Class AbstractSecurityInterceptor
- java.lang.Object
-
- org.springframework.security.access.intercept.AbstractSecurityInterceptor
-
- All Implemented Interfaces:
org.springframework.beans.factory.Aware
,org.springframework.beans.factory.InitializingBean
,org.springframework.context.ApplicationEventPublisherAware
,org.springframework.context.MessageSourceAware
- Direct Known Subclasses:
ChannelSecurityInterceptor
,FilterSecurityInterceptor
,MethodSecurityInterceptor
@Deprecated public abstract class AbstractSecurityInterceptor extends java.lang.Object implements org.springframework.beans.factory.InitializingBean, org.springframework.context.ApplicationEventPublisherAware, org.springframework.context.MessageSourceAware
Deprecated.UseAuthorizationFilter
instead for filter security,AuthorizationChannelInterceptor
for messaging security, orAuthorizationManagerBeforeMethodInterceptor
andAuthorizationManagerAfterMethodInterceptor
for method security.Abstract class that implements security interception for secure objects.The
AbstractSecurityInterceptor
will ensure the proper startup configuration of the security interceptor. It will also implement the proper handling of secure object invocations, namely:- Obtain the
Authentication
object from theSecurityContextHolder
. - Determine if the request relates to a secured or public invocation by looking up
the secure object request against the
SecurityMetadataSource
. - For an invocation that is secured (there is a list of
ConfigAttribute
s for the secure object invocation):- If either the
Authentication.isAuthenticated()
returnsfalse
, or thealwaysReauthenticate
istrue
, authenticate the request against the configuredAuthenticationManager
. When authenticated, replace theAuthentication
object on theSecurityContextHolder
with the returned value. - Authorize the request against the configured
AccessDecisionManager
. - Perform any run-as replacement via the configured
RunAsManager
. - Pass control back to the concrete subclass, which will actually proceed with
executing the object. A
InterceptorStatusToken
is returned so that after the subclass has finished proceeding with execution of the object, its finally clause can ensure theAbstractSecurityInterceptor
is re-called and tidies up correctly usingfinallyInvocation(InterceptorStatusToken)
. - The concrete subclass will re-call the
AbstractSecurityInterceptor
via theafterInvocation(InterceptorStatusToken, Object)
method. - If the
RunAsManager
replaced theAuthentication
object, return theSecurityContextHolder
to the object that existed after the call toAuthenticationManager
. - If an
AfterInvocationManager
is defined, invoke the invocation manager and allow it to replace the object due to be returned to the caller.
- If either the
- For an invocation that is public (there are no
ConfigAttribute
s for the secure object invocation):- As described above, the concrete subclass will be returned an
InterceptorStatusToken
which is subsequently re-presented to theAbstractSecurityInterceptor
after the secure object has been executed. TheAbstractSecurityInterceptor
will take no further action when itsafterInvocation(InterceptorStatusToken, Object)
is called.
- As described above, the concrete subclass will be returned an
- Control again returns to the concrete subclass, along with the
Object
that should be returned to the caller. The subclass will then return that result or exception to the original caller.
-
-
Constructor Summary
Constructors Constructor Description AbstractSecurityInterceptor()
Deprecated.
-
Method Summary
All Methods Instance Methods Abstract Methods Concrete Methods Deprecated Methods Modifier and Type Method Description protected java.lang.Object
afterInvocation(InterceptorStatusToken token, java.lang.Object returnedObject)
Deprecated.Completes the work of the AbstractSecurityInterceptor after the secure object invocation has been completed.void
afterPropertiesSet()
Deprecated.protected InterceptorStatusToken
beforeInvocation(java.lang.Object object)
Deprecated.protected void
finallyInvocation(InterceptorStatusToken token)
Deprecated.Cleans up the work of the AbstractSecurityInterceptor after the secure object invocation has been completed.AccessDecisionManager
getAccessDecisionManager()
Deprecated.AfterInvocationManager
getAfterInvocationManager()
Deprecated.AuthenticationManager
getAuthenticationManager()
Deprecated.RunAsManager
getRunAsManager()
Deprecated.abstract java.lang.Class<?>
getSecureObjectClass()
Deprecated.Indicates the type of secure objects the subclass will be presenting to the abstract parent for processing.boolean
isAlwaysReauthenticate()
Deprecated.boolean
isRejectPublicInvocations()
Deprecated.boolean
isValidateConfigAttributes()
Deprecated.abstract SecurityMetadataSource
obtainSecurityMetadataSource()
Deprecated.void
setAccessDecisionManager(AccessDecisionManager accessDecisionManager)
Deprecated.void
setAfterInvocationManager(AfterInvocationManager afterInvocationManager)
Deprecated.void
setAlwaysReauthenticate(boolean alwaysReauthenticate)
Deprecated.Indicates whether theAbstractSecurityInterceptor
should ignore theAuthentication.isAuthenticated()
property.void
setApplicationEventPublisher(org.springframework.context.ApplicationEventPublisher applicationEventPublisher)
Deprecated.void
setAuthenticationManager(AuthenticationManager newManager)
Deprecated.void
setMessageSource(org.springframework.context.MessageSource messageSource)
Deprecated.void
setPublishAuthorizationSuccess(boolean publishAuthorizationSuccess)
Deprecated.OnlyAuthorizationFailureEvent
will be published.void
setRejectPublicInvocations(boolean rejectPublicInvocations)
Deprecated.By rejecting public invocations (and setting this property to true), essentially you are ensuring that every secure object invocation advised byAbstractSecurityInterceptor
has a configuration attribute defined.void
setRunAsManager(RunAsManager runAsManager)
Deprecated.void
setSecurityContextHolderStrategy(SecurityContextHolderStrategy securityContextHolderStrategy)
Deprecated.Sets theSecurityContextHolderStrategy
to use.void
setValidateConfigAttributes(boolean validateConfigAttributes)
Deprecated.
-
-
-
Method Detail
-
afterPropertiesSet
public void afterPropertiesSet()
Deprecated.- Specified by:
afterPropertiesSet
in interfaceorg.springframework.beans.factory.InitializingBean
-
beforeInvocation
protected InterceptorStatusToken beforeInvocation(java.lang.Object object)
Deprecated.
-
finallyInvocation
protected void finallyInvocation(InterceptorStatusToken token)
Deprecated.Cleans up the work of the AbstractSecurityInterceptor after the secure object invocation has been completed. This method should be invoked after the secure object invocation and before afterInvocation regardless of the secure object invocation returning successfully (i.e. it should be done in a finally block).- Parameters:
token
- as returned by thebeforeInvocation(Object)
method
-
afterInvocation
protected java.lang.Object afterInvocation(InterceptorStatusToken token, java.lang.Object returnedObject)
Deprecated.Completes the work of the AbstractSecurityInterceptor after the secure object invocation has been completed.- Parameters:
token
- as returned by thebeforeInvocation(Object)
methodreturnedObject
- any object returned from the secure object invocation (may be null)- Returns:
- the object the secure object invocation should ultimately return to its caller (may be null)
-
getAccessDecisionManager
public AccessDecisionManager getAccessDecisionManager()
Deprecated.
-
getAfterInvocationManager
public AfterInvocationManager getAfterInvocationManager()
Deprecated.
-
getAuthenticationManager
public AuthenticationManager getAuthenticationManager()
Deprecated.
-
getRunAsManager
public RunAsManager getRunAsManager()
Deprecated.
-
getSecureObjectClass
public abstract java.lang.Class<?> getSecureObjectClass()
Deprecated.Indicates the type of secure objects the subclass will be presenting to the abstract parent for processing. This is used to ensure collaborators wired to theAbstractSecurityInterceptor
all support the indicated secure object class.- Returns:
- the type of secure object the subclass provides services for
-
isAlwaysReauthenticate
public boolean isAlwaysReauthenticate()
Deprecated.
-
isRejectPublicInvocations
public boolean isRejectPublicInvocations()
Deprecated.
-
isValidateConfigAttributes
public boolean isValidateConfigAttributes()
Deprecated.
-
obtainSecurityMetadataSource
public abstract SecurityMetadataSource obtainSecurityMetadataSource()
Deprecated.
-
setSecurityContextHolderStrategy
public void setSecurityContextHolderStrategy(SecurityContextHolderStrategy securityContextHolderStrategy)
Deprecated.Sets theSecurityContextHolderStrategy
to use. The default action is to use theSecurityContextHolderStrategy
stored inSecurityContextHolder
.- Since:
- 5.8
-
setAccessDecisionManager
public void setAccessDecisionManager(AccessDecisionManager accessDecisionManager)
Deprecated.
-
setAfterInvocationManager
public void setAfterInvocationManager(AfterInvocationManager afterInvocationManager)
Deprecated.
-
setAlwaysReauthenticate
public void setAlwaysReauthenticate(boolean alwaysReauthenticate)
Deprecated.Indicates whether theAbstractSecurityInterceptor
should ignore theAuthentication.isAuthenticated()
property. Defaults tofalse
, meaning by default theAuthentication.isAuthenticated()
property is trusted and re-authentication will not occur if the principal has already been authenticated.- Parameters:
alwaysReauthenticate
-true
to forceAbstractSecurityInterceptor
to disregard the value ofAuthentication.isAuthenticated()
and always re-authenticate the request (defaults tofalse
).
-
setApplicationEventPublisher
public void setApplicationEventPublisher(org.springframework.context.ApplicationEventPublisher applicationEventPublisher)
Deprecated.- Specified by:
setApplicationEventPublisher
in interfaceorg.springframework.context.ApplicationEventPublisherAware
-
setAuthenticationManager
public void setAuthenticationManager(AuthenticationManager newManager)
Deprecated.
-
setMessageSource
public void setMessageSource(org.springframework.context.MessageSource messageSource)
Deprecated.- Specified by:
setMessageSource
in interfaceorg.springframework.context.MessageSourceAware
-
setPublishAuthorizationSuccess
public void setPublishAuthorizationSuccess(boolean publishAuthorizationSuccess)
Deprecated.OnlyAuthorizationFailureEvent
will be published. If you set this property totrue
,AuthorizedEvent
s will also be published.- Parameters:
publishAuthorizationSuccess
- default value isfalse
-
setRejectPublicInvocations
public void setRejectPublicInvocations(boolean rejectPublicInvocations)
Deprecated.By rejecting public invocations (and setting this property to true), essentially you are ensuring that every secure object invocation advised byAbstractSecurityInterceptor
has a configuration attribute defined. This is useful to ensure a "fail safe" mode where undeclared secure objects will be rejected and configuration omissions detected early. An IllegalArgumentException will be thrown by the AbstractSecurityInterceptor if you set this property to true and an attempt is made to invoke a secure object that has no configuration attributes.- Parameters:
rejectPublicInvocations
- set totrue
to reject invocations of secure objects that have no configuration attributes (by default it isfalse
which treats undeclared secure objects as "public" or unauthorized).
-
setRunAsManager
public void setRunAsManager(RunAsManager runAsManager)
Deprecated.
-
setValidateConfigAttributes
public void setValidateConfigAttributes(boolean validateConfigAttributes)
Deprecated.
-
-