Class PrePostAnnotationSecurityMetadataSource

java.lang.Object
org.springframework.security.access.method.AbstractMethodSecurityMetadataSource
org.springframework.security.access.prepost.PrePostAnnotationSecurityMetadataSource
All Implemented Interfaces:
org.springframework.aop.framework.AopInfrastructureBean, MethodSecurityMetadataSource, SecurityMetadataSource

public class PrePostAnnotationSecurityMetadataSource extends AbstractMethodSecurityMetadataSource
MethodSecurityMetadataSource which extracts metadata from the @PreFilter and @PreAuthorize annotations placed on a method. This class is merely responsible for locating the relevant annotations (if any). It delegates the actual ConfigAttribute creation to its PrePostInvocationAttributeFactory, thus decoupling itself from the mechanism which will enforce the annotations' behaviour.

Annotations may be specified on classes or methods, and method-specific annotations will take precedence. If you use any annotation and do not specify a pre-authorization condition, then the method will be allowed as if a @PreAuthorize("permitAll") were present.

Since we are handling multiple annotations here, it's possible that we may have to combine annotations defined in multiple locations for a single method - they may be defined on the method itself, or at interface or class level.

Since:
3.0
See Also: