Class AbstractFallbackMethodSecurityMetadataSource

  • All Implemented Interfaces:
    org.springframework.aop.framework.AopInfrastructureBean, MethodSecurityMetadataSource, SecurityMetadataSource
    Direct Known Subclasses:
    Jsr250MethodSecurityMetadataSource, MapBasedMethodSecurityMetadataSource, SecuredAnnotationSecurityMetadataSource

    public abstract class AbstractFallbackMethodSecurityMetadataSource
    extends AbstractMethodSecurityMetadataSource
    Abstract implementation of MethodSecurityMetadataSource that supports both Spring AOP and AspectJ and performs attribute resolution from: 1. specific target method; 2. target class; 3. declaring method; 4. declaring class/interface. Use with DelegatingMethodSecurityMetadataSource for caching support.

    This class mimics the behaviour of Spring's AbstractFallbackTransactionAttributeSource class.

    Note that this class cannot extract security metadata where that metadata is expressed by way of a target method/class (i.e. #1 and #2 above) AND the target method/class is encapsulated in another proxy object. Spring Security does not walk a proxy chain to locate the concrete/final target object. Consider making Spring Security your final advisor (so it advises the final target, as opposed to another proxy), move the metadata to declared methods or interfaces the proxy implements, or provide your own replacement MethodSecurityMetadataSource.

    Since:
    2.0
    • Constructor Detail

      • AbstractFallbackMethodSecurityMetadataSource

        public AbstractFallbackMethodSecurityMetadataSource()
    • Method Detail

      • getAttributes

        public java.util.Collection<ConfigAttribute> getAttributes​(java.lang.reflect.Method method,
                                                                   java.lang.Class<?> targetClass)
      • findAttributes

        protected abstract java.util.Collection<ConfigAttribute> findAttributes​(java.lang.reflect.Method method,
                                                                                java.lang.Class<?> targetClass)
        Obtains the security metadata applicable to the specified method invocation.

        Note that the Method.getDeclaringClass() may not equal the targetClass. Both parameters are provided to assist subclasses which may wish to provide advanced capabilities related to method metadata being "registered" against a method even if the target class does not declare the method (i.e. the subclass may only inherit the method).

        Parameters:
        method - the method for the current invocation (never null)
        targetClass - the target class for the invocation (may be null)
        Returns:
        the security metadata (or null if no metadata applies)
      • findAttributes

        protected abstract java.util.Collection<ConfigAttribute> findAttributes​(java.lang.Class<?> clazz)
        Obtains the security metadata registered against the specified class.

        Subclasses should only return metadata expressed at a class level. Subclasses should NOT aggregate metadata for each method registered against a class, as the abstract superclass will separate invoke findAttributes(Method, Class) for individual methods as appropriate.

        Parameters:
        clazz - the target class for the invocation (never null)
        Returns:
        the security metadata (or null if no metadata applies)