Class RoleVoter
- java.lang.Object
-
- org.springframework.security.access.vote.RoleVoter
-
- All Implemented Interfaces:
AccessDecisionVoter<java.lang.Object>
- Direct Known Subclasses:
RoleHierarchyVoter
public class RoleVoter extends java.lang.Object implements AccessDecisionVoter<java.lang.Object>
Votes if anyConfigAttribute.getAttribute()
starts with a prefix indicating that it is a role. The default prefix string isROLE_
, but this may be overridden to any value. It may also be set to empty, which means that essentially any attribute will be voted on. As described further below, the effect of an empty prefix may not be quite desirable.Abstains from voting if no configuration attribute commences with the role prefix. Votes to grant access if there is an exact matching
GrantedAuthority
to aConfigAttribute
starting with the role prefix. Votes to deny access if there is no exact matchingGrantedAuthority
to aConfigAttribute
starting with the role prefix.An empty role prefix means that the voter will vote for every ConfigAttribute. When there are different categories of ConfigAttributes used, this will not be optimal since the voter will be voting for attributes which do not represent roles. However, this option may be of some use when using pre-existing role names without a prefix, and no ability exists to prefix them with a role prefix on reading them in, such as provided for example in
JdbcDaoImpl
.All comparisons and prefixes are case sensitive.
-
-
Field Summary
-
Fields inherited from interface org.springframework.security.access.AccessDecisionVoter
ACCESS_ABSTAIN, ACCESS_DENIED, ACCESS_GRANTED
-
-
Constructor Summary
Constructors Constructor Description RoleVoter()
-
Method Summary
All Methods Instance Methods Concrete Methods Modifier and Type Method Description java.lang.String
getRolePrefix()
void
setRolePrefix(java.lang.String rolePrefix)
Allows the default role prefix ofROLE_
to be overridden.boolean
supports(java.lang.Class<?> clazz)
This implementation supports any type of class, because it does not query the presented secure object.boolean
supports(ConfigAttribute attribute)
Indicates whether thisAccessDecisionVoter
is able to vote on the passedConfigAttribute
.int
vote(Authentication authentication, java.lang.Object object, java.util.Collection<ConfigAttribute> attributes)
Indicates whether or not access is granted.
-
-
-
Method Detail
-
getRolePrefix
public java.lang.String getRolePrefix()
-
setRolePrefix
public void setRolePrefix(java.lang.String rolePrefix)
Allows the default role prefix ofROLE_
to be overridden. May be set to an empty value, although this is usually not desirable.- Parameters:
rolePrefix
- the new prefix
-
supports
public boolean supports(ConfigAttribute attribute)
Description copied from interface:AccessDecisionVoter
Indicates whether thisAccessDecisionVoter
is able to vote on the passedConfigAttribute
.This allows the
AbstractSecurityInterceptor
to check every configuration attribute can be consumed by the configuredAccessDecisionManager
and/orRunAsManager
and/orAfterInvocationManager
.- Specified by:
supports
in interfaceAccessDecisionVoter<java.lang.Object>
- Parameters:
attribute
- a configuration attribute that has been configured against theAbstractSecurityInterceptor
- Returns:
- true if this
AccessDecisionVoter
can support the passed configuration attribute
-
supports
public boolean supports(java.lang.Class<?> clazz)
This implementation supports any type of class, because it does not query the presented secure object.- Specified by:
supports
in interfaceAccessDecisionVoter<java.lang.Object>
- Parameters:
clazz
- the secure object- Returns:
- always
true
-
vote
public int vote(Authentication authentication, java.lang.Object object, java.util.Collection<ConfigAttribute> attributes)
Description copied from interface:AccessDecisionVoter
Indicates whether or not access is granted.The decision must be affirmative (
ACCESS_GRANTED
), negative (ACCESS_DENIED
) or theAccessDecisionVoter
can abstain (ACCESS_ABSTAIN
) from voting. Under no circumstances should implementing classes return any other value. If a weighting of results is desired, this should be handled in a customAccessDecisionManager
instead.Unless an
AccessDecisionVoter
is specifically intended to vote on an access control decision due to a passed method invocation or configuration attribute parameter, it must returnACCESS_ABSTAIN
. This prevents the coordinatingAccessDecisionManager
from counting votes from thoseAccessDecisionVoter
s without a legitimate interest in the access control decision.Whilst the secured object (such as a
MethodInvocation
) is passed as a parameter to maximise flexibility in making access control decisions, implementing classes should not modify it or cause the represented invocation to take place (for example, by callingMethodInvocation.proceed()
).- Specified by:
vote
in interfaceAccessDecisionVoter<java.lang.Object>
- Parameters:
authentication
- the caller making the invocationobject
- the secured object being invokedattributes
- the configuration attributes associated with the secured object- Returns:
- either
AccessDecisionVoter.ACCESS_GRANTED
,AccessDecisionVoter.ACCESS_ABSTAIN
orAccessDecisionVoter.ACCESS_DENIED
-
-