java.lang.Object
  org.springframework.security.access.vote.AbstractAclVoter
    org.springframework.security.access.vote.LabelBasedAclVoter
public class LabelBasedAclVoter
This Acl voter evaluates methods based on labels applied to incoming arguments. It only checks methods that have been properly tagged in the MethodSecurityInterceptor with the value stored in attributeIndicatingLabeledOperation. If a method has been tagged, the voter examines each argument, and if the argument implements LabeledData, it assesses whether the user's list of granted authorities matches.
By default, if none of the arguments are labeled, access is granted. This can be overridden by setting allowAccessIfNoAttributesAreLabeled to false in the Spring context file.
In many situations, different values are linked together to define a common label, so it is necessary to define a map in the application context that links user-assigned label access to domain object labels. This is done by setting up the labelMap in the application context.
See Also: MethodSecurityInterceptor
Field Summary |
---|
Fields inherited from interface org.springframework.security.access.AccessDecisionVoter |
---|
ACCESS_ABSTAIN, ACCESS_DENIED, ACCESS_GRANTED |
Constructor Summary | |
---|---|
LabelBasedAclVoter() | Deprecated. |
Method Summary | |
---|---|
void | setAllowAccessIfNoAttributesAreLabeled(boolean allowAccessIfNoAttributesAreLabeled) Deprecated. Set whether or not to allow the user to run methods in which none of the incoming arguments are labeled. |
void | setAttributeIndicatingLabeledOperation(String attributeIndicatingLabeledOperation) Deprecated. Each method intended for evaluation by this voter must include this tag name in the definition of the MethodSecurityInterceptor, indicating if this voter should evaluate the arguments and compare them against the label map. |
void | setLabelMap(Map<String,List<String>> labelMap) Deprecated. Set the map that correlates a user's assigned label against domain object values that are considered data labels. |
boolean | supports(ConfigAttribute attribute) Deprecated. This acl voter will only evaluate labeled methods if they are marked in the security interceptor's configuration with the attribute stored in attributeIndicatingLabeledOperation. |
int | vote(Authentication authentication, Object object, Collection<ConfigAttribute> attributes) Deprecated. Vote on whether or not the user has all the labels necessary to match the method argument's labeled data. |
Methods inherited from class org.springframework.security.access.vote.AbstractAclVoter |
---|
getDomainObjectInstance, getProcessDomainObjectClass, setProcessDomainObjectClass, supports |
Methods inherited from class java.lang.Object |
---|
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait |
Constructor Detail |
---|
public LabelBasedAclVoter()
Method Detail |
---|
public void setAllowAccessIfNoAttributesAreLabeled(boolean allowAccessIfNoAttributesAreLabeled)
Default value: true, users can run such methods.
Parameters:
allowAccessIfNoAttributesAreLabeled - boolean

public void setAttributeIndicatingLabeledOperation(String attributeIndicatingLabeledOperation)
Parameters:
attributeIndicatingLabeledOperation - string

public void setLabelMap(Map<String,List<String>> labelMap)

```xml
<bean id="accessDecisionManager" class="org.springframework.security.access.vote.UnanimousBased">
  <property name="allowIfAllAbstainDecisions"><value>false</value></property>
  <property name="decisionVoters">
    <list>
      <bean class="org.springframework.security.access.vote.RoleVoter"/>
      <bean class="org.springframework.security.access.vote.LabelBasedAclVoter">
        <property name="attributeIndicatingLabeledOperation">
          <value>LABELED_OPERATION</value>
        </property>
        <property name="labelMap">
          <map>
            <entry key="DATA_LABEL_BLUE">
              <list>
                <value>blue</value>
                <value>indigo</value>
                <value>purple</value>
              </list>
            </entry>
            <entry key="LABEL_ORANGE">
              <list>
                <value>orange</value>
                <value>sunshine</value>
                <value>amber</value>
              </list>
            </entry>
            <entry key="LABEL_ADMIN">
              <list>
                <value>blue</value>
                <value>indigo</value>
                <value>purple</value>
                <value>orange</value>
                <value>sunshine</value>
                <value>amber</value>
              </list>
            </entry>
          </map>
        </property>
      </bean>
    </list>
  </property>
</bean>
```

Parameters:
labelMap - a map structured as in the above example.

public boolean supports(ConfigAttribute attribute)
Parameters:
attribute - a configuration attribute that has been configured against the AbstractSecurityInterceptor
Returns:
AccessDecisionVoter can support the passed configuration attribute
See Also:
AbstractAclVoter, MethodSecurityInterceptor

public int vote(Authentication authentication, Object object, Collection<ConfigAttribute> attributes)
Parameters:
authentication - the caller invoking the method
object - the secured object
attributes - the configuration attributes associated with the method being invoked
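
The decision described in the class overview, modelled without Spring so the grant, deny and default cases can be run side by side; this is an added example, not Spring Security's own code. `LabelVoteModel`, `Labeled` (a stand-in for LabeledData) and the sample caller are hypothetical names, abstaining on an untagged method is an assumption of this model, and it needs Java 9 or later.

```java
import java.util.*;

public class LabelVoteModel {
    // Same values as the inherited ACCESS_GRANTED / ACCESS_ABSTAIN / ACCESS_DENIED fields.
    static final int GRANTED = 1, ABSTAIN = 0, DENIED = -1;

    /** Hypothetical stand-in for LabeledData: an argument that carries a data label. */
    interface Labeled { String getLabel(); }

    static int vote(Collection<String> authorities, Collection<String> methodAttributes,
                    Object[] args, Map<String, List<String>> labelMap,
                    String tag, boolean allowIfNoneLabeled) {
        // Untagged methods are not evaluated; abstaining is this model's assumption.
        if (!methodAttributes.contains(tag)) return ABSTAIN;

        // Expand the caller's authorities into the data labels they may access.
        Set<String> userLabels = new HashSet<>();
        for (String authority : authorities) {
            userLabels.addAll(labelMap.getOrDefault(authority, List.of()));
        }

        boolean sawLabeledArg = false;
        for (Object arg : args) {
            if (arg instanceof Labeled) {
                sawLabeledArg = true;
                // Every labeled argument must match; a single miss denies the call.
                if (!userLabels.contains(((Labeled) arg).getLabel())) return DENIED;
            }
        }
        if (sawLabeledArg) return GRANTED;
        // No labeled argument: the flag alone decides, and its default grants access.
        return allowIfNoneLabeled ? GRANTED : DENIED;
    }

    public static void main(String[] unused) {
        Map<String, List<String>> labelMap = Map.of(   // subset of the labelMap example
            "DATA_LABEL_BLUE", List.of("blue", "indigo", "purple"),
            "LABEL_ORANGE", List.of("orange", "sunshine", "amber"));
        List<String> user = List.of("ROLE_USER", "DATA_LABEL_BLUE");   // constructed caller
        List<String> tagged = List.of("LABELED_OPERATION");
        String tag = "LABELED_OPERATION";
        Labeled indigo = () -> "indigo", amber = () -> "amber";
        System.out.println("matching label:   " + vote(user, tagged, new Object[]{indigo}, labelMap, tag, true));
        System.out.println("one mismatch:     " + vote(user, tagged, new Object[]{indigo, amber}, labelMap, tag, true));
        System.out.println("unlabeled, true:  " + vote(user, tagged, new Object[]{"plain"}, labelMap, tag, true));
        System.out.println("unlabeled, false: " + vote(user, tagged, new Object[]{"plain"}, labelMap, tag, false));
        System.out.println("untagged method:  " + vote(user, List.of("ROLE_USER"), new Object[]{amber}, labelMap, tag, true));
    }
}
```

The third and fourth calls differ only in the flag: with the default of true, a tagged method whose arguments carry no label is granted regardless of the caller's labels.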