org.springframework.security.access.vote
Class LabelBasedAclVoter

java.lang.Object
  extended by org.springframework.security.access.vote.AbstractAclVoter
      extended by org.springframework.security.access.vote.LabelBasedAclVoter
All Implemented Interfaces:
AccessDecisionVoter

Deprecated. Use new spring-security-acl module instead

public class LabelBasedAclVoter
extends AbstractAclVoter

This ACL voter evaluates methods based on labels applied to incoming arguments. It only checks methods that have been properly tagged in the MethodSecurityInterceptor with the value stored in attributeIndicatingLabeledOperation. If a method has been tagged, it examines each argument, and if the argument implements LabeledData, it assesses whether the user's list of granted authorities matches.

By default, if none of the arguments are labeled, then the access will be granted. This can be overridden by setting allowAccessIfNoAttributesAreLabeled to false in the Spring context file.

In many situations, different values are linked together to define a common label. In that case it is necessary to define a map in the application context that links user-assigned label access to domain object labels. This is done by setting up the labelMap in the application context.

See Also:
MethodSecurityInterceptor

Field Summary
 
Fields inherited from interface org.springframework.security.access.AccessDecisionVoter
ACCESS_ABSTAIN, ACCESS_DENIED, ACCESS_GRANTED
 
Constructor Summary
LabelBasedAclVoter()
          Deprecated.  
 
Method Summary
 void setAllowAccessIfNoAttributesAreLabeled(boolean allowAccessIfNoAttributesAreLabeled)
          Deprecated. Set whether or not to allow the user to run methods in which none of the incoming arguments are labeled.
 void setAttributeIndicatingLabeledOperation(String attributeIndicatingLabeledOperation)
          Deprecated. Each method intended for evaluation by this voter must include this tag name in the definition of the MethodSecurityInterceptor, indicating if this voter should evaluate the arguments and compare them against the label map.
 void setLabelMap(Map<String,List<String>> labelMap)
          Deprecated. Set the map that correlates a user's assigned label against domain object values that are considered data labels.
 boolean supports(ConfigAttribute attribute)
          Deprecated. This acl voter will only evaluate labeled methods if they are marked in the security interceptor's configuration with the attribute stored in attributeIndicatingLabeledOperation.
 int vote(Authentication authentication, Object object, Collection<ConfigAttribute> attributes)
          Deprecated. Vote on whether or not the user has all the labels necessary to match the method argument's labeled data.
 
Methods inherited from class org.springframework.security.access.vote.AbstractAclVoter
getDomainObjectInstance, getProcessDomainObjectClass, setProcessDomainObjectClass, supports
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Constructor Detail

LabelBasedAclVoter

public LabelBasedAclVoter()
Deprecated. 
Method Detail

setAllowAccessIfNoAttributesAreLabeled

public void setAllowAccessIfNoAttributesAreLabeled(boolean allowAccessIfNoAttributesAreLabeled)
Deprecated. 
Set whether or not to allow the user to run methods in which none of the incoming arguments are labeled.

Default value: true, users can run such methods.

Parameters:
allowAccessIfNoAttributesAreLabeled - boolean

setAttributeIndicatingLabeledOperation

public void setAttributeIndicatingLabeledOperation(String attributeIndicatingLabeledOperation)
Deprecated. 
Each method intended for evaluation by this voter must include this tag name in the definition of the MethodSecurityInterceptor, indicating if this voter should evaluate the arguments and compare them against the label map.

Parameters:
attributeIndicatingLabeledOperation - string

setLabelMap

public void setLabelMap(Map<String,List<String>> labelMap)
Deprecated. 
Set the map that correlates a user's assigned label against domain object values that are considered data labels. An example application context configuration of a labelMap:
 <bean id="accessDecisionManager" class="org.springframework.security.access.vote.UnanimousBased">
     <property name="allowIfAllAbstainDecisions"><value>false</value></property>
     <property name="decisionVoters">
       <list>
         <bean class="org.springframework.security.access.vote.RoleVoter"/>
         <bean class="org.springframework.security.access.vote.LabelBasedAclVoter">
           <property name="attributeIndicatingLabeledOperation">
             <value>LABELED_OPERATION</value>
           </property>
           <property name="labelMap">
             <map>
               <entry key="DATA_LABEL_BLUE">
                 <list>
                   <value>blue</value>
                   <value>indigo</value>
                   <value>purple</value>
                 </list>
               </entry>
               <entry key="LABEL_ORANGE">
                 <list>
                   <value>orange</value>
                   <value>sunshine</value>
                   <value>amber</value>
                 </list>
               </entry>
               <entry key="LABEL_ADMIN">
                 <list>
                   <value>blue</value>
                   <value>indigo</value>
                   <value>purple</value>
                   <value>orange</value>
                   <value>sunshine</value>
                   <value>amber</value>
                 </list>
               </entry>
             </map>
           </property>
         </bean>
       </list>
     </property>
   </bean>
 

Parameters:
labelMap - a map structured as in the above example.

supports

public boolean supports(ConfigAttribute attribute)
Deprecated. 
This acl voter will only evaluate labeled methods if they are marked in the security interceptor's configuration with the attribute stored in attributeIndicatingLabeledOperation.

Parameters:
attribute - a configuration attribute that has been configured against the AbstractSecurityInterceptor
Returns:
true if this AccessDecisionVoter can support the passed configuration attribute
See Also:
AbstractAclVoter, MethodSecurityInterceptor

vote

public int vote(Authentication authentication,
                Object object,
                Collection<ConfigAttribute> attributes)
Deprecated. 
Vote on whether or not the user has all the labels necessary to match the method argument's labeled data.

Parameters:
authentication - the caller invoking the method
object - the secured object
attributes - the configuration attributes associated with the method being invoked
Returns:
ACCESS_ABSTAIN, ACCESS_GRANTED, or ACCESS_DENIED.
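
The decision described on this page can be traced with a stand-alone model. This is an added example, not the Spring Security source. It shows how the labelMap lookup and the allowAccessIfNoAttributesAreLabeled flag interact, including the default case where a call with no labeled argument is granted. The names LabelVoteModel, Labeled, Doc and the sample user are hypothetical, and the abstain on untagged methods and the all-arguments-must-match rule are assumptions drawn from the descriptions above.

```java
import java.util.*;

// Stand-alone model of the documented behaviour; not the Spring Security source.
public class LabelVoteModel {
    static final int ACCESS_GRANTED = 1, ACCESS_ABSTAIN = 0, ACCESS_DENIED = -1;

    // Stand-in for LabeledData; the single getLabel() accessor is an assumption.
    interface Labeled { String getLabel(); }
    record Doc(String label) implements Labeled {
        public String getLabel() { return label; }
    }

    // Two entries from the page's labelMap: user label -> permitted data labels.
    static final Map<String, List<String>> LABEL_MAP = Map.of(
        "DATA_LABEL_BLUE", List.of("blue", "indigo", "purple"),
        "LABEL_ORANGE", List.of("orange", "sunshine", "amber"));

    static int vote(Set<String> authorities, boolean tagged,
                    boolean allowIfNoneLabeled, Object... args) {
        if (!tagged) return ACCESS_ABSTAIN; // assumption: untagged methods are skipped
        Set<String> permitted = new HashSet<>();
        for (String a : authorities)
            permitted.addAll(LABEL_MAP.getOrDefault(a, List.of()));
        int labeled = 0;
        for (Object arg : args) {
            if (arg instanceof Labeled l) {
                labeled++;
                if (!permitted.contains(l.getLabel())) return ACCESS_DENIED;
            }
        }
        // No labeled argument at all: the outcome is decided by the flag alone.
        if (labeled == 0) return allowIfNoneLabeled ? ACCESS_GRANTED : ACCESS_DENIED;
        return ACCESS_GRANTED;
    }

    public static void main(String[] argv) {
        Set<String> blue = Set.of("ROLE_USER", "DATA_LABEL_BLUE"); // constructed user
        System.out.println(vote(blue, true, true, new Doc("indigo")));  // label in blue's list
        System.out.println(vote(blue, true, true, new Doc("amber")));   // label outside it
        System.out.println(vote(blue, true, true, "plain string"));     // unlabeled, default flag
        System.out.println(vote(blue, true, false, "plain string"));    // unlabeled, flag false
        System.out.println(vote(blue, false, true, new Doc("amber")));  // method not tagged
    }
}
```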