org.springframework.security.access.intercept
Class RunAsManagerImpl

java.lang.Object
  extended by org.springframework.security.access.intercept.RunAsManagerImpl
All Implemented Interfaces:
InitializingBean, RunAsManager

public class RunAsManagerImpl
extends Object
implements RunAsManager, InitializingBean

Basic concrete implementation of a RunAsManager.

Is activated if any ConfigAttribute.getAttribute() is prefixed with RUN_AS_. If found, it generates a new RunAsUserToken containing the same principal, credentials and granted authorities as the original Authentication object, along with GrantedAuthorityImpls for each RUN_AS_ indicated. The created GrantedAuthorityImpls will be prefixed with a special prefix indicating that it is a role (default prefix value is ROLE_), and then the remainder of the RUN_AS_ keyword. For example, RUN_AS_FOO will result in the creation of a granted authority of ROLE_RUN_AS_FOO.

The role prefix may be overridden from the default, to match that used elsewhere, for example when using an existing role database with another prefix. An empty role prefix may also be specified. Note however that there are potential issues with using an empty role prefix since different categories of ConfigAttribute can not be properly discerned based on the prefix, with possible consequences when performing voting and other actions. However, this option may be of some use when using pre-existing role names without a prefix, and no ability exists to prefix them with a role prefix on reading them in, such as provided for example in JdbcDaoImpl.


Constructor Summary
RunAsManagerImpl()
           
 
Method Summary
 void afterPropertiesSet()
           
 Authentication buildRunAs(Authentication authentication, Object object, Collection<ConfigAttribute> attributes)
          Returns a replacement Authentication object for the current secure object invocation, or null if replacement not required.
 String getKey()
           
 String getRolePrefix()
           
 void setKey(String key)
           
 void setRolePrefix(String rolePrefix)
          Allows the default role prefix of ROLE_ to be overridden.
 boolean supports(Class<?> clazz)
          This implementation supports any type of class, because it does not query the presented secure object.
 boolean supports(ConfigAttribute attribute)
          Indicates whether this RunAsManager is able to process the passed ConfigAttribute.
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Constructor Detail

RunAsManagerImpl

public RunAsManagerImpl()
Method Detail

afterPropertiesSet

public void afterPropertiesSet()
                        throws Exception
Specified by:
afterPropertiesSet in interface InitializingBean
Throws:
Exception

buildRunAs

public Authentication buildRunAs(Authentication authentication,
                                 Object object,
                                 Collection<ConfigAttribute> attributes)
Description copied from interface: RunAsManager
Returns a replacement Authentication object for the current secure object invocation, or null if replacement not required.

Specified by:
buildRunAs in interface RunAsManager
Parameters:
authentication - the caller invoking the secure object
object - the secured object being called
attributes - the configuration attributes associated with the secure object being invoked
Returns:
a replacement object to be used for duration of the secure object invocation, or null if the Authentication should be left as is

getKey

public String getKey()

getRolePrefix

public String getRolePrefix()

setKey

public void setKey(String key)

setRolePrefix

public void setRolePrefix(String rolePrefix)
Allows the default role prefix of ROLE_ to be overridden. May be set to an empty value, although this is usually not desirable.

Parameters:
rolePrefix - the new prefix

supports

public boolean supports(ConfigAttribute attribute)
Description copied from interface: RunAsManager
Indicates whether this RunAsManager is able to process the passed ConfigAttribute.

This allows the AbstractSecurityInterceptor to check every configuration attribute can be consumed by the configured AccessDecisionManager and/or RunAsManager and/or AfterInvocationManager.

Specified by:
supports in interface RunAsManager
Parameters:
attribute - a configuration attribute that has been configured against the AbstractSecurityInterceptor
Returns:
true if this RunAsManager can support the passed configuration attribute

supports

public boolean supports(Class<?> clazz)
This implementation supports any type of class, because it does not query the presented secure object.

Specified by:
supports in interface RunAsManager
Parameters:
clazz - the secure object
Returns:
always true