|
||||||||||
PREV CLASS NEXT CLASS | FRAMES NO FRAMES | |||||||||
SUMMARY: NESTED | FIELD | CONSTR | METHOD | DETAIL: FIELD | CONSTR | METHOD |
java.lang.Object org.springframework.security.access.vote.RoleVoter
public class RoleVoter
Votes if any ConfigAttribute.getAttribute()
starts with a prefix
indicating that it is a role. The default prefix string is ROLE_
,
but this may be overridden to any value. It may also be set to empty, which
means that essentially any attribute will be voted on. As described further
below, the effect of an empty prefix may not be quite desirable.
Abstains from voting if no configuration attribute commences with the role
prefix. Votes to grant access if there is an exact matching
GrantedAuthority
to a ConfigAttribute
starting with the role prefix. Votes to deny access if there is no exact
matching GrantedAuthority
to a ConfigAttribute
starting with the role prefix.
An empty role prefix means that the voter will vote for every
ConfigAttribute. When there are different categories of ConfigAttributes
used, this will not be optimal since the voter will be voting for attributes
which do not represent roles. However, this option may be of some use when
using pre-existing role names without a prefix, and no ability exists to
prefix them with a role prefix on reading them in, such as provided for
example in JdbcDaoImpl
.
All comparisons and prefixes are case sensitive.
Field Summary |
---|
Fields inherited from interface org.springframework.security.access.AccessDecisionVoter |
---|
ACCESS_ABSTAIN, ACCESS_DENIED, ACCESS_GRANTED |
Constructor Summary | |
---|---|
RoleVoter()
|
Method Summary | |
---|---|
String |
getRolePrefix()
|
void |
setRolePrefix(String rolePrefix)
Allows the default role prefix of ROLE_ to be overridden. |
boolean |
supports(Class<?> clazz)
This implementation supports any type of class, because it does not query the presented secure object. |
boolean |
supports(ConfigAttribute attribute)
Indicates whether this AccessDecisionVoter is able to vote on the passed
ConfigAttribute . |
int |
vote(Authentication authentication,
Object object,
Collection<ConfigAttribute> attributes)
Indicates whether or not access is granted. |
Methods inherited from class java.lang.Object |
---|
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait |
Constructor Detail |
---|
public RoleVoter()
Method Detail |
---|
public String getRolePrefix()
public void setRolePrefix(String rolePrefix)
ROLE_
to be overridden.
May be set to an empty value, although this is usually not desirable.
rolePrefix
- the new prefixpublic boolean supports(ConfigAttribute attribute)
AccessDecisionVoter
AccessDecisionVoter
is able to vote on the passed
ConfigAttribute
.This allows the AbstractSecurityInterceptor
to check every
configuration attribute can be consumed by the configured AccessDecisionManager
and/or
RunAsManager
and/or AfterInvocationManager
.
supports
in interface AccessDecisionVoter
attribute
- a configuration attribute that has been configured against the
AbstractSecurityInterceptor
AccessDecisionVoter
can support the passed configuration attributepublic boolean supports(Class<?> clazz)
supports
in interface AccessDecisionVoter
clazz
- the secure object
true
public int vote(Authentication authentication, Object object, Collection<ConfigAttribute> attributes)
AccessDecisionVoter
The decision must be affirmative (ACCESS_GRANTED
), negative (ACCESS_DENIED
)
or the AccessDecisionVoter
can abstain (ACCESS_ABSTAIN
) from voting.
Under no circumstances should implementing classes return any other value. If a weighting of results is desired,
this should be handled in a custom AccessDecisionManager
instead.
Unless an AccessDecisionVoter
is specifically intended to vote on an access control
decision due to a passed method invocation or configuration attribute parameter, it must return
ACCESS_ABSTAIN
. This prevents the coordinating AccessDecisionManager
from counting
votes from those AccessDecisionVoter
s without a legitimate interest in the access control
decision.
Whilst the method invocation is passed as a parameter to maximise flexibility in making access
control decisions, implementing classes must never modify the behaviour of the method invocation (such as
calling MethodInvocation.proceed()
).
vote
in interface AccessDecisionVoter
authentication
- the caller invoking the methodobject
- the secured objectattributes
- the configuration attributes associated with the method being invoked
AccessDecisionVoter.ACCESS_GRANTED
, AccessDecisionVoter.ACCESS_ABSTAIN
or AccessDecisionVoter.ACCESS_DENIED
|
||||||||||
PREV CLASS NEXT CLASS | FRAMES NO FRAMES | |||||||||
SUMMARY: NESTED | FIELD | CONSTR | METHOD | DETAIL: FIELD | CONSTR | METHOD |