public class PreInvocationAuthorizationAdviceVoter extends Object implements AccessDecisionVoter<org.aopalliance.intercept.MethodInvocation>
In practice, if these annotations are being used, they will normally contain all the necessary access control logic, so a voter-based system is not really necessary and a single AccessDecisionManager which contained the same logic would suffice. However, this class fits in readily with the traditional voter-based AccessDecisionManager implementations used by Spring Security.
Modifier and Type | Field and Description |
---|---|
protected org.apache.commons.logging.Log |
logger |
ACCESS_ABSTAIN, ACCESS_DENIED, ACCESS_GRANTED
Constructor and Description |
---|
PreInvocationAuthorizationAdviceVoter(PreInvocationAuthorizationAdvice pre) |
Modifier and Type | Method and Description |
---|---|
boolean |
supports(Class<?> clazz)
Indicates whether the
AccessDecisionVoter implementation is able to provide
access control votes for the indicated secured object type. |
boolean |
supports(ConfigAttribute attribute)
Indicates whether this
AccessDecisionVoter is able to vote on the passed
ConfigAttribute . |
int |
vote(Authentication authentication,
org.aopalliance.intercept.MethodInvocation method,
Collection<ConfigAttribute> attributes)
Indicates whether or not access is granted.
|
public PreInvocationAuthorizationAdviceVoter(PreInvocationAuthorizationAdvice pre)
public boolean supports(ConfigAttribute attribute)
AccessDecisionVoter
AccessDecisionVoter
is able to vote on the passed
ConfigAttribute
.
This allows the AbstractSecurityInterceptor
to check every configuration
attribute can be consumed by the configured AccessDecisionManager
and/or
RunAsManager
and/or AfterInvocationManager
.
supports
in interface AccessDecisionVoter<org.aopalliance.intercept.MethodInvocation>
attribute
- a configuration attribute that has been configured against the
AbstractSecurityInterceptor
AccessDecisionVoter
can support the passed
configuration attributepublic boolean supports(Class<?> clazz)
AccessDecisionVoter
AccessDecisionVoter
implementation is able to provide
access control votes for the indicated secured object type.supports
in interface AccessDecisionVoter<org.aopalliance.intercept.MethodInvocation>
clazz
- the class that is being queriedpublic int vote(Authentication authentication, org.aopalliance.intercept.MethodInvocation method, Collection<ConfigAttribute> attributes)
AccessDecisionVoter
The decision must be affirmative (ACCESS_GRANTED
), negative (
ACCESS_DENIED
) or the AccessDecisionVoter
can abstain (
ACCESS_ABSTAIN
) from voting. Under no circumstances should implementing
classes return any other value. If a weighting of results is desired, this should
be handled in a custom
AccessDecisionManager
instead.
Unless an AccessDecisionVoter
is specifically intended to vote on an access
control decision due to a passed method invocation or configuration attribute
parameter, it must return ACCESS_ABSTAIN
. This prevents the coordinating
AccessDecisionManager
from counting votes from those
AccessDecisionVoter
s without a legitimate interest in the access control
decision.
Whilst the secured object (such as a MethodInvocation
) is passed as a
parameter to maximise flexibility in making access control decisions, implementing
classes should not modify it or cause the represented invocation to take place (for
example, by calling MethodInvocation.proceed()
).
vote
in interface AccessDecisionVoter<org.aopalliance.intercept.MethodInvocation>
authentication
- the caller making the invocationmethod
- the secured object being invokedattributes
- the configuration attributes associated with the secured objectAccessDecisionVoter.ACCESS_GRANTED
, AccessDecisionVoter.ACCESS_ABSTAIN
or
AccessDecisionVoter.ACCESS_DENIED