Interface AccessDecisionVoter<S>
-
- All Known Implementing Classes:
AbstractAclVoter
,AclEntryVoter
,AuthenticatedVoter
,Jsr250Voter
,MessageExpressionVoter
,PreInvocationAuthorizationAdviceVoter
,RoleHierarchyVoter
,RoleVoter
,WebExpressionVoter
public interface AccessDecisionVoter<S>
Indicates a class is responsible for voting on authorization decisions.The coordination of voting (ie polling
AccessDecisionVoter
s, tallying their responses, and making the final authorization decision) is performed by anAccessDecisionManager
.
-
-
Field Summary
Fields Modifier and Type Field Description static int
ACCESS_ABSTAIN
static int
ACCESS_DENIED
static int
ACCESS_GRANTED
-
Method Summary
All Methods Instance Methods Abstract Methods Modifier and Type Method Description boolean
supports(java.lang.Class<?> clazz)
Indicates whether theAccessDecisionVoter
implementation is able to provide access control votes for the indicated secured object type.boolean
supports(ConfigAttribute attribute)
Indicates whether thisAccessDecisionVoter
is able to vote on the passedConfigAttribute
.int
vote(Authentication authentication, S object, java.util.Collection<ConfigAttribute> attributes)
Indicates whether or not access is granted.
-
-
-
Field Detail
-
ACCESS_GRANTED
static final int ACCESS_GRANTED
- See Also:
- Constant Field Values
-
ACCESS_ABSTAIN
static final int ACCESS_ABSTAIN
- See Also:
- Constant Field Values
-
ACCESS_DENIED
static final int ACCESS_DENIED
- See Also:
- Constant Field Values
-
-
Method Detail
-
supports
boolean supports(ConfigAttribute attribute)
Indicates whether thisAccessDecisionVoter
is able to vote on the passedConfigAttribute
.This allows the
AbstractSecurityInterceptor
to check every configuration attribute can be consumed by the configuredAccessDecisionManager
and/orRunAsManager
and/orAfterInvocationManager
.- Parameters:
attribute
- a configuration attribute that has been configured against theAbstractSecurityInterceptor
- Returns:
- true if this
AccessDecisionVoter
can support the passed configuration attribute
-
supports
boolean supports(java.lang.Class<?> clazz)
Indicates whether theAccessDecisionVoter
implementation is able to provide access control votes for the indicated secured object type.- Parameters:
clazz
- the class that is being queried- Returns:
- true if the implementation can process the indicated class
-
vote
int vote(Authentication authentication, S object, java.util.Collection<ConfigAttribute> attributes)
Indicates whether or not access is granted.The decision must be affirmative (
ACCESS_GRANTED
), negative (ACCESS_DENIED
) or theAccessDecisionVoter
can abstain (ACCESS_ABSTAIN
) from voting. Under no circumstances should implementing classes return any other value. If a weighting of results is desired, this should be handled in a customAccessDecisionManager
instead.Unless an
AccessDecisionVoter
is specifically intended to vote on an access control decision due to a passed method invocation or configuration attribute parameter, it must returnACCESS_ABSTAIN
. This prevents the coordinatingAccessDecisionManager
from counting votes from thoseAccessDecisionVoter
s without a legitimate interest in the access control decision.Whilst the secured object (such as a
MethodInvocation
) is passed as a parameter to maximise flexibility in making access control decisions, implementing classes should not modify it or cause the represented invocation to take place (for example, by callingMethodInvocation.proceed()
).- Parameters:
authentication
- the caller making the invocationobject
- the secured object being invokedattributes
- the configuration attributes associated with the secured object- Returns:
- either
ACCESS_GRANTED
,ACCESS_ABSTAIN
orACCESS_DENIED
-
-