org.springframework.security.web.access.intercept
Class FilterSecurityInterceptor

java.lang.Object
  org.springframework.security.access.intercept.AbstractSecurityInterceptor
      org.springframework.security.web.access.intercept.FilterSecurityInterceptor

All Implemented Interfaces:

javax.servlet.Filter, InitializingBean, ApplicationEventPublisherAware, MessageSourceAware

public class FilterSecurityInterceptor
extends AbstractSecurityInterceptor
implements javax.servlet.Filter

Performs security handling of HTTP resources via a filter implementation.

The SecurityMetadataSource required by this security interceptor is of type FilterInvocationSecurityMetadataSource.

Refer to AbstractSecurityInterceptor for details on the workflow.

Field Summary

Fields inherited from class org.springframework.security.access.intercept.AbstractSecurityInterceptor

logger, messages

Constructor Summary

FilterSecurityInterceptor()

Method Summary

void	destroy() Not used (we rely on IoC container lifecycle services instead)
void	doFilter(javax.servlet.ServletRequest request, javax.servlet.ServletResponse response, javax.servlet.FilterChain chain) Method that is actually called by the filter chain.
Class<?>	getSecureObjectClass() Indicates the type of secure objects the subclass will be presenting to the abstract parent for processing.
FilterInvocationSecurityMetadataSource	getSecurityMetadataSource()
void	init(javax.servlet.FilterConfig arg0) Not used (we rely on IoC container lifecycle services instead)
void	invoke(FilterInvocation fi)
boolean	isObserveOncePerRequest() Indicates whether once-per-request handling will be observed.
SecurityMetadataSource	obtainSecurityMetadataSource()
void	setObserveOncePerRequest(boolean observeOncePerRequest)
void	setSecurityMetadataSource(FilterInvocationSecurityMetadataSource newSource)

Methods inherited from class org.springframework.security.access.intercept.AbstractSecurityInterceptor

afterInvocation, afterPropertiesSet, beforeInvocation, finallyInvocation, getAccessDecisionManager, getAfterInvocationManager, getAuthenticationManager, getRunAsManager, isAlwaysReauthenticate, isRejectPublicInvocations, isValidateConfigAttributes, setAccessDecisionManager, setAfterInvocationManager, setAlwaysReauthenticate, setApplicationEventPublisher, setAuthenticationManager, setMessageSource, setPublishAuthorizationSuccess, setRejectPublicInvocations, setRunAsManager, setValidateConfigAttributes

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

FilterSecurityInterceptor

public FilterSecurityInterceptor()

Method Detail

init

public void init(javax.servlet.FilterConfig arg0)
          throws javax.servlet.ServletException

Not used (we rely on IoC container lifecycle services instead)

Specified by:

init in interface javax.servlet.Filter

Parameters:

arg0 - ignored

Throws:

javax.servlet.ServletException - never thrown

destroy

public void destroy()

Not used (we rely on IoC container lifecycle services instead)

Specified by:

destroy in interface javax.servlet.Filter

doFilter

public void doFilter(javax.servlet.ServletRequest request,
                     javax.servlet.ServletResponse response,
                     javax.servlet.FilterChain chain)
              throws IOException,
                     javax.servlet.ServletException

Method that is actually called by the filter chain. Simply delegates to the invoke(FilterInvocation) method.

Specified by:

doFilter in interface javax.servlet.Filter

Parameters:

request - the servlet request

response - the servlet response

chain - the filter chain

Throws:

IOException - if the filter chain fails

javax.servlet.ServletException - if the filter chain fails

getSecurityMetadataSource

public FilterInvocationSecurityMetadataSource getSecurityMetadataSource()

obtainSecurityMetadataSource

public SecurityMetadataSource obtainSecurityMetadataSource()

Specified by:

obtainSecurityMetadataSource in class AbstractSecurityInterceptor

setSecurityMetadataSource

public void setSecurityMetadataSource(FilterInvocationSecurityMetadataSource newSource)

getSecureObjectClass

public Class<?> getSecureObjectClass()

Description copied from class: AbstractSecurityInterceptor

Indicates the type of secure objects the subclass will be presenting to the abstract parent for processing. This is used to ensure collaborators wired to the AbstractSecurityInterceptor all support the indicated secure object class.

Specified by:

getSecureObjectClass in class AbstractSecurityInterceptor

Returns:

the type of secure object the subclass provides services for

invoke

public void invoke(FilterInvocation fi)
            throws IOException,
                   javax.servlet.ServletException

Throws:

IOException

javax.servlet.ServletException

isObserveOncePerRequest

public boolean isObserveOncePerRequest()

Indicates whether once-per-request handling will be observed. By default this is true, meaning the FilterSecurityInterceptor will only execute once-per-request. Sometimes users may wish it to execute more than once per request, such as when JSP forwards are being used and filter security is desired on each included fragment of the HTTP request.

Returns:

true (the default) if once-per-request is honoured, otherwise false if FilterSecurityInterceptor will enforce authorizations for each and every fragment of the HTTP request.

setObserveOncePerRequest

public void setObserveOncePerRequest(boolean observeOncePerRequest)