public class AuthenticatedVoter extends Object implements AccessDecisionVoter<Object>
ConfigAttribute.getAttribute()
of
IS_AUTHENTICATED_FULLY
or IS_AUTHENTICATED_REMEMBERED
or
IS_AUTHENTICATED_ANONYMOUSLY
is present. This list is in order of most
strict checking to least strict checking.
The current Authentication
will be inspected to determine if the principal
has a particular level of authentication. The "FULLY" authenticated option means the
user is authenticated fully (i.e.
AuthenticationTrustResolver.isAnonymous(Authentication)
is false and
AuthenticationTrustResolver.isRememberMe(Authentication)
is false). The "REMEMBERED" will grant access if the principal was either authenticated
via remember-me OR is fully authenticated. The "ANONYMOUSLY" will grant access if the
principal was authenticated via remember-me, OR anonymously, OR via full
authentication.
All comparisons and prefixes are case sensitive.
Modifier and Type | Field and Description |
---|---|
static String |
IS_AUTHENTICATED_ANONYMOUSLY |
static String |
IS_AUTHENTICATED_FULLY |
static String |
IS_AUTHENTICATED_REMEMBERED |
ACCESS_ABSTAIN, ACCESS_DENIED, ACCESS_GRANTED
Constructor and Description |
---|
AuthenticatedVoter() |
Modifier and Type | Method and Description |
---|---|
void |
setAuthenticationTrustResolver(AuthenticationTrustResolver authenticationTrustResolver) |
boolean |
supports(Class<?> clazz)
This implementation supports any type of class, because it does not query the
presented secure object.
|
boolean |
supports(ConfigAttribute attribute)
Indicates whether this
AccessDecisionVoter is able to vote on the passed
ConfigAttribute . |
int |
vote(Authentication authentication,
Object object,
Collection<ConfigAttribute> attributes)
Indicates whether or not access is granted.
|
public static final String IS_AUTHENTICATED_FULLY
public static final String IS_AUTHENTICATED_REMEMBERED
public static final String IS_AUTHENTICATED_ANONYMOUSLY
public void setAuthenticationTrustResolver(AuthenticationTrustResolver authenticationTrustResolver)
public boolean supports(ConfigAttribute attribute)
AccessDecisionVoter
AccessDecisionVoter
is able to vote on the passed
ConfigAttribute
.
This allows the AbstractSecurityInterceptor
to check every configuration
attribute can be consumed by the configured AccessDecisionManager
and/or
RunAsManager
and/or AfterInvocationManager
.
supports
in interface AccessDecisionVoter<Object>
attribute
- a configuration attribute that has been configured against the
AbstractSecurityInterceptor
AccessDecisionVoter
can support the passed
configuration attributepublic boolean supports(Class<?> clazz)
supports
in interface AccessDecisionVoter<Object>
clazz
- the secure object typetrue
public int vote(Authentication authentication, Object object, Collection<ConfigAttribute> attributes)
AccessDecisionVoter
The decision must be affirmative (ACCESS_GRANTED
), negative (
ACCESS_DENIED
) or the AccessDecisionVoter
can abstain (
ACCESS_ABSTAIN
) from voting. Under no circumstances should implementing
classes return any other value. If a weighting of results is desired, this should
be handled in a custom
AccessDecisionManager
instead.
Unless an AccessDecisionVoter
is specifically intended to vote on an access
control decision due to a passed method invocation or configuration attribute
parameter, it must return ACCESS_ABSTAIN
. This prevents the coordinating
AccessDecisionManager
from counting votes from those
AccessDecisionVoter
s without a legitimate interest in the access control
decision.
Whilst the secured object (such as a MethodInvocation
) is passed as a
parameter to maximise flexibility in making access control decisions, implementing
classes should not modify it or cause the represented invocation to take place (for
example, by calling MethodInvocation.proceed()
).
vote
in interface AccessDecisionVoter<Object>
authentication
- the caller making the invocationobject
- the secured object being invokedattributes
- the configuration attributes associated with the secured objectAccessDecisionVoter.ACCESS_GRANTED
, AccessDecisionVoter.ACCESS_ABSTAIN
or
AccessDecisionVoter.ACCESS_DENIED