Class AbstractFallbackMethodSecurityMetadataSource

java.lang.Object
org.springframework.security.access.method.AbstractMethodSecurityMetadataSource
org.springframework.security.access.method.AbstractFallbackMethodSecurityMetadataSource
All Implemented Interfaces:
org.springframework.aop.framework.AopInfrastructureBean, MethodSecurityMetadataSource, SecurityMetadataSource
Direct Known Subclasses:
Jsr250MethodSecurityMetadataSource, MapBasedMethodSecurityMetadataSource, SecuredAnnotationSecurityMetadataSource

public abstract class AbstractFallbackMethodSecurityMetadataSource extends AbstractMethodSecurityMetadataSource
Abstract implementation of MethodSecurityMetadataSource that supports both Spring AOP and AspectJ and performs attribute resolution from: 1. specific target method; 2. target class; 3. declaring method; 4. declaring class/interface. Use with DelegatingMethodSecurityMetadataSource for caching support.

This class mimics the behaviour of Spring's AbstractFallbackTransactionAttributeSource class.

Note that this class cannot extract security metadata where that metadata is expressed by way of a target method/class (i.e. #1 and #2 above) AND the target method/class is encapsulated in another proxy object. Spring Security does not walk a proxy chain to locate the concrete/final target object. Consider making Spring Security your final advisor (so it advises the final target, as opposed to another proxy), move the metadata to declared methods or interfaces the proxy implements, or provide your own replacement MethodSecurityMetadataSource.

Since:
2.0
  • Constructor Details

    • AbstractFallbackMethodSecurityMetadataSource

      public AbstractFallbackMethodSecurityMetadataSource()
  • Method Details

    • getAttributes

      public Collection<ConfigAttribute> getAttributes(Method method, Class<?> targetClass)
    • findAttributes

      protected abstract Collection<ConfigAttribute> findAttributes(Method method, Class<?> targetClass)
      Obtains the security metadata applicable to the specified method invocation.

      Note that the Method.getDeclaringClass() may not equal the targetClass. Both parameters are provided to assist subclasses which may wish to provide advanced capabilities related to method metadata being "registered" against a method even if the target class does not declare the method (i.e. the subclass may only inherit the method).

      Parameters:
      method - the method for the current invocation (never null)
      targetClass - the target class for the invocation (may be null)
      Returns:
      the security metadata (or null if no metadata applies)
    • findAttributes

      protected abstract Collection<ConfigAttribute> findAttributes(Class<?> clazz)
      Obtains the security metadata registered against the specified class.

      Subclasses should only return metadata expressed at a class level. Subclasses should NOT aggregate metadata for each method registered against a class, as the abstract superclass will separate invoke findAttributes(Method, Class) for individual methods as appropriate.

      Parameters:
      clazz - the target class for the invocation (never null)
      Returns:
      the security metadata (or null if no metadata applies)