Class AbstractSecurityInterceptor
java.lang.Object
org.springframework.security.access.intercept.AbstractSecurityInterceptor
- All Implemented Interfaces:
- org.springframework.beans.factory.Aware, org.springframework.beans.factory.InitializingBean, org.springframework.context.ApplicationEventPublisherAware, org.springframework.context.MessageSourceAware
- Direct Known Subclasses:
- ChannelSecurityInterceptor, FilterSecurityInterceptor, MethodSecurityInterceptor
@NullUnmarked
@Deprecated
public abstract class AbstractSecurityInterceptor
extends Object
implements org.springframework.beans.factory.InitializingBean, org.springframework.context.ApplicationEventPublisherAware, org.springframework.context.MessageSourceAware
Deprecated.
Abstract class that implements security interception for secure objects.

The AbstractSecurityInterceptor will ensure the proper startup configuration of the security interceptor. It will also implement the proper handling of secure object invocations, namely:

- Obtain the Authentication object from the SecurityContextHolder.
- Determine if the request relates to a secured or public invocation by looking up the secure object request against the SecurityMetadataSource.
- For an invocation that is secured (there is a list of ConfigAttributes for the secure object invocation):
  - If either Authentication.isAuthenticated() returns false, or alwaysReauthenticate is true, authenticate the request against the configured AuthenticationManager. When authenticated, replace the Authentication object on the SecurityContextHolder with the returned value.
  - Authorize the request against the configured AccessDecisionManager.
  - Perform any run-as replacement via the configured RunAsManager.
  - Pass control back to the concrete subclass, which will actually proceed with executing the object. An InterceptorStatusToken is returned so that after the subclass has finished proceeding with execution of the object, its finally clause can ensure the AbstractSecurityInterceptor is re-called and tidies up correctly using finallyInvocation(InterceptorStatusToken).
  - The concrete subclass will re-call the AbstractSecurityInterceptor via the afterInvocation(InterceptorStatusToken, Object) method.
  - If the RunAsManager replaced the Authentication object, return the SecurityContextHolder to the object that existed after the call to AuthenticationManager.
  - If an AfterInvocationManager is defined, invoke the invocation manager and allow it to replace the object due to be returned to the caller.
- For an invocation that is public (there are no ConfigAttributes for the secure object invocation):
  - As described above, the concrete subclass will be returned an InterceptorStatusToken which is subsequently re-presented to the AbstractSecurityInterceptor after the secure object has been executed. The AbstractSecurityInterceptor will take no further action when its afterInvocation(InterceptorStatusToken, Object) is called.
- Control again returns to the concrete subclass, along with the Object that should be returned to the caller. The subclass will then return that result or exception to the original caller.
Method Summary (modifier and type, method, description)

- protected Object afterInvocation(InterceptorStatusToken token, @Nullable Object returnedObject): Deprecated. Completes the work of the AbstractSecurityInterceptor after the secure object invocation has been completed.
- void afterPropertiesSet(): Deprecated.
- protected @Nullable InterceptorStatusToken beforeInvocation(Object object): Deprecated.
- protected void finallyInvocation(InterceptorStatusToken): Deprecated. Cleans up the work of the AbstractSecurityInterceptor after the secure object invocation has been completed.
- getAccessDecisionManager: Deprecated.
- getAfterInvocationManager: Deprecated.
- getAuthenticationManager: Deprecated.
- getRunAsManager: Deprecated.
- abstract Class<?> getSecureObjectClass: Deprecated. Indicates the type of secure objects the subclass will be presenting to the abstract parent for processing.
- boolean isAlwaysReauthenticate(): Deprecated.
- boolean isRejectPublicInvocations(): Deprecated.
- boolean isValidateConfigAttributes(): Deprecated.
- abstract SecurityMetadataSource obtainSecurityMetadataSource: Deprecated.
- void setAccessDecisionManager(AccessDecisionManager accessDecisionManager): Deprecated.
- void setAfterInvocationManager(AfterInvocationManager afterInvocationManager): Deprecated.
- void setAlwaysReauthenticate(boolean alwaysReauthenticate): Deprecated. Indicates whether the AbstractSecurityInterceptor should ignore the Authentication.isAuthenticated() property.
- void setApplicationEventPublisher(org.springframework.context.ApplicationEventPublisher applicationEventPublisher): Deprecated.
- void setAuthenticationManager(AuthenticationManager newManager): Deprecated.
- void setMessageSource(org.springframework.context.MessageSource messageSource): Deprecated.
- void setPublishAuthorizationSuccess(boolean publishAuthorizationSuccess): Deprecated. Only AuthorizationFailureEvent will be published.
- void setRejectPublicInvocations(boolean rejectPublicInvocations): Deprecated. By rejecting public invocations (and setting this property to true), essentially you are ensuring that every secure object invocation advised by AbstractSecurityInterceptor has a configuration attribute defined.
- void setRunAsManager(RunAsManager runAsManager): Deprecated.
- void setSecurityContextHolderStrategy(SecurityContextHolderStrategy securityContextHolderStrategy): Deprecated. Sets the SecurityContextHolderStrategy to use.
- void setValidateConfigAttributes(boolean validateConfigAttributes): Deprecated.

Field Details

- logger
  protected final org.apache.commons.logging.Log logger
  Deprecated.
- messages
  protected org.springframework.context.support.MessageSourceAccessor messages
  Deprecated.

Constructor Details

- AbstractSecurityInterceptor
  public AbstractSecurityInterceptor()
  Deprecated.

Method Details

- afterPropertiesSet
  public void afterPropertiesSet()
  Deprecated.
  Specified by: afterPropertiesSet in interface org.springframework.beans.factory.InitializingBean
- beforeInvocation
  Deprecated.
- finallyInvocation
  Deprecated.
  Cleans up the work of the AbstractSecurityInterceptor after the secure object invocation has been completed. This method should be invoked after the secure object invocation and before afterInvocation regardless of the secure object invocation returning successfully (i.e. it should be done in a finally block).
  Parameters:
    token - as returned by the beforeInvocation(Object) method
- afterInvocation
  Deprecated.
  Completes the work of the AbstractSecurityInterceptor after the secure object invocation has been completed.
  Parameters:
    token - as returned by the beforeInvocation(Object) method
    returnedObject - any object returned from the secure object invocation (may be null)
  Returns:
    the object the secure object invocation should ultimately return to its caller (may be null)
- getAccessDecisionManager
  Deprecated.
- getAfterInvocationManager
  Deprecated.
- getAuthenticationManager
  Deprecated.
- getRunAsManager
  Deprecated.
- getSecureObjectClass
  Deprecated.
  Indicates the type of secure objects the subclass will be presenting to the abstract parent for processing. This is used to ensure collaborators wired to the AbstractSecurityInterceptor all support the indicated secure object class.
  Returns:
    the type of secure object the subclass provides services for
- isAlwaysReauthenticate
  public boolean isAlwaysReauthenticate()
  Deprecated.
- isRejectPublicInvocations
  public boolean isRejectPublicInvocations()
  Deprecated.
- isValidateConfigAttributes
  public boolean isValidateConfigAttributes()
  Deprecated.
- obtainSecurityMetadataSource
  Deprecated.
- setSecurityContextHolderStrategy
  public void setSecurityContextHolderStrategy(SecurityContextHolderStrategy securityContextHolderStrategy)
  Deprecated.
  Sets the SecurityContextHolderStrategy to use. The default action is to use the SecurityContextHolderStrategy stored in SecurityContextHolder.
  Since: 5.8
- setAccessDecisionManager
  Deprecated.
- setAfterInvocationManager
  Deprecated.
- setAlwaysReauthenticate
  public void setAlwaysReauthenticate(boolean alwaysReauthenticate)
  Deprecated.
  Indicates whether the AbstractSecurityInterceptor should ignore the Authentication.isAuthenticated() property. Defaults to false, meaning by default the Authentication.isAuthenticated() property is trusted and re-authentication will not occur if the principal has already been authenticated.
  Parameters:
    alwaysReauthenticate - true to force AbstractSecurityInterceptor to disregard the value of Authentication.isAuthenticated() and always re-authenticate the request (defaults to false).
- setApplicationEventPublisher
  public void setApplicationEventPublisher(org.springframework.context.ApplicationEventPublisher applicationEventPublisher)
  Deprecated.
  Specified by: setApplicationEventPublisher in interface org.springframework.context.ApplicationEventPublisherAware
- setAuthenticationManager
  Deprecated.
- setMessageSource
  public void setMessageSource(org.springframework.context.MessageSource messageSource)
  Deprecated.
  Specified by: setMessageSource in interface org.springframework.context.MessageSourceAware
- setPublishAuthorizationSuccess
  public void setPublishAuthorizationSuccess(boolean publishAuthorizationSuccess)
  Deprecated.
  Only AuthorizationFailureEvent will be published. If you set this property to true, AuthorizedEvents will also be published.
  Parameters:
    publishAuthorizationSuccess - default value is false
- setRejectPublicInvocations
  public void setRejectPublicInvocations(boolean rejectPublicInvocations)
  Deprecated.
  By rejecting public invocations (and setting this property to true), essentially you are ensuring that every secure object invocation advised by AbstractSecurityInterceptor has a configuration attribute defined. This is useful to ensure a "fail safe" mode where undeclared secure objects will be rejected and configuration omissions detected early. An IllegalArgumentException will be thrown by the AbstractSecurityInterceptor if you set this property to true and an attempt is made to invoke a secure object that has no configuration attributes.
  Parameters:
    rejectPublicInvocations - set to true to reject invocations of secure objects that have no configuration attributes (by default it is false which treats undeclared secure objects as "public" or unauthorized).
- setRunAsManager
  Deprecated.
- setValidateConfigAttributes
  public void setValidateConfigAttributes(boolean validateConfigAttributes)
  Deprecated.

Use AuthorizationFilter instead for filter security, AuthorizationChannelInterceptor for messaging security, or AuthorizationManagerBeforeMethodInterceptor and AuthorizationManagerAfterMethodInterceptor for method security.