Class AuthorizationAdvisorProxyFactory

java.lang.Object
org.springframework.security.authorization.method.AuthorizationAdvisorProxyFactory
All Implemented Interfaces:
Iterable<AuthorizationAdvisor>, AuthorizationProxyFactory

public final class AuthorizationAdvisorProxyFactory extends Object implements AuthorizationProxyFactory, Iterable<AuthorizationAdvisor>
A proxy factory for applying authorization advice to an arbitrary object.

For example, consider a non-Spring-managed object Foo:

     class Foo {
         @PreAuthorize("hasAuthority('bar:read')")
         String bar() { ... }
     }
 
Use AuthorizationAdvisorProxyFactory to wrap the instance in Spring Security's PreAuthorize method interceptor like so:
     AuthorizationProxyFactory proxyFactory = AuthorizationAdvisorProxyFactory.withDefaults();
     Foo foo = new Foo();
     foo.bar(); // passes
     // proxy(Object) returns Object, so cast the result back to the target type
     Foo securedFoo = (Foo) proxyFactory.proxy(foo);
     securedFoo.bar(); // access denied!
 
Since:
6.3
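
The following is an added example, not part of the Spring Security documentation or code base. It shows that the `@PreAuthorize` check runs only on calls made through the proxy, and that proxying a `List` secures its elements. The class name `ProxyFactoryDemo`, the `attempt` and `login` helpers and the test identity are assumptions, and it assumes `spring-security-core` 6.3 or later with its Spring dependencies on the classpath.

```java
import java.util.List;

import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.authorization.method.AuthorizationAdvisorProxyFactory;
import org.springframework.security.core.context.SecurityContextHolder;

public class ProxyFactoryDemo {

    // Hypothetical domain type: public and non-final so a class-based proxy can subclass it.
    public static class Foo {
        @PreAuthorize("hasAuthority('bar:read')")
        public String bar() {
            return "bar";
        }
    }

    // Calls bar() and reports whether the authorization interceptor rejected the call.
    static String attempt(Foo foo) {
        try {
            return foo.bar();
        } catch (AccessDeniedException ex) {
            return "denied";
        }
    }

    static void login(String... authorities) {
        // Constructed test identity; a token built with authorities counts as authenticated.
        SecurityContextHolder.getContext()
            .setAuthentication(new TestingAuthenticationToken("alice", "n/a", authorities));
    }

    @SuppressWarnings("unchecked")
    public static void main(String[] args) {
        AuthorizationAdvisorProxyFactory factory = AuthorizationAdvisorProxyFactory.withDefaults();
        Foo raw = new Foo();
        Foo secured = (Foo) factory.proxy(raw); // proxy(Object) returns Object
        // Container target: the elements are proxied, not the List itself.
        List<Foo> securedList = (List<Foo>) factory.proxy(List.of(new Foo()));

        for (String authority : List.of("bar:write", "bar:read")) {
            login(authority);
            System.out.printf("%s raw=%s secured=%s element=%s%n", authority,
                    attempt(raw), attempt(secured), attempt(securedList.get(0)));
        }
        SecurityContextHolder.clearContext();
    }
}
```

The unproxied `raw` reference is never intercepted, so code that must be subject to the check should only ever be handed the proxied instance.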
  • Method Details

    • withDefaults

      public static AuthorizationAdvisorProxyFactory withDefaults()
      Construct an AuthorizationAdvisorProxyFactory with the defaults needed for wrapping objects in Spring Security's pre-post method security support.
      Returns:
      an AuthorizationAdvisorProxyFactory for adding pre-post method security support
    • withReactiveDefaults

      public static AuthorizationAdvisorProxyFactory withReactiveDefaults()
      Construct an AuthorizationAdvisorProxyFactory with the defaults needed for wrapping objects in Spring Security's pre-post reactive method security support.
      Returns:
      an AuthorizationAdvisorProxyFactory for adding pre-post reactive method security support
    • proxy

      public Object proxy(Object target)
      Proxy an object to enforce authorization advice.

      Proxies any instance of a non-final class or a class that implements more than one interface.

      If target is an Iterator, Collection, Array, Map, Stream, or Optional, then the element or value type is proxied.

      If target is a Class, then ProxyFactory.getProxyClass(java.lang.ClassLoader) is invoked instead.

      Specified by:
      proxy in interface AuthorizationProxyFactory
      Parameters:
      target - the instance to proxy
      Returns:
      the proxied instance
    • setAdvisors

      public void setAdvisors(AuthorizationAdvisor... advisors)
      Add advisors that should be included in each proxy created.

      All advisors are re-sorted by their advisor order.

      Parameters:
      advisors - the advisors to add
    • setAdvisors

      public void setAdvisors(Collection<AuthorizationAdvisor> advisors)
      Add advisors that should be included in each proxy created.

      All advisors are re-sorted by their advisor order.

      Parameters:
      advisors - the advisors to add
    • setTargetVisitor

      public void setTargetVisitor(AuthorizationAdvisorProxyFactory.TargetVisitor visitor)
      Use this visitor to navigate the proxy target's hierarchy.

      This can be helpful when you want a specialized behavior for a type or set of types. For example, if you want to have this factory skip primitives and wrappers, then you can do:

              AuthorizationAdvisorProxyFactory proxyFactory = new AuthorizationAdvisorProxyFactory();
              proxyFactory.setTargetVisitor(TargetVisitor.defaultsSkipValueTypes());
       

      The default AuthorizationAdvisorProxyFactory.TargetVisitor proxies Class instances as well as instances contained in reactive types (if reactor is present), collection types, and other container types like Optional and Supplier.

      If you want to add support for another container type, you can do so in the following way:

              TargetVisitor functions = (factory, target) -> {
                      if (target instanceof Function function) {
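                              // the cast gives the lambda a target type, since the visitor returns Object
                              return (Function<Object, Object>) (input) -> factory.proxy(function.apply(input));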
                      }
                      return null;
              };
              AuthorizationAdvisorProxyFactory proxyFactory = new AuthorizationAdvisorProxyFactory();
              proxyFactory.setTargetVisitor(TargetVisitor.of(functions, TargetVisitor.defaultsSkipValueTypes()));
       
      Parameters:
      visitor - the visitor to use to introduce specialized behavior for a type
    • iterator

      @NonNull public Iterator<AuthorizationAdvisor> iterator()
      Specified by:
      iterator in interface Iterable<AuthorizationAdvisor>