org.springframework.security.access.vote

Class AuthenticatedVoter

java.lang.Object

org.springframework.security.access.vote.AuthenticatedVoter

All Implemented Interfaces:

AccessDecisionVoter<Object>

public class AuthenticatedVoter
extends Object
implements AccessDecisionVoter<Object>

Votes if a ConfigAttribute.getAttribute() of IS_AUTHENTICATED_FULLY or IS_AUTHENTICATED_REMEMBERED or IS_AUTHENTICATED_ANONYMOUSLY is present. This list is in order of most strict checking to least strict checking.

The current Authentication will be inspected to determine if the principal has a particular level of authentication. The "FULLY" authenticated option means the user is authenticated fully (i.e. AuthenticationTrustResolver.isAnonymous(Authentication) is false and AuthenticationTrustResolver.isRememberMe(Authentication) is false). The "REMEMBERED" will grant access if the principal was either authenticated via remember-me OR is fully authenticated. The "ANONYMOUSLY" will grant access if the principal was authenticated via remember-me, OR anonymously, OR via full authentication.

All comparisons and prefixes are case sensitive.

Field Summary

Fields

Modifier and Type	Field and Description
static String	IS_AUTHENTICATED_ANONYMOUSLY
static String	IS_AUTHENTICATED_FULLY
static String	IS_AUTHENTICATED_REMEMBERED

Fields inherited from interface org.springframework.security.access.AccessDecisionVoter

ACCESS_ABSTAIN, ACCESS_DENIED, ACCESS_GRANTED

Constructor Summary

Constructors

Constructor and Description
AuthenticatedVoter()

Method Summary

Methods

Modifier and Type	Method and Description
void	setAuthenticationTrustResolver(AuthenticationTrustResolver authenticationTrustResolver)
boolean	supports(Class<?> clazz) This implementation supports any type of class, because it does not query the presented secure object.
boolean	supports(ConfigAttribute attribute) Indicates whether this AccessDecisionVoter is able to vote on the passed ConfigAttribute.
int	vote(Authentication authentication, Object object, Collection<ConfigAttribute> attributes) Indicates whether or not access is granted.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

IS_AUTHENTICATED_FULLY

public static final String IS_AUTHENTICATED_FULLY

See Also:

Constant Field Values

IS_AUTHENTICATED_REMEMBERED

public static final String IS_AUTHENTICATED_REMEMBERED

See Also:

Constant Field Values

IS_AUTHENTICATED_ANONYMOUSLY

public static final String IS_AUTHENTICATED_ANONYMOUSLY

See Also:

Constant Field Values

Constructor Detail

AuthenticatedVoter

public AuthenticatedVoter()

Method Detail

setAuthenticationTrustResolver

public void setAuthenticationTrustResolver(AuthenticationTrustResolver authenticationTrustResolver)

supports

public boolean supports(ConfigAttribute attribute)

Description copied from interface: AccessDecisionVoter

Indicates whether this AccessDecisionVoter is able to vote on the passed ConfigAttribute.

This allows the AbstractSecurityInterceptor to check every configuration attribute can be consumed by the configured AccessDecisionManager and/or RunAsManager and/or AfterInvocationManager.

Specified by:

supports in interface AccessDecisionVoter<Object>

Parameters:

attribute - a configuration attribute that has been configured against the AbstractSecurityInterceptor

Returns:

true if this AccessDecisionVoter can support the passed configuration attribute

supports

public boolean supports(Class<?> clazz)

This implementation supports any type of class, because it does not query the presented secure object.

Specified by:

supports in interface AccessDecisionVoter<Object>

Parameters:

clazz - the secure object type

Returns:

always true

vote

public int vote(Authentication authentication,
       Object object,
       Collection<ConfigAttribute> attributes)

Description copied from interface: AccessDecisionVoter

Indicates whether or not access is granted.

The decision must be affirmative (ACCESS_GRANTED), negative (ACCESS_DENIED) or the AccessDecisionVoter can abstain (ACCESS_ABSTAIN) from voting. Under no circumstances should implementing classes return any other value. If a weighting of results is desired, this should be handled in a custom AccessDecisionManager instead.

Unless an AccessDecisionVoter is specifically intended to vote on an access control decision due to a passed method invocation or configuration attribute parameter, it must return ACCESS_ABSTAIN. This prevents the coordinating AccessDecisionManager from counting votes from those AccessDecisionVoters without a legitimate interest in the access control decision.

Whilst the secured object (such as a MethodInvocation) is passed as a parameter to maximise flexibility in making access control decisions, implementing classes should not modify it or cause the represented invocation to take place (for example, by calling MethodInvocation.proceed()).

Specified by:

vote in interface AccessDecisionVoter<Object>

Parameters:

authentication - the caller making the invocation

object - the secured object being invoked

attributes - the configuration attributes associated with the secured object

Returns:

either AccessDecisionVoter.ACCESS_GRANTED, AccessDecisionVoter.ACCESS_ABSTAIN or AccessDecisionVoter.ACCESS_DENIED