public abstract class AbstractSecurityInterceptor
extends java.lang.Object
implements org.springframework.beans.factory.InitializingBean, org.springframework.context.ApplicationEventPublisherAware, org.springframework.context.MessageSourceAware
The AbstractSecurityInterceptor
will ensure the proper startup
configuration of the security interceptor. It will also implement the proper handling
of secure object invocations, namely:
Authentication
object from the
SecurityContextHolder
.SecurityMetadataSource
.ConfigAttribute
s
for the secure object invocation):
Authentication.isAuthenticated()
returns
false
, or the alwaysReauthenticate
is true
,
authenticate the request against the configured AuthenticationManager
. When
authenticated, replace the Authentication
object on the
SecurityContextHolder
with the returned value.AccessDecisionManager
.RunAsManager
.InterceptorStatusToken
is returned so that after the
subclass has finished proceeding with execution of the object, its finally clause can
ensure the AbstractSecurityInterceptor
is re-called and tidies up
correctly using finallyInvocation(InterceptorStatusToken)
.AbstractSecurityInterceptor
via
the afterInvocation(InterceptorStatusToken, Object)
method.RunAsManager
replaced the Authentication
object,
return the SecurityContextHolder
to the object that existed after the call
to AuthenticationManager
.AfterInvocationManager
is defined, invoke the invocation manager
and allow it to replace the object due to be returned to the caller.ConfigAttribute
s for
the secure object invocation):
InterceptorStatusToken
which is subsequently re-presented to the
AbstractSecurityInterceptor
after the secure object has been executed. The
AbstractSecurityInterceptor
will take no further action when its
afterInvocation(InterceptorStatusToken, Object)
is called.Object
that should be returned to the caller. The subclass will then return that result or
exception to the original caller.Modifier and Type | Field and Description |
---|---|
protected org.apache.commons.logging.Log |
logger |
protected org.springframework.context.support.MessageSourceAccessor |
messages |
Constructor and Description |
---|
AbstractSecurityInterceptor() |
Modifier and Type | Method and Description |
---|---|
protected java.lang.Object |
afterInvocation(InterceptorStatusToken token,
java.lang.Object returnedObject)
Completes the work of the AbstractSecurityInterceptor after the secure
object invocation has been completed.
|
void |
afterPropertiesSet() |
protected InterceptorStatusToken |
beforeInvocation(java.lang.Object object) |
protected void |
finallyInvocation(InterceptorStatusToken token)
Cleans up the work of the AbstractSecurityInterceptor after the secure
object invocation has been completed.
|
AccessDecisionManager |
getAccessDecisionManager() |
AfterInvocationManager |
getAfterInvocationManager() |
AuthenticationManager |
getAuthenticationManager() |
RunAsManager |
getRunAsManager() |
abstract java.lang.Class<?> |
getSecureObjectClass()
Indicates the type of secure objects the subclass will be presenting to the
abstract parent for processing.
|
boolean |
isAlwaysReauthenticate() |
boolean |
isRejectPublicInvocations() |
boolean |
isValidateConfigAttributes() |
abstract SecurityMetadataSource |
obtainSecurityMetadataSource() |
void |
setAccessDecisionManager(AccessDecisionManager accessDecisionManager) |
void |
setAfterInvocationManager(AfterInvocationManager afterInvocationManager) |
void |
setAlwaysReauthenticate(boolean alwaysReauthenticate)
Indicates whether the
AbstractSecurityInterceptor should ignore the
Authentication.isAuthenticated() property. |
void |
setApplicationEventPublisher(org.springframework.context.ApplicationEventPublisher applicationEventPublisher) |
void |
setAuthenticationManager(AuthenticationManager newManager) |
void |
setMessageSource(org.springframework.context.MessageSource messageSource) |
void |
setPublishAuthorizationSuccess(boolean publishAuthorizationSuccess)
Only
AuthorizationFailureEvent will be published. |
void |
setRejectPublicInvocations(boolean rejectPublicInvocations)
By rejecting public invocations (and setting this property to true),
essentially you are ensuring that every secure object invocation advised by
AbstractSecurityInterceptor has a configuration attribute defined. |
void |
setRunAsManager(RunAsManager runAsManager) |
void |
setValidateConfigAttributes(boolean validateConfigAttributes) |
protected final org.apache.commons.logging.Log logger
protected org.springframework.context.support.MessageSourceAccessor messages
public void afterPropertiesSet()
afterPropertiesSet
in interface org.springframework.beans.factory.InitializingBean
protected InterceptorStatusToken beforeInvocation(java.lang.Object object)
protected void finallyInvocation(InterceptorStatusToken token)
token
- as returned by the beforeInvocation(Object)
methodprotected java.lang.Object afterInvocation(InterceptorStatusToken token, java.lang.Object returnedObject)
token
- as returned by the beforeInvocation(Object)
methodreturnedObject
- any object returned from the secure object invocation (may be
null)public AccessDecisionManager getAccessDecisionManager()
public AfterInvocationManager getAfterInvocationManager()
public AuthenticationManager getAuthenticationManager()
public RunAsManager getRunAsManager()
public abstract java.lang.Class<?> getSecureObjectClass()
AbstractSecurityInterceptor
all support the indicated secure object class.public boolean isAlwaysReauthenticate()
public boolean isRejectPublicInvocations()
public boolean isValidateConfigAttributes()
public abstract SecurityMetadataSource obtainSecurityMetadataSource()
public void setAccessDecisionManager(AccessDecisionManager accessDecisionManager)
public void setAfterInvocationManager(AfterInvocationManager afterInvocationManager)
public void setAlwaysReauthenticate(boolean alwaysReauthenticate)
AbstractSecurityInterceptor
should ignore the
Authentication.isAuthenticated()
property. Defaults to false
,
meaning by default the Authentication.isAuthenticated()
property is
trusted and re-authentication will not occur if the principal has already been
authenticated.alwaysReauthenticate
- true
to force
AbstractSecurityInterceptor
to disregard the value of
Authentication.isAuthenticated()
and always re-authenticate the
request (defaults to false
).public void setApplicationEventPublisher(org.springframework.context.ApplicationEventPublisher applicationEventPublisher)
setApplicationEventPublisher
in interface org.springframework.context.ApplicationEventPublisherAware
public void setAuthenticationManager(AuthenticationManager newManager)
public void setMessageSource(org.springframework.context.MessageSource messageSource)
setMessageSource
in interface org.springframework.context.MessageSourceAware
public void setPublishAuthorizationSuccess(boolean publishAuthorizationSuccess)
AuthorizationFailureEvent
will be published. If you set this property
to true
, AuthorizedEvent
s will also be published.publishAuthorizationSuccess
- default value is false
public void setRejectPublicInvocations(boolean rejectPublicInvocations)
AbstractSecurityInterceptor
has a configuration attribute defined.
This is useful to ensure a "fail safe" mode where undeclared secure objects will be
rejected and configuration omissions detected early. An
IllegalArgumentException will be thrown by the
AbstractSecurityInterceptor if you set this property to true and
an attempt is made to invoke a secure object that has no configuration attributes.rejectPublicInvocations
- set to true
to reject invocations of
secure objects that have no configuration attributes (by default it is
false
which treats undeclared secure objects as "public" or
unauthorized).public void setRunAsManager(RunAsManager runAsManager)
public void setValidateConfigAttributes(boolean validateConfigAttributes)