Class DefaultMethodSecurityExpressionHandler

  • All Implemented Interfaces:
    org.springframework.aop.framework.AopInfrastructureBean, org.springframework.beans.factory.Aware, org.springframework.context.ApplicationContextAware, MethodSecurityExpressionHandler, SecurityExpressionHandler<org.aopalliance.intercept.MethodInvocation>

    public class DefaultMethodSecurityExpressionHandler
    extends AbstractSecurityExpressionHandler<org.aopalliance.intercept.MethodInvocation>
    implements MethodSecurityExpressionHandler
    The standard implementation of MethodSecurityExpressionHandler.

    A single instance should usually be shared amongst the beans that require expression support.

    Since:
    3.0
    • Field Detail

      • logger

        protected final org.apache.commons.logging.Log logger
    • Constructor Detail

      • DefaultMethodSecurityExpressionHandler

        public DefaultMethodSecurityExpressionHandler()
    • Method Detail

      • createEvaluationContextInternal

        public org.springframework.expression.spel.support.StandardEvaluationContext createEvaluationContextInternal(Authentication auth,
                                                                                                                     org.aopalliance.intercept.MethodInvocation mi)
        Uses a MethodSecurityEvaluationContext as the EvaluationContext implementation.
        Overrides:
        createEvaluationContextInternal in class AbstractSecurityExpressionHandler<org.aopalliance.intercept.MethodInvocation>
        Parameters:
        auth - the current authentication object
        mi - the invocation (filter, method, channel)
        Returns:
        A StandardEvaluationContext or potentially a custom subclass if overridden.
      • createEvaluationContext

        public org.springframework.expression.EvaluationContext createEvaluationContext(java.util.function.Supplier<Authentication> authentication,
                                                                                        org.aopalliance.intercept.MethodInvocation mi)
        Description copied from interface: SecurityExpressionHandler
        Provides an evaluation context in which to evaluate security expressions for the invocation type. You can override this method in order to provide a custom implementation that uses lazy initialization of the Authentication object. By default, this method uses eager initialization of the Authentication object.
        Specified by:
        createEvaluationContext in interface SecurityExpressionHandler<org.aopalliance.intercept.MethodInvocation>
        Parameters:
        authentication - the Supplier of the Authentication to use
        mi - the MethodInvocation to use
        Returns:
        the EvaluationContext to use
      • filter

        public java.lang.Object filter(java.lang.Object filterTarget,
                                       org.springframework.expression.Expression filterExpression,
                                       org.springframework.expression.EvaluationContext ctx)
        Filters the filterTarget object (which must be either a collection, array, map or stream), by evaluating the supplied expression.

        If a Collection or Map is used, the original instance will be modified to contain the elements for which the permission expression evaluates to true. For an array, a new array instance will be returned.

        Specified by:
        filter in interface MethodSecurityExpressionHandler
        Parameters:
        filterTarget - the collection, array, map or stream to be filtered.
        filterExpression - the expression which should be used as the filter condition. If it returns false on evaluation, the object will be removed from the returned collection.
        ctx - the current evaluation context (as created through a call to SecurityExpressionHandler.createEvaluationContext(org.springframework.security.core.Authentication, Object))
        Returns:
        the filtered collection or array
      • setParameterNameDiscoverer

        public void setParameterNameDiscoverer(org.springframework.core.ParameterNameDiscoverer parameterNameDiscoverer)
        Sets the ParameterNameDiscoverer to use. The default is DefaultSecurityParameterNameDiscoverer.
        Parameters:
        parameterNameDiscoverer - the ParameterNameDiscoverer to use
      • getParameterNameDiscoverer

        protected org.springframework.core.ParameterNameDiscoverer getParameterNameDiscoverer()
        Returns:
        The current ParameterNameDiscoverer
      • setPermissionCacheOptimizer

        public void setPermissionCacheOptimizer(PermissionCacheOptimizer permissionCacheOptimizer)
      • setDefaultRolePrefix

        public void setDefaultRolePrefix(java.lang.String defaultRolePrefix)

        Sets the default prefix to be added to SecurityExpressionRoot.hasAnyRole(String...) or SecurityExpressionRoot.hasRole(String). For example, if hasRole("ADMIN") or hasRole("ROLE_ADMIN") is passed in, then the role ROLE_ADMIN will be used when the defaultRolePrefix is "ROLE_" (default).

        If null or empty, then no default role prefix is used.

        Parameters:
        defaultRolePrefix - the default prefix to add to roles. Default "ROLE_".
      • getDefaultRolePrefix

        protected java.lang.String getDefaultRolePrefix()
        Returns:
        The default role prefix
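
Added example (not part of the Spring Security documentation): how setDefaultRolePrefix changes what hasRole('ADMIN') matches, and how filter modifies a Collection in place, as described above. HandlerDemo, DocumentService and the sample principal and documents are constructed for illustration; it assumes spring-security-core and its Spring dependencies are on the classpath.

```java
import java.util.ArrayList;
import java.util.List;
import org.springframework.expression.EvaluationContext;
import org.springframework.expression.Expression;
import org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.util.SimpleMethodInvocation;

public class HandlerDemo {

    // Hypothetical secured service; it only supplies a MethodInvocation.
    public static class DocumentService {
        public List<String> list() { return new ArrayList<>(); }
    }

    // Builds the evaluation context for a call to DocumentService.list().
    static EvaluationContext context(DefaultMethodSecurityExpressionHandler handler,
                                     Authentication auth) throws Exception {
        return handler.createEvaluationContext(auth, new SimpleMethodInvocation(
                new DocumentService(), DocumentService.class.getMethod("list")));
    }

    public static void main(String[] args) throws Exception {
        // Constructed principal: name "alice", single authority "ROLE_ADMIN".
        Authentication alice = new TestingAuthenticationToken("alice", "n/a", "ROLE_ADMIN");

        DefaultMethodSecurityExpressionHandler handler = new DefaultMethodSecurityExpressionHandler();
        Expression isAdmin = handler.getExpressionParser().parseExpression("hasRole('ADMIN')");
        // Default prefix "ROLE_": the expression checks for the authority ROLE_ADMIN.
        System.out.println(isAdmin.getValue(context(handler, alice), Boolean.class));

        DefaultMethodSecurityExpressionHandler noPrefix = new DefaultMethodSecurityExpressionHandler();
        noPrefix.setDefaultRolePrefix("");
        // Empty prefix: the same expression now checks for the literal authority ADMIN,
        // so a principal holding only ROLE_ADMIN no longer satisfies it.
        System.out.println(isAdmin.getValue(context(noPrefix, alice), Boolean.class));

        // Constructed "owner:title" entries. The list must be mutable, because
        // filter modifies the original Collection instead of returning a copy.
        List<String> docs = new ArrayList<>(List.of("alice:plan", "bob:payroll", "alice:notes"));
        Expression owned = handler.getExpressionParser()
                .parseExpression("filterObject.startsWith(authentication.name + ':')");
        Object result = handler.filter(docs, owned, context(handler, alice));
        System.out.println(result == docs); // same instance check
        System.out.println(docs);           // only the caller's own entries remain
    }
}
```

Changing the role prefix on a handler silently changes the meaning of every existing hasRole and hasAnyRole expression evaluated through it, so audit those expressions against the authorities your principals actually carry before switching.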