Package org.springframework.security.access.vote

Class AuthenticatedVoter

  • All Implemented Interfaces:
    AccessDecisionVoter<java.lang.Object>
    public class AuthenticatedVoter
extends java.lang.Object
implements AccessDecisionVoter<java.lang.Object>
    Votes if a ConfigAttribute.getAttribute() of IS_AUTHENTICATED_FULLY or IS_AUTHENTICATED_REMEMBERED or IS_AUTHENTICATED_ANONYMOUSLY is present. This list is in order of most strict checking to least strict checking.

    The current Authentication will be inspected to determine if the principal has a particular level of authentication. The "FULLY" authenticated option means the user is authenticated fully (i.e. AuthenticationTrustResolver.isAnonymous(Authentication) is false and AuthenticationTrustResolver.isRememberMe(Authentication) is false). The "REMEMBERED" will grant access if the principal was either authenticated via remember-me OR is fully authenticated. The "ANONYMOUSLY" will grant access if the principal was authenticated via remember-me, OR anonymously, OR via full authentication.

    All comparisons and prefixes are case sensitive.

    • Field Detail

      • IS_AUTHENTICATED_FULLY

        public static final java.lang.String IS_AUTHENTICATED_FULLY
        See Also:
        Constant Field Values

      • IS_AUTHENTICATED_REMEMBERED

        public static final java.lang.String IS_AUTHENTICATED_REMEMBERED
        See Also:
        Constant Field Values

      • IS_AUTHENTICATED_ANONYMOUSLY

        public static final java.lang.String IS_AUTHENTICATED_ANONYMOUSLY
        See Also:
        Constant Field Values

    • Constructor Detail

      • AuthenticatedVoter

        public AuthenticatedVoter()

    • Method Detail

      • setAuthenticationTrustResolver

        public void setAuthenticationTrustResolver​(AuthenticationTrustResolver authenticationTrustResolver)

      • supports

        public boolean supports​(ConfigAttribute attribute)
        Description copied from interface: AccessDecisionVoter
        Indicates whether this AccessDecisionVoter is able to vote on the passed ConfigAttribute.

        This allows the AbstractSecurityInterceptor to check every configuration attribute can be consumed by the configured AccessDecisionManager and/or RunAsManager and/or AfterInvocationManager.

        Specified by:
        supports in interface AccessDecisionVoter<java.lang.Object>
        Parameters:
        attribute - a configuration attribute that has been configured against the AbstractSecurityInterceptor
        Returns:
        true if this AccessDecisionVoter can support the passed configuration attribute

      • supports

        public boolean supports​(java.lang.Class<?> clazz)
        This implementation supports any type of class, because it does not query the presented secure object.
        Specified by:
        supports in interface AccessDecisionVoter<java.lang.Object>
        Parameters:
        clazz - the secure object type
        Returns:
        always true

      • vote

        public int vote​(Authentication authentication,
                java.lang.Object object,
                java.util.Collection<ConfigAttribute> attributes)
        Description copied from interface: AccessDecisionVoter
        Indicates whether or not access is granted.

        The decision must be affirmative (ACCESS_GRANTED), negative ( ACCESS_DENIED) or the AccessDecisionVoter can abstain ( ACCESS_ABSTAIN) from voting. Under no circumstances should implementing classes return any other value. If a weighting of results is desired, this should be handled in a custom AccessDecisionManager instead.

        Unless an AccessDecisionVoter is specifically intended to vote on an access control decision due to a passed method invocation or configuration attribute parameter, it must return ACCESS_ABSTAIN. This prevents the coordinating AccessDecisionManager from counting votes from those AccessDecisionVoters without a legitimate interest in the access control decision.

        Whilst the secured object (such as a MethodInvocation) is passed as a parameter to maximise flexibility in making access control decisions, implementing classes should not modify it or cause the represented invocation to take place (for example, by calling MethodInvocation.proceed()).

        Specified by:
        vote in interface AccessDecisionVoter<java.lang.Object>
        Parameters:
        authentication - the caller making the invocation
        object - the secured object being invoked
        attributes - the configuration attributes associated with the secured object
        Returns:
        either AccessDecisionVoter.ACCESS_GRANTED, AccessDecisionVoter.ACCESS_ABSTAIN or AccessDecisionVoter.ACCESS_DENIED