|
|||||||||
PREV CLASS NEXT CLASS | FRAMES NO FRAMES | ||||||||
SUMMARY: NESTED | FIELD | CONSTR | METHOD | DETAIL: FIELD | CONSTR | METHOD |
java.lang.Object org.springframework.security.access.intercept.AbstractSecurityInterceptor
public abstract class AbstractSecurityInterceptor
Abstract class that implements security interception for secure objects.
The AbstractSecurityInterceptor
will ensure the proper startup configuration of the security
interceptor. It will also implement the proper handling of secure object invocations, namely:
Authentication
object from the SecurityContextHolder
.SecurityMetadataSource
.ConfigAttribute
s for the secure
object invocation):
Authentication.isAuthenticated()
returns false
, or the alwaysReauthenticate
is
true
, authenticate the request against the configured AuthenticationManager
.
When authenticated, replace the Authentication
object on the
SecurityContextHolder
with the returned value.AccessDecisionManager
.RunAsManager
.InterceptorStatusToken
is returned so that after the subclass has finished proceeding with
execution of the object, its finally clause can ensure the AbstractSecurityInterceptor
is re-called and tidies up correctly using finallyInvocation(InterceptorStatusToken)
.AbstractSecurityInterceptor
via the
afterInvocation(InterceptorStatusToken, Object)
method.RunAsManager
replaced the Authentication
object, return the
SecurityContextHolder
to the object that existed after the call to
AuthenticationManager
.AfterInvocationManager
is defined, invoke the
invocation manager and allow it to replace the object due to be returned to
the caller.ConfigAttribute
s for the secure object
invocation):
InterceptorStatusToken
which is
subsequently re-presented to the AbstractSecurityInterceptor
after the secure object has been executed.
The AbstractSecurityInterceptor
will take no further action when its
afterInvocation(InterceptorStatusToken, Object)
is called.Object
that should be returned to
the caller. The subclass will then return that result or exception to the original caller.
Field Summary | |
---|---|
protected org.apache.commons.logging.Log |
logger
|
protected MessageSourceAccessor |
messages
|
Constructor Summary | |
---|---|
AbstractSecurityInterceptor()
|
Method Summary | |
---|---|
protected Object |
afterInvocation(InterceptorStatusToken token,
Object returnedObject)
Completes the work of the AbstractSecurityInterceptor after the secure object invocation has been completed. |
void |
afterPropertiesSet()
|
protected InterceptorStatusToken |
beforeInvocation(Object object)
|
protected void |
finallyInvocation(InterceptorStatusToken token)
Cleans up the work of the AbstractSecurityInterceptor after the secure object invocation has been completed. |
AccessDecisionManager |
getAccessDecisionManager()
|
AfterInvocationManager |
getAfterInvocationManager()
|
AuthenticationManager |
getAuthenticationManager()
|
RunAsManager |
getRunAsManager()
|
abstract Class<?> |
getSecureObjectClass()
Indicates the type of secure objects the subclass will be presenting to the abstract parent for processing. |
boolean |
isAlwaysReauthenticate()
|
boolean |
isRejectPublicInvocations()
|
boolean |
isValidateConfigAttributes()
|
abstract SecurityMetadataSource |
obtainSecurityMetadataSource()
|
void |
setAccessDecisionManager(AccessDecisionManager accessDecisionManager)
|
void |
setAfterInvocationManager(AfterInvocationManager afterInvocationManager)
|
void |
setAlwaysReauthenticate(boolean alwaysReauthenticate)
Indicates whether the AbstractSecurityInterceptor should
ignore the Authentication.isAuthenticated() property. |
void |
setApplicationEventPublisher(ApplicationEventPublisher applicationEventPublisher)
|
void |
setAuthenticationManager(AuthenticationManager newManager)
|
void |
setMessageSource(MessageSource messageSource)
|
void |
setPublishAuthorizationSuccess(boolean publishAuthorizationSuccess)
Only AuthorizationFailureEvent will be published. |
void |
setRejectPublicInvocations(boolean rejectPublicInvocations)
By rejecting public invocations (and setting this property to true), essentially you are ensuring that every secure object invocation advised by AbstractSecurityInterceptor has a configuration
attribute defined. |
void |
setRunAsManager(RunAsManager runAsManager)
|
void |
setValidateConfigAttributes(boolean validateConfigAttributes)
|
Methods inherited from class java.lang.Object |
---|
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait |
Field Detail |
---|
protected final org.apache.commons.logging.Log logger
protected MessageSourceAccessor messages
Constructor Detail |
---|
public AbstractSecurityInterceptor()
Method Detail |
---|
public void afterPropertiesSet() throws Exception
afterPropertiesSet
in interface InitializingBean
Exception
protected InterceptorStatusToken beforeInvocation(Object object)
protected void finallyInvocation(InterceptorStatusToken token)
token
- as returned by the beforeInvocation(Object)
methodprotected Object afterInvocation(InterceptorStatusToken token, Object returnedObject)
token
- as returned by the beforeInvocation(Object)
} methodreturnedObject
- any object returned from the secure object invocation (may be null)
public AccessDecisionManager getAccessDecisionManager()
public AfterInvocationManager getAfterInvocationManager()
public AuthenticationManager getAuthenticationManager()
public RunAsManager getRunAsManager()
public abstract Class<?> getSecureObjectClass()
AbstractSecurityInterceptor
all support the
indicated secure object class.
public boolean isAlwaysReauthenticate()
public boolean isRejectPublicInvocations()
public boolean isValidateConfigAttributes()
public abstract SecurityMetadataSource obtainSecurityMetadataSource()
public void setAccessDecisionManager(AccessDecisionManager accessDecisionManager)
public void setAfterInvocationManager(AfterInvocationManager afterInvocationManager)
public void setAlwaysReauthenticate(boolean alwaysReauthenticate)
AbstractSecurityInterceptor
should
ignore the Authentication.isAuthenticated()
property. Defaults to
false
, meaning by default the
Authentication.isAuthenticated()
property is trusted and
re-authentication will not occur if the principal has already been
authenticated.
alwaysReauthenticate
- true
to force AbstractSecurityInterceptor
to
disregard the value of Authentication.isAuthenticated()
and always re-authenticate the request
(defaults to false
).public void setApplicationEventPublisher(ApplicationEventPublisher applicationEventPublisher)
setApplicationEventPublisher
in interface ApplicationEventPublisherAware
public void setAuthenticationManager(AuthenticationManager newManager)
public void setMessageSource(MessageSource messageSource)
setMessageSource
in interface MessageSourceAware
public void setPublishAuthorizationSuccess(boolean publishAuthorizationSuccess)
AuthorizationFailureEvent
will be published.
If you set this property to true
, AuthorizedEvent
s will also be published.
publishAuthorizationSuccess
- default value is false
public void setRejectPublicInvocations(boolean rejectPublicInvocations)
AbstractSecurityInterceptor
has a configuration
attribute defined. This is useful to ensure a "fail safe" mode where undeclared secure objects will be rejected
and configuration omissions detected early. An IllegalArgumentException will be thrown by the
AbstractSecurityInterceptor if you set this property to true and an attempt is made to invoke
a secure object that has no configuration attributes.
rejectPublicInvocations
- set to true
to reject invocations of secure objects that have no
configuration attributes (by default it is false
which treats undeclared secure objects
as "public" or unauthorized).public void setRunAsManager(RunAsManager runAsManager)
public void setValidateConfigAttributes(boolean validateConfigAttributes)
|
|||||||||
PREV CLASS NEXT CLASS | FRAMES NO FRAMES | ||||||||
SUMMARY: NESTED | FIELD | CONSTR | METHOD | DETAIL: FIELD | CONSTR | METHOD |