Overview  Package   Class  Tree  Deprecated  Index  Help 
 PREV CLASS   NEXT CLASS FRAMES    NO FRAMES    
SUMMARY: NESTED | FIELD | CONSTR | METHOD DETAIL: FIELD | CONSTR | METHOD

org.springframework.security.access.vote
Class RoleVoter

java.lang.Object
  extended by org.springframework.security.access.vote.RoleVoter
All Implemented Interfaces:
AccessDecisionVoter<Object>
Direct Known Subclasses:
RoleHierarchyVoter
public class RoleVoter
extends Object
implements AccessDecisionVoter<Object>

Votes if any ConfigAttribute.getAttribute() starts with a prefix indicating that it is a role. The default prefix string is ROLE_, but this may be overridden to any value. It may also be set to empty, which means that essentially any attribute will be voted on. As described further below, the effect of an empty prefix may not be quite desirable.

Abstains from voting if no configuration attribute commences with the role prefix. Votes to grant access if there is an exact matching GrantedAuthority to a ConfigAttribute starting with the role prefix. Votes to deny access if there is no exact matching GrantedAuthority to a ConfigAttribute starting with the role prefix.

An empty role prefix means that the voter will vote for every ConfigAttribute. When there are different categories of ConfigAttributes used, this will not be optimal since the voter will be voting for attributes which do not represent roles. However, this option may be of some use when using pre-existing role names without a prefix, and no ability exists to prefix them with a role prefix on reading them in, such as provided for example in JdbcDaoImpl.

All comparisons and prefixes are case sensitive.

Field Summary
 
Fields inherited from interface org.springframework.security.access.AccessDecisionVoter
ACCESS_ABSTAIN, ACCESS_DENIED, ACCESS_GRANTED
 
Constructor Summary
RoleVoter()
           
 
Method Summary
 String getRolePrefix()
           
 void setRolePrefix(String rolePrefix)
          Allows the default role prefix of ROLE_ to be overridden.
 boolean supports(Class<?> clazz)
          This implementation supports any type of class, because it does not query the presented secure object.
 boolean supports(ConfigAttribute attribute)
          Indicates whether this AccessDecisionVoter is able to vote on the passed ConfigAttribute.
 int vote(Authentication authentication, Object object, Collection<ConfigAttribute> attributes)
          Indicates whether or not access is granted.
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Constructor Detail

RoleVoter

public RoleVoter()
Method Detail

getRolePrefix

public String getRolePrefix()

setRolePrefix

public void setRolePrefix(String rolePrefix)
Allows the default role prefix of ROLE_ to be overridden. May be set to an empty value, although this is usually not desirable.

Parameters:
rolePrefix - the new prefix

supports

public boolean supports(ConfigAttribute attribute)
Description copied from interface: AccessDecisionVoter
Indicates whether this AccessDecisionVoter is able to vote on the passed ConfigAttribute.

This allows the AbstractSecurityInterceptor to check every configuration attribute can be consumed by the configured AccessDecisionManager and/or RunAsManager and/or AfterInvocationManager.

Specified by:
supports in interface AccessDecisionVoter<Object>
Parameters:
attribute - a configuration attribute that has been configured against the AbstractSecurityInterceptor
Returns:
true if this AccessDecisionVoter can support the passed configuration attribute

supports

public boolean supports(Class<?> clazz)
This implementation supports any type of class, because it does not query the presented secure object.

Specified by:
supports in interface AccessDecisionVoter<Object>
Parameters:
clazz - the secure object
Returns:
always true

vote

public int vote(Authentication authentication,
                Object object,
                Collection<ConfigAttribute> attributes)
Description copied from interface: AccessDecisionVoter
Indicates whether or not access is granted.

The decision must be affirmative (ACCESS_GRANTED), negative (ACCESS_DENIED) or the AccessDecisionVoter can abstain (ACCESS_ABSTAIN) from voting. Under no circumstances should implementing classes return any other value. If a weighting of results is desired, this should be handled in a custom AccessDecisionManager instead.

Unless an AccessDecisionVoter is specifically intended to vote on an access control decision due to a passed method invocation or configuration attribute parameter, it must return ACCESS_ABSTAIN. This prevents the coordinating AccessDecisionManager from counting votes from those AccessDecisionVoters without a legitimate interest in the access control decision.

Whilst the secured object (such as a MethodInvocation) is passed as a parameter to maximise flexibility in making access control decisions, implementing classes should not modify it or cause the represented invocation to take place (for example, by calling MethodInvocation.proceed()).

Specified by:
vote in interface AccessDecisionVoter<Object>
Parameters:
authentication - the caller making the invocation
object - the secured object being invoked
attributes - the configuration attributes associated with the secured object
Returns:
either AccessDecisionVoter.ACCESS_GRANTED, AccessDecisionVoter.ACCESS_ABSTAIN or AccessDecisionVoter.ACCESS_DENIED
Overview  Package   Class  Tree  Deprecated  Index  Help 
 PREV CLASS   NEXT CLASS FRAMES    NO FRAMES    
SUMMARY: NESTED | FIELD | CONSTR | METHOD DETAIL: FIELD | CONSTR | METHOD