Package org.springframework.security.access.expression

Class SecurityExpressionRoot<T extends @Nullable Object>

java.lang.Object

org.springframework.security.access.expression.SecurityExpressionRoot<T>

All Implemented Interfaces:

SecurityExpressionOperations

Direct Known Subclasses:

MessageSecurityExpressionRoot, WebSecurityExpressionRoot

public abstract class SecurityExpressionRoot<T extends @Nullable Object>
extends Object
implements SecurityExpressionOperations

Base root object for use in Spring Security expression evaluations.

Since:

3.0

Field Summary

Fields

Modifier and Type	Field	Description
final String	admin
final String	create
final String	delete
final boolean	denyAll	Allows "denyAll" expression
final boolean	permitAll	Allows "permitAll" expression
final String	read
final String	write

Constructor Summary

Constructors

Constructor	Description
SecurityExpressionRoot(@Nullable Authentication authentication)	Deprecated. Use SecurityExpressionRoot(Supplier, Object) instead
SecurityExpressionRoot(Supplier<? extends @Nullable Authentication> authentication, T object)	Creates a new instance that uses lazy initialization of the Authentication object.
SecurityExpressionRoot(Supplier<@Nullable Authentication> authentication)	Deprecated. Use SecurityExpressionRoot(Supplier, Object) instead

Method Summary

Modifier and Type	Method	Description
final boolean	denyAll()	Always denies access
final Authentication	getAuthentication()	Gets the Authentication used for evaluating the expressions
@Nullable Object	getPrincipal()	Convenience method to access Authentication.getPrincipal() from getAuthentication()
final boolean	hasAnyAuthority(String... authorities)	Determines if the SecurityExpressionOperations.getAuthentication() has any of the specified authorities within Authentication.getAuthorities().
final boolean	hasAnyRole(String... roles)	Determines if the SecurityExpressionOperations.getAuthentication() has any of the specified authorities within Authentication.getAuthorities().
final boolean	hasAuthority(String authority)	Determines if the SecurityExpressionOperations.getAuthentication() has a particular authority within Authentication.getAuthorities().
boolean	hasPermission(Object target, Object permission)	Determines if the SecurityExpressionOperations.getAuthentication() has permission to access the target given the permission
boolean	hasPermission(Object targetId, String targetType, Object permission)	Determines if the SecurityExpressionOperations.getAuthentication() has permission to access the domain object with a given id, type, and permission.
final boolean	hasRole(String role)	Determines if the SecurityExpressionOperations.getAuthentication() has a particular authority within Authentication.getAuthorities().
final boolean	isAnonymous()	Determines if the SecurityExpressionOperations.getAuthentication() is anonymous
final boolean	isAuthenticated()	Determines ifthe SecurityExpressionOperations.getAuthentication() is authenticated
final boolean	isFullyAuthenticated()	Determines if the SecurityExpressionOperations.getAuthentication() authenticated without the use of remember me
final boolean	isRememberMe()	Determines if the SecurityExpressionOperations.getAuthentication() was authenticated using remember me
final boolean	permitAll()	Always grants access.
void	setAuthorizationManagerFactory(AuthorizationManagerFactory<T> authorizationManagerFactory)	Sets the AuthorizationManagerFactory to use for creating instances of AuthorizationManager.
void	setDefaultRolePrefix(@Nullable String defaultRolePrefix)	Deprecated. Use setAuthorizationManagerFactory(AuthorizationManagerFactory) instead
void	setPermissionEvaluator(PermissionEvaluator permissionEvaluator)
void	setRoleHierarchy(@Nullable RoleHierarchy roleHierarchy)	Deprecated. Use setAuthorizationManagerFactory(AuthorizationManagerFactory) instead
void	setTrustResolver(AuthenticationTrustResolver trustResolver)	Deprecated. Use setAuthorizationManagerFactory(AuthorizationManagerFactory) instead

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Details

permitAll

public final boolean permitAll

Allows "permitAll" expression

See Also:

• Constant Field Values

denyAll

public final boolean denyAll

Allows "denyAll" expression

See Also:

• Constant Field Values

read

public final String read

See Also:

• Constant Field Values

write

public final String write

See Also:

• Constant Field Values

create

public final String create

See Also:

• Constant Field Values

delete

public final String delete

See Also:

• Constant Field Values

admin

public final String admin

See Also:

• Constant Field Values

Constructor Details

SecurityExpressionRoot

@Deprecated(since="7.0")
public SecurityExpressionRoot(@Nullable Authentication authentication)

Deprecated.

Use SecurityExpressionRoot(Supplier, Object) instead

Creates a new instance

Parameters:

authentication - the Authentication to use. Cannot be null.

SecurityExpressionRoot

@Deprecated(since="7.0")
public SecurityExpressionRoot(Supplier<@Nullable Authentication> authentication)

Deprecated.

Use SecurityExpressionRoot(Supplier, Object) instead

Creates a new instance that uses lazy initialization of the Authentication object.

Parameters:

authentication - the Supplier of the Authentication to use. Cannot be null.

Since:

5.8

SecurityExpressionRoot

public SecurityExpressionRoot(Supplier<? extends @Nullable Authentication> authentication,
 T object)

Creates a new instance that uses lazy initialization of the Authentication object.

Parameters:

authentication - the Supplier of the Authentication to use. Cannot be null.

object - the object being authorized

Since:

7.0

Method Details

hasAuthority

public final boolean hasAuthority(String authority)

Description copied from interface: SecurityExpressionOperations

Determines if the SecurityExpressionOperations.getAuthentication() has a particular authority within Authentication.getAuthorities().

Specified by:

hasAuthority in interface SecurityExpressionOperations

Parameters:

authority - the authority to test (i.e. "ROLE_USER")

Returns:

true if the authority is found, else false

hasAnyAuthority

public final boolean hasAnyAuthority(String... authorities)

Description copied from interface: SecurityExpressionOperations

Determines if the SecurityExpressionOperations.getAuthentication() has any of the specified authorities within Authentication.getAuthorities().

Specified by:

hasAnyAuthority in interface SecurityExpressionOperations

Parameters:

authorities - the authorities to test (i.e. "ROLE_USER", "ROLE_ADMIN")

Returns:

true if any of the authorities is found, else false

hasRole

public final boolean hasRole(String role)

Description copied from interface: SecurityExpressionOperations

Determines if the SecurityExpressionOperations.getAuthentication() has a particular authority within Authentication.getAuthorities().

This is similar to SecurityExpressionOperations.hasAuthority(String) except that this method implies that the String passed in is a role. For example, if "USER" is passed in the implementation may convert it to use "ROLE_USER" instead. The way in which the role is converted may depend on the implementation settings.

Specified by:

hasRole in interface SecurityExpressionOperations

Parameters:

role - the authority to test (i.e. "USER")

Returns:

true if the authority is found, else false

hasAnyRole

public final boolean hasAnyRole(String... roles)

Description copied from interface: SecurityExpressionOperations

Determines if the SecurityExpressionOperations.getAuthentication() has any of the specified authorities within Authentication.getAuthorities().

This is a similar to hasAnyAuthority except that this method implies that the String passed in is a role. For example, if "USER" is passed in the implementation may convert it to use "ROLE_USER" instead. The way in which the role is converted may depend on the implementation settings.

Specified by:

hasAnyRole in interface SecurityExpressionOperations

Parameters:

roles - the authorities to test (i.e. "USER", "ADMIN")

Returns:

true if any of the authorities is found, else false

getAuthentication

public final Authentication getAuthentication()

Description copied from interface: SecurityExpressionOperations

Gets the Authentication used for evaluating the expressions

Specified by:

getAuthentication in interface SecurityExpressionOperations

Returns:

the Authentication for evaluating the expressions

permitAll

public final boolean permitAll()

Description copied from interface: SecurityExpressionOperations

Always grants access.

Specified by:

permitAll in interface SecurityExpressionOperations

Returns:

true

denyAll

public final boolean denyAll()

Description copied from interface: SecurityExpressionOperations

Always denies access

Specified by:

denyAll in interface SecurityExpressionOperations

Returns:

false

isAnonymous

public final boolean isAnonymous()

Description copied from interface: SecurityExpressionOperations

Determines if the SecurityExpressionOperations.getAuthentication() is anonymous

Specified by:

isAnonymous in interface SecurityExpressionOperations

Returns:

true if the user is anonymous, else false

isAuthenticated

public final boolean isAuthenticated()

Description copied from interface: SecurityExpressionOperations

Determines ifthe SecurityExpressionOperations.getAuthentication() is authenticated

Specified by:

isAuthenticated in interface SecurityExpressionOperations

Returns:

true if the SecurityExpressionOperations.getAuthentication() is authenticated, else false

isRememberMe

public final boolean isRememberMe()

Description copied from interface: SecurityExpressionOperations

Determines if the SecurityExpressionOperations.getAuthentication() was authenticated using remember me

Specified by:

isRememberMe in interface SecurityExpressionOperations

Returns:

true if the SecurityExpressionOperations.getAuthentication() authenticated using remember me, else false

isFullyAuthenticated

public final boolean isFullyAuthenticated()

Description copied from interface: SecurityExpressionOperations

Determines if the SecurityExpressionOperations.getAuthentication() authenticated without the use of remember me

Specified by:

isFullyAuthenticated in interface SecurityExpressionOperations

Returns:

true if the SecurityExpressionOperations.getAuthentication() authenticated without the use of remember me, else false

getPrincipal

public @Nullable Object getPrincipal()

Convenience method to access Authentication.getPrincipal() from getAuthentication()

Returns:

setTrustResolver

@Deprecated(since="7.0")
public void setTrustResolver(AuthenticationTrustResolver trustResolver)

Deprecated.

Use setAuthorizationManagerFactory(AuthorizationManagerFactory) instead

setRoleHierarchy

@Deprecated(since="7.0")
public void setRoleHierarchy(@Nullable RoleHierarchy roleHierarchy)

Deprecated.

Use setAuthorizationManagerFactory(AuthorizationManagerFactory) instead

setDefaultRolePrefix

@Deprecated(since="7.0")
public void setDefaultRolePrefix(@Nullable String defaultRolePrefix)

Deprecated.

Use setAuthorizationManagerFactory(AuthorizationManagerFactory) instead

Sets the default prefix to be added to hasAnyRole(String...) or hasRole(String). For example, if hasRole("ADMIN") or hasRole("ROLE_ADMIN") is passed in, then the role ROLE_ADMIN will be used when the defaultRolePrefix is "ROLE_" (default).

If null or empty, then no default role prefix is used.

Parameters:

defaultRolePrefix - the default prefix to add to roles. Default "ROLE_".

setAuthorizationManagerFactory

public void setAuthorizationManagerFactory(AuthorizationManagerFactory<T> authorizationManagerFactory)

Sets the AuthorizationManagerFactory to use for creating instances of AuthorizationManager.

Parameters:

authorizationManagerFactory - the AuthorizationManagerFactory to use

Since:

7.0

hasPermission

public boolean hasPermission(Object target,
 Object permission)

Description copied from interface: SecurityExpressionOperations

Determines if the SecurityExpressionOperations.getAuthentication() has permission to access the target given the permission

Specified by:

hasPermission in interface SecurityExpressionOperations

Parameters:

target - the target domain object to check permission on

permission - the permission to check on the domain object (i.e. "read", "write", etc.).

Returns:

true if permission is granted to the SecurityExpressionOperations.getAuthentication(), else false

hasPermission

public boolean hasPermission(Object targetId,
 String targetType,
 Object permission)

Description copied from interface: SecurityExpressionOperations

Determines if the SecurityExpressionOperations.getAuthentication() has permission to access the domain object with a given id, type, and permission.

Specified by:

hasPermission in interface SecurityExpressionOperations

Parameters:

targetId - the identifier of the domain object to determine access

targetType - the type (i.e. com.example.domain.Message)

permission - the permission to check on the domain object (i.e. "read", "write", etc.)

Returns:

true if permission is granted to the SecurityExpressionOperations.getAuthentication(), else false

setPermissionEvaluator

public void setPermissionEvaluator(PermissionEvaluator permissionEvaluator)