Interface RunAsManager
- All Known Implementing Classes:
  RunAsManagerImpl

Authentication object for the current secure object invocation only.

This interface permits implementations to replace the Authentication object that applies to the current secure object invocation only. The AbstractSecurityInterceptor will replace the Authentication object held in the SecurityContext for the duration of the secure object callback only, returning it to the original Authentication object when the callback ends.

This is provided so that systems with two layers of objects can be established. One
layer is public facing and has normal secure methods with the granted authorities
expected to be held by external callers. The other layer is private, and is only
expected to be called by objects within the public facing layer. The objects in this
private layer still need security (otherwise they would be public methods) and they
also need security in such a manner that prevents them being called directly by
external callers. The objects in the private layer would be configured to require
granted authorities never granted to external callers. The RunAsManager
interface provides a mechanism to elevate security in this manner.

It is expected implementations will provide a corresponding concrete Authentication and AuthenticationProvider so that the replacement Authentication object can be authenticated. Some form of security will need to be implemented to ensure the AuthenticationProvider only accepts Authentication objects created by an authorized concrete implementation of RunAsManager.
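
An added example, not part of the Spring Security Javadoc or code base: one way a custom implementation can pair its RunAsManager with a concrete Authentication and AuthenticationProvider so that only tokens it issued are accepted. The class names, the shared byte[] key, and the RUN_AS_ attribute prefix mapped to ROLE_ authorities are assumptions of this example.

```java
import java.security.MessageDigest;
import java.util.*;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.intercept.RunAsManager;
import org.springframework.security.authentication.*;
import org.springframework.security.core.*;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
// Hypothetical classes for illustration; the key is a secret shared by Manager and Provider only.
public class PrivateLayerRunAs {
    /** Replacement token; keeps the issuing key so the provider can check its origin. */
    static final class Token extends AbstractAuthenticationToken {
        private final byte[] key;
        private final Authentication original;
        Token(byte[] key, Authentication original, Collection<GrantedAuthority> authorities) {
            super(authorities);
            this.key = key.clone(); this.original = original;
            setAuthenticated(true);
        }
        @Override public Object getPrincipal() { return original.getPrincipal(); }
        @Override public Object getCredentials() { return original.getCredentials(); }
        boolean issuedWith(byte[] expected) { return MessageDigest.isEqual(key, expected); }
    }
    /** Adds ROLE_<attribute> for each RUN_AS_* attribute (the prefix is this example's assumption). */
    static final class Manager implements RunAsManager {
        private final byte[] key;
        Manager(byte[] key) { this.key = key.clone(); }
        @Override public Authentication buildRunAs(Authentication auth, Object o, Collection<ConfigAttribute> attrs) {
            List<GrantedAuthority> granted = new ArrayList<>();
            for (ConfigAttribute a : attrs)
                if (supports(a)) granted.add(new SimpleGrantedAuthority("ROLE_" + a.getAttribute()));
            if (granted.isEmpty()) return null;      // no replacement required
            granted.addAll(auth.getAuthorities());   // keep the caller's own authorities
            return new Token(key, auth, granted);
        }
        @Override public boolean supports(ConfigAttribute a) {
            return a.getAttribute() != null && a.getAttribute().startsWith("RUN_AS_");
        }
        @Override public boolean supports(Class<?> clazz) { return true; }
    }
    /** Accepts only tokens issued by a Manager holding the same key. */
    static final class Provider implements AuthenticationProvider {
        private final byte[] key;
        Provider(byte[] key) { this.key = key.clone(); }
        @Override public Authentication authenticate(Authentication a) {
            if (!((Token) a).issuedWith(key)) throw new BadCredentialsException("run-as key mismatch");
            return a;
        }
        @Override public boolean supports(Class<?> type) { return Token.class.isAssignableFrom(type); }
    }
}
```

A Token built by any code that does not hold the key fails the constant-time comparison in Provider.authenticate, so an external caller cannot hand itself the private layer's authorities by constructing the token directly.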

Method Summary
Modifier and Type | Method | Description
Authentication | buildRunAs(Authentication authentication, Object object, Collection<ConfigAttribute> attributes) | Returns a replacement Authentication object for the current secure object invocation, or null if replacement not required.
boolean | supports | Indicates whether the RunAsManager implementation is able to provide run-as replacement for the indicated secure object type.
boolean | supports(ConfigAttribute attribute) | Indicates whether this RunAsManager is able to process the passed ConfigAttribute.

Method Details

buildRunAs
Authentication buildRunAs(Authentication authentication, Object object, Collection<ConfigAttribute> attributes)
Returns a replacement Authentication object for the current secure object invocation, or null if replacement not required.
- Parameters:
  authentication - the caller invoking the secure object
  object - the secured object being called
  attributes - the configuration attributes associated with the secure object being invoked
- Returns:
  a replacement object to be used for duration of the secure object invocation, or null if the Authentication should be left as is

supports
Indicates whether this RunAsManager is able to process the passed ConfigAttribute.
This allows the AbstractSecurityInterceptor to check every configuration attribute can be consumed by the configured AccessDecisionManager and/or RunAsManager and/or AfterInvocationManager.
- Parameters:
  attribute - a configuration attribute that has been configured against the AbstractSecurityInterceptor
- Returns:
  true if this RunAsManager can support the passed configuration attribute

supports
Indicates whether the RunAsManager implementation is able to provide run-as replacement for the indicated secure object type.
- Parameters:
  clazz - the class that is being queried
- Returns:
  true if the implementation can process the indicated class