Package org.springframework.security.access.intercept

Class RunAsManagerImpl

java.lang.Object
org.springframework.security.access.intercept.RunAsManagerImpl
All Implemented Interfaces:
org.springframework.beans.factory.InitializingBean, RunAsManager
public class RunAsManagerImpl extends Object implements RunAsManager, org.springframework.beans.factory.InitializingBean
Basic concrete implementation of a RunAsManager.

Is activated if any ConfigAttribute.getAttribute() is prefixed with RUN_AS_. If found, it generates a new RunAsUserToken containing the same principal, credentials and granted authorities as the original Authentication object, along with SimpleGrantedAuthoritys for each RUN_AS_ indicated. The created SimpleGrantedAuthoritys will be prefixed with a special prefix indicating that it is a role (default prefix value is ROLE_), and then the remainder of the RUN_AS_ keyword. For example, RUN_AS_FOO will result in the creation of a granted authority of ROLE_RUN_AS_FOO.

The role prefix may be overridden from the default, to match that used elsewhere, for example when using an existing role database with another prefix. An empty role prefix may also be specified. Note however that there are potential issues with using an empty role prefix since different categories of ConfigAttribute can not be properly discerned based on the prefix, with possible consequences when performing voting and other actions. However, this option may be of some use when using pre-existing role names without a prefix, and no ability exists to prefix them with a role prefix on reading them in, such as provided for example in JdbcDaoImpl.

  • Constructor Details

    • RunAsManagerImpl

      public RunAsManagerImpl()

  • Method Details

    • afterPropertiesSet

      public void afterPropertiesSet()
      Specified by:
      afterPropertiesSet in interface org.springframework.beans.factory.InitializingBean

    • buildRunAs

      public Authentication buildRunAs(Authentication authentication, Object object, Collection<ConfigAttribute> attributes)
      Description copied from interface: RunAsManager
      Returns a replacement Authentication object for the current secure object invocation, or null if replacement not required.
      Specified by:
      buildRunAs in interface RunAsManager
      Parameters:
      authentication - the caller invoking the secure object
      object - the secured object being called
      attributes - the configuration attributes associated with the secure object being invoked
      Returns:
      a replacement object to be used for duration of the secure object invocation, or null if the Authentication should be left as is

    • getKey

      public String getKey()

    • getRolePrefix

      public String getRolePrefix()

    • setKey

      public void setKey(String key)

    • setRolePrefix

      public void setRolePrefix(String rolePrefix)
      Allows the default role prefix of ROLE_ to be overridden. May be set to an empty value, although this is usually not desirable.
      Parameters:
      rolePrefix - the new prefix

    • supports

      public boolean supports(ConfigAttribute attribute)
      Description copied from interface: RunAsManager
      Indicates whether this RunAsManager is able to process the passed ConfigAttribute.

      This allows the AbstractSecurityInterceptor to check every configuration attribute can be consumed by the configured AccessDecisionManager and/or RunAsManager and/or AfterInvocationManager.

      Specified by:
      supports in interface RunAsManager
      Parameters:
      attribute - a configuration attribute that has been configured against the AbstractSecurityInterceptor
      Returns:
      true if this RunAsManager can support the passed configuration attribute

    • supports

      public boolean supports(Class<?> clazz)
      This implementation supports any type of class, because it does not query the presented secure object.
      Specified by:
      supports in interface RunAsManager
      Parameters:
      clazz - the secure object
      Returns:
      always true