ConfigAttribute.
This allows the AbstractSecurityInterceptor to check that every configuration attribute can be consumed by the configured AccessDecisionManager and/or RunAsManager and/or AfterInvocationManager.
Parameters:
attribute - a configuration attribute that has been configured against the AbstractSecurityInterceptor
Returns:
true if this AccessDecisionVoter can support the passed configuration attribute
boolean supports(Class<?> clazz)
Indicates whether the AccessDecisionVoter implementation is able to provide access control votes for the indicated secured object type.
Parameters:
clazz - the class that is being queried
int vote(Authentication authentication, Object object, Collection<ConfigAttribute> attributes)
Indicates whether or not access is granted.
The decision must be affirmative (ACCESS_GRANTED), negative (ACCESS_DENIED) or the AccessDecisionVoter can abstain (ACCESS_ABSTAIN) from voting. Under no circumstances should implementing classes return any other value. If a weighting of results is desired, this should be handled in a custom AccessDecisionManager instead.
Unless an AccessDecisionVoter is specifically intended to vote on an access control decision due to a passed method invocation or configuration attribute parameter, it must return ACCESS_ABSTAIN. This prevents the coordinating AccessDecisionManager from counting votes from those AccessDecisionVoters without a legitimate interest in the access control decision.
Whilst the method invocation is passed as a parameter to maximise flexibility in making access control decisions, implementing classes must never modify the behaviour of the method invocation (such as calling MethodInvocation.proceed()).
Parameters:
authentication - the caller invoking the method
object - the secured object
attributes - the configuration attributes associated with the method being invoked
Returns:
either ACCESS_GRANTED, ACCESS_ABSTAIN or ACCESS_DENIED
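The following voter is an added example, not code from Spring Security, showing one way to honour the vote() contract described above: it abstains unless a supported attribute is present, returns only the three defined constants, and never touches the secured object. It is written against the non-generic interface signatures shown on this page; the class name DepartmentVoter and the attribute prefix "DEPT_" are hypothetical.

```java
import java.util.Collection;

import org.springframework.security.access.AccessDecisionVoter;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;

// Added example: votes only on attributes that start with a hypothetical prefix.
public class DepartmentVoter implements AccessDecisionVoter {

    private static final String PREFIX = "DEPT_"; // hypothetical, not a Spring Security value

    public boolean supports(ConfigAttribute attribute) {
        // getAttribute() may return null when the attribute has no String form.
        String value = attribute.getAttribute();
        return value != null && value.startsWith(PREFIX);
    }

    public boolean supports(Class<?> clazz) {
        return true; // this voter's decision does not depend on the secured object type
    }

    public int vote(Authentication authentication, Object object,
                    Collection<ConfigAttribute> attributes) {
        // No legitimate interest in the decision until a supported attribute is seen.
        int result = ACCESS_ABSTAIN;
        for (ConfigAttribute attribute : attributes) {
            if (!supports(attribute)) {
                continue; // leave unrelated attributes to other voters
            }
            // A supported attribute is present: deny unless an authority matches it.
            result = ACCESS_DENIED;
            if (authentication == null) {
                continue; // no caller, so nothing can match
            }
            for (GrantedAuthority authority : authentication.getAuthorities()) {
                if (attribute.getAttribute().equals(authority.getAuthority())) {
                    return ACCESS_GRANTED;
                }
            }
        }
        // 'object' is only ever inspected, never invoked: no MethodInvocation.proceed().
        return result;
    }
}
```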