Interface AccessDecisionVoter<S>

    • Method Summary

      All Methods Instance Methods Abstract Methods 
      Modifier and Type Method Description
      boolean supports​(java.lang.Class<?> clazz)
      Indicates whether the AccessDecisionVoter implementation is able to provide access control votes for the indicated secured object type.
      boolean supports​(ConfigAttribute attribute)
      Indicates whether this AccessDecisionVoter is able to vote on the passed ConfigAttribute.
      int vote​(Authentication authentication, S object, java.util.Collection<ConfigAttribute> attributes)
      Indicates whether or not access is granted.
    • Method Detail

      • supports

        boolean supports​(ConfigAttribute attribute)
        Indicates whether this AccessDecisionVoter is able to vote on the passed ConfigAttribute.

        This allows the AbstractSecurityInterceptor to check every configuration attribute can be consumed by the configured AccessDecisionManager and/or RunAsManager and/or AfterInvocationManager.

        Parameters:
        attribute - a configuration attribute that has been configured against the AbstractSecurityInterceptor
        Returns:
        true if this AccessDecisionVoter can support the passed configuration attribute
      • supports

        boolean supports​(java.lang.Class<?> clazz)
        Indicates whether the AccessDecisionVoter implementation is able to provide access control votes for the indicated secured object type.
        Parameters:
        clazz - the class that is being queried
        Returns:
        true if the implementation can process the indicated class
      • vote

        int vote​(Authentication authentication,
                 S object,
                 java.util.Collection<ConfigAttribute> attributes)
        Indicates whether or not access is granted.

        The decision must be affirmative (ACCESS_GRANTED), negative ( ACCESS_DENIED) or the AccessDecisionVoter can abstain ( ACCESS_ABSTAIN) from voting. Under no circumstances should implementing classes return any other value. If a weighting of results is desired, this should be handled in a custom AccessDecisionManager instead.

        Unless an AccessDecisionVoter is specifically intended to vote on an access control decision due to a passed method invocation or configuration attribute parameter, it must return ACCESS_ABSTAIN. This prevents the coordinating AccessDecisionManager from counting votes from those AccessDecisionVoters without a legitimate interest in the access control decision.

        Whilst the secured object (such as a MethodInvocation) is passed as a parameter to maximise flexibility in making access control decisions, implementing classes should not modify it or cause the represented invocation to take place (for example, by calling MethodInvocation.proceed()).

        Parameters:
        authentication - the caller making the invocation
        object - the secured object being invoked
        attributes - the configuration attributes associated with the secured object
        Returns:
        either ACCESS_GRANTED, ACCESS_ABSTAIN or ACCESS_DENIED