public class WebExpressionVoter extends Object implements AccessDecisionVoter<FilterInvocation>
ACCESS_ABSTAIN, ACCESS_DENIED, ACCESS_GRANTED
Constructor and Description |
---|
WebExpressionVoter() |
Modifier and Type | Method and Description |
---|---|
void |
setExpressionHandler(SecurityExpressionHandler<FilterInvocation> expressionHandler) |
boolean |
supports(Class<?> clazz)
Indicates whether the
AccessDecisionVoter implementation is able to provide
access control votes for the indicated secured object type. |
boolean |
supports(ConfigAttribute attribute)
Indicates whether this
AccessDecisionVoter is able to vote on the passed
ConfigAttribute . |
int |
vote(Authentication authentication,
FilterInvocation fi,
Collection<ConfigAttribute> attributes)
Indicates whether or not access is granted.
|
public int vote(Authentication authentication, FilterInvocation fi, Collection<ConfigAttribute> attributes)
AccessDecisionVoter
The decision must be affirmative (ACCESS_GRANTED
), negative (
ACCESS_DENIED
) or the AccessDecisionVoter
can abstain (
ACCESS_ABSTAIN
) from voting. Under no circumstances should implementing
classes return any other value. If a weighting of results is desired, this should
be handled in a custom
AccessDecisionManager
instead.
Unless an AccessDecisionVoter
is specifically intended to vote on an access
control decision due to a passed method invocation or configuration attribute
parameter, it must return ACCESS_ABSTAIN
. This prevents the coordinating
AccessDecisionManager
from counting votes from those
AccessDecisionVoter
s without a legitimate interest in the access control
decision.
Whilst the secured object (such as a MethodInvocation
) is passed as a
parameter to maximise flexibility in making access control decisions, implementing
classes should not modify it or cause the represented invocation to take place (for
example, by calling MethodInvocation.proceed()
).
vote
in interface AccessDecisionVoter<FilterInvocation>
authentication
- the caller making the invocationfi
- the secured object being invokedattributes
- the configuration attributes associated with the secured objectAccessDecisionVoter.ACCESS_GRANTED
, AccessDecisionVoter.ACCESS_ABSTAIN
or
AccessDecisionVoter.ACCESS_DENIED
public boolean supports(ConfigAttribute attribute)
AccessDecisionVoter
AccessDecisionVoter
is able to vote on the passed
ConfigAttribute
.
This allows the AbstractSecurityInterceptor
to check every configuration
attribute can be consumed by the configured AccessDecisionManager
and/or
RunAsManager
and/or AfterInvocationManager
.
supports
in interface AccessDecisionVoter<FilterInvocation>
attribute
- a configuration attribute that has been configured against the
AbstractSecurityInterceptor
AccessDecisionVoter
can support the passed
configuration attributepublic boolean supports(Class<?> clazz)
AccessDecisionVoter
AccessDecisionVoter
implementation is able to provide
access control votes for the indicated secured object type.supports
in interface AccessDecisionVoter<FilterInvocation>
clazz
- the class that is being queriedpublic void setExpressionHandler(SecurityExpressionHandler<FilterInvocation> expressionHandler)