Overview  Package   Class  Tree  Deprecated  Index  Help 
 PREV CLASS   NEXT CLASS FRAMES    NO FRAMES    
SUMMARY: NESTED | FIELD | CONSTR | METHOD DETAIL: FIELD | CONSTR | METHOD

org.springframework.security.access.prepost
Class PreInvocationAuthorizationAdviceVoter

java.lang.Object
  extended by org.springframework.security.access.prepost.PreInvocationAuthorizationAdviceVoter
All Implemented Interfaces:
AccessDecisionVoter<org.aopalliance.intercept.MethodInvocation>
public class PreInvocationAuthorizationAdviceVoter
extends Object
implements AccessDecisionVoter<org.aopalliance.intercept.MethodInvocation>

Voter which performs the actions using a PreInvocationAuthorizationAdvice implementation generated from @PreFilter and @PreAuthorize annotations.

In practice, if these annotations are being used, they will normally contain all the necessary access control logic, so a voter-based system is not really necessary and a single AccessDecisionManager which contained the same logic would suffice. However, this class fits in readily with the traditional voter-based AccessDecisionManager implementations used by Spring Security.

Since:
3.0

Field Summary
protected  org.apache.commons.logging.Log logger
           
 
Fields inherited from interface org.springframework.security.access.AccessDecisionVoter
ACCESS_ABSTAIN, ACCESS_DENIED, ACCESS_GRANTED
 
Constructor Summary
PreInvocationAuthorizationAdviceVoter(PreInvocationAuthorizationAdvice pre)
           
 
Method Summary
 boolean supports(Class<?> clazz)
          Indicates whether the AccessDecisionVoter implementation is able to provide access control votes for the indicated secured object type.
 boolean supports(ConfigAttribute attribute)
          Indicates whether this AccessDecisionVoter is able to vote on the passed ConfigAttribute.
 int vote(Authentication authentication, org.aopalliance.intercept.MethodInvocation method, Collection<ConfigAttribute> attributes)
          Indicates whether or not access is granted.
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Field Detail

logger

protected final org.apache.commons.logging.Log logger
Constructor Detail

PreInvocationAuthorizationAdviceVoter

public PreInvocationAuthorizationAdviceVoter(PreInvocationAuthorizationAdvice pre)
Method Detail

supports

public boolean supports(ConfigAttribute attribute)
Description copied from interface: AccessDecisionVoter
Indicates whether this AccessDecisionVoter is able to vote on the passed ConfigAttribute.

This allows the AbstractSecurityInterceptor to check every configuration attribute can be consumed by the configured AccessDecisionManager and/or RunAsManager and/or AfterInvocationManager.

Specified by:
supports in interface AccessDecisionVoter<org.aopalliance.intercept.MethodInvocation>
Parameters:
attribute - a configuration attribute that has been configured against the AbstractSecurityInterceptor
Returns:
true if this AccessDecisionVoter can support the passed configuration attribute

supports

public boolean supports(Class<?> clazz)
Description copied from interface: AccessDecisionVoter
Indicates whether the AccessDecisionVoter implementation is able to provide access control votes for the indicated secured object type.

Specified by:
supports in interface AccessDecisionVoter<org.aopalliance.intercept.MethodInvocation>
Parameters:
clazz - the class that is being queried
Returns:
true if the implementation can process the indicated class

vote

public int vote(Authentication authentication,
                org.aopalliance.intercept.MethodInvocation method,
                Collection<ConfigAttribute> attributes)
Description copied from interface: AccessDecisionVoter
Indicates whether or not access is granted.

The decision must be affirmative (ACCESS_GRANTED), negative (ACCESS_DENIED) or the AccessDecisionVoter can abstain (ACCESS_ABSTAIN) from voting. Under no circumstances should implementing classes return any other value. If a weighting of results is desired, this should be handled in a custom AccessDecisionManager instead.

Unless an AccessDecisionVoter is specifically intended to vote on an access control decision due to a passed method invocation or configuration attribute parameter, it must return ACCESS_ABSTAIN. This prevents the coordinating AccessDecisionManager from counting votes from those AccessDecisionVoters without a legitimate interest in the access control decision.

Whilst the secured object (such as a MethodInvocation) is passed as a parameter to maximise flexibility in making access control decisions, implementing classes should not modify it or cause the represented invocation to take place (for example, by calling MethodInvocation.proceed()).

Specified by:
vote in interface AccessDecisionVoter<org.aopalliance.intercept.MethodInvocation>
Parameters:
authentication - the caller making the invocation
method - the secured object being invoked
attributes - the configuration attributes associated with the secured object
Returns:
either AccessDecisionVoter.ACCESS_GRANTED, AccessDecisionVoter.ACCESS_ABSTAIN or AccessDecisionVoter.ACCESS_DENIED
Overview  Package   Class  Tree  Deprecated  Index  Help 
 PREV CLASS   NEXT CLASS FRAMES    NO FRAMES    
SUMMARY: NESTED | FIELD | CONSTR | METHOD DETAIL: FIELD | CONSTR | METHOD