public interface AccessDecisionVoter<S>

The coordination of voting (i.e. polling AccessDecisionVoters, tallying their responses, and making the final authorization decision) is performed by an AccessDecisionManager.

Modifier and Type | Field and Description |
---|---|
static int | ACCESS_ABSTAIN |
static int | ACCESS_DENIED |
static int | ACCESS_GRANTED |

Modifier and Type | Method and Description |
---|---|
boolean | supports(Class<?> clazz) Indicates whether the AccessDecisionVoter implementation is able to provide access control votes for the indicated secured object type. |
boolean | supports(ConfigAttribute attribute) Indicates whether this AccessDecisionVoter is able to vote on the passed ConfigAttribute. |
int | vote(Authentication authentication, S object, Collection<ConfigAttribute> attributes) Indicates whether or not access is granted. |

static final int ACCESS_GRANTED
static final int ACCESS_ABSTAIN
static final int ACCESS_DENIED

boolean supports(ConfigAttribute attribute)
Indicates whether this AccessDecisionVoter is able to vote on the passed ConfigAttribute.
This allows the AbstractSecurityInterceptor to check every configuration attribute can be consumed by the configured AccessDecisionManager and/or RunAsManager and/or AfterInvocationManager.
attribute - a configuration attribute that has been configured against the AbstractSecurityInterceptor
AccessDecisionVoter can support the passed configuration attribute

boolean supports(Class<?> clazz)
Indicates whether the AccessDecisionVoter implementation is able to provide access control votes for the indicated secured object type.
clazz - the class that is being queried

int vote(Authentication authentication, S object, Collection<ConfigAttribute> attributes)
The decision must be affirmative (ACCESS_GRANTED), negative (ACCESS_DENIED) or the AccessDecisionVoter can abstain (ACCESS_ABSTAIN) from voting. Under no circumstances should implementing classes return any other value. If a weighting of results is desired, this should be handled in a custom AccessDecisionManager instead.

Unless an AccessDecisionVoter is specifically intended to vote on an access control decision due to a passed method invocation or configuration attribute parameter, it must return ACCESS_ABSTAIN. This prevents the coordinating AccessDecisionManager from counting votes from those AccessDecisionVoters without a legitimate interest in the access control decision.

Whilst the secured object (such as a MethodInvocation) is passed as a parameter to maximise flexibility in making access control decisions, implementing classes should not modify it or cause the represented invocation to take place (for example, by calling MethodInvocation.proceed()).
authentication - the caller making the invocation
object - the secured object being invoked
attributes - the configuration attributes associated with the secured object
ACCESS_GRANTED, ACCESS_ABSTAIN or ACCESS_DENIED
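
A minimal voter that follows the vote contract described above, as an added example (not Spring Security's own code): it abstains unless a supported attribute is present, returns only the three constants, and never touches the secured object. The class name ScopeVoter and the SCOPE_ attribute prefix are assumptions made for this example.

```java
import java.util.Collection;

import org.springframework.security.access.AccessDecisionVoter;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;

// Added example: ScopeVoter and the "SCOPE_" prefix are hypothetical, not framework names.
public class ScopeVoter implements AccessDecisionVoter<Object> {

    private static final String PREFIX = "SCOPE_"; // assumption for this example

    @Override
    public boolean supports(ConfigAttribute attribute) {
        // getAttribute() can return null for attributes that have no String form
        String value = attribute.getAttribute();
        return value != null && value.startsWith(PREFIX);
    }

    @Override
    public boolean supports(Class<?> clazz) {
        // The vote never inspects the secured object, so any type is acceptable
        return true;
    }

    @Override
    public int vote(Authentication authentication, Object object,
            Collection<ConfigAttribute> attributes) {
        int result = ACCESS_ABSTAIN; // no legitimate interest until a SCOPE_ attribute is seen
        for (ConfigAttribute attribute : attributes) {
            if (!supports(attribute)) {
                continue; // someone else's attribute: do not let it influence our vote
            }
            if (authentication == null) {
                return ACCESS_DENIED; // a supported attribute but no caller to check
            }
            result = ACCESS_DENIED; // we own the decision now: deny unless a match is found
            for (GrantedAuthority authority : authentication.getAuthorities()) {
                if (attribute.getAttribute().equals(authority.getAuthority())) {
                    return ACCESS_GRANTED;
                }
            }
        }
        // Always one of the three constants; the secured object was neither modified nor invoked
        return result;
    }
}
```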