Class WebExpressionVoter

java.lang.Object
org.springframework.security.web.access.expression.WebExpressionVoter
All Implemented Interfaces:
AccessDecisionVoter<FilterInvocation>

public class WebExpressionVoter extends Object implements AccessDecisionVoter<FilterInvocation>
Voter which handles web authorisation decisions.
Since:
3.0
  • Constructor Details

    • WebExpressionVoter

      public WebExpressionVoter()
  • Method Details

    • vote

      public int vote(Authentication authentication, FilterInvocation filterInvocation, Collection<ConfigAttribute> attributes)
      Description copied from interface: AccessDecisionVoter
      Indicates whether or not access is granted.

      The decision must be affirmative (ACCESS_GRANTED), negative (ACCESS_DENIED) or the AccessDecisionVoter can abstain (ACCESS_ABSTAIN) from voting. Under no circumstances should implementing classes return any other value. If a weighting of results is desired, this should be handled in a custom AccessDecisionManager instead.

      Unless an AccessDecisionVoter is specifically intended to vote on an access control decision due to a passed method invocation or configuration attribute parameter, it must return ACCESS_ABSTAIN. This prevents the coordinating AccessDecisionManager from counting votes from those AccessDecisionVoters without a legitimate interest in the access control decision.

      Whilst the secured object (such as a MethodInvocation) is passed as a parameter to maximise flexibility in making access control decisions, implementing classes should not modify it or cause the represented invocation to take place (for example, by calling MethodInvocation.proceed()).

      Specified by:
      vote in interface AccessDecisionVoter<FilterInvocation>
      Parameters:
      authentication - the caller making the invocation
      filterInvocation - the secured object being invoked
      attributes - the configuration attributes associated with the secured object
      Returns:
      either AccessDecisionVoter.ACCESS_GRANTED, AccessDecisionVoter.ACCESS_ABSTAIN or AccessDecisionVoter.ACCESS_DENIED
    • supports

      public boolean supports(ConfigAttribute attribute)
      Description copied from interface: AccessDecisionVoter
      Indicates whether this AccessDecisionVoter is able to vote on the passed ConfigAttribute.

      This allows the AbstractSecurityInterceptor to check that every configuration attribute can be consumed by the configured AccessDecisionManager and/or RunAsManager and/or AfterInvocationManager.

      Specified by:
      supports in interface AccessDecisionVoter<FilterInvocation>
      Parameters:
      attribute - a configuration attribute that has been configured against the AbstractSecurityInterceptor
      Returns:
      true if this AccessDecisionVoter can support the passed configuration attribute
    • supports

      public boolean supports(Class<?> clazz)
      Description copied from interface: AccessDecisionVoter
      Indicates whether the AccessDecisionVoter implementation is able to provide access control votes for the indicated secured object type.
      Specified by:
      supports in interface AccessDecisionVoter<FilterInvocation>
      Parameters:
      clazz - the class that is being queried
      Returns:
      true if the implementation can process the indicated class
    • setExpressionHandler

      public void setExpressionHandler(SecurityExpressionHandler<FilterInvocation> expressionHandler)
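
The voting contract described under vote, shown as an added example that is not part of the Spring Security documentation or code base: a custom voter that abstains unless one of its own attributes is configured for the request. The class name TeamAttributeVoter and the TEAM_ attribute prefix are assumptions made for illustration.

```java
import java.util.Collection;

import org.springframework.security.access.AccessDecisionVoter;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.web.FilterInvocation;

/** Hypothetical voter that only has an interest in attributes named "TEAM_<name>". */
public class TeamAttributeVoter implements AccessDecisionVoter<FilterInvocation> {

    private static final String PREFIX = "TEAM_"; // assumed attribute prefix

    @Override
    public boolean supports(ConfigAttribute attribute) {
        // getAttribute() can return null for attributes with no String form
        String value = attribute.getAttribute();
        return value != null && value.startsWith(PREFIX);
    }

    @Override
    public boolean supports(Class<?> clazz) {
        // This voter only votes on web requests
        return FilterInvocation.class.isAssignableFrom(clazz);
    }

    @Override
    public int vote(Authentication authentication, FilterInvocation filterInvocation,
            Collection<ConfigAttribute> attributes) {
        // filterInvocation is deliberately left untouched: the voter must not
        // modify the secured object or cause the invocation to proceed.
        int result = ACCESS_ABSTAIN; // stays ABSTAIN if no TEAM_ attribute is present
        for (ConfigAttribute attribute : attributes) {
            if (!supports(attribute)) {
                continue; // not ours: do not let it influence the vote
            }
            result = ACCESS_DENIED; // a TEAM_ attribute exists, so we must decide
            if (authentication == null) {
                continue; // no caller to match against; the vote stays DENIED
            }
            for (GrantedAuthority authority : authentication.getAuthorities()) {
                if (attribute.getAttribute().equals(authority.getAuthority())) {
                    return ACCESS_GRANTED; // caller holds the required authority
                }
            }
        }
        return result; // only ever GRANTED, DENIED or ABSTAIN
    }
}
```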