Class AuthorizationAdvisorProxyFactory

java.lang.Object
org.springframework.security.authorization.method.AuthorizationAdvisorProxyFactory
All Implemented Interfaces:
Iterable<AuthorizationAdvisor>, org.springframework.aop.framework.AopInfrastructureBean, org.springframework.beans.factory.SmartInitializingSingleton, AuthorizationProxyFactory

public final class AuthorizationAdvisorProxyFactory extends Object implements AuthorizationProxyFactory, Iterable<AuthorizationAdvisor>, org.springframework.aop.framework.AopInfrastructureBean, org.springframework.beans.factory.SmartInitializingSingleton
A proxy factory for applying authorization advice to an arbitrary object.

For example, consider a non-Spring-managed object Foo:

     class Foo {
         @PreAuthorize("hasAuthority('bar:read')")
         String bar() { ... }
     }
 
Use AuthorizationAdvisorProxyFactory to wrap the instance in Spring Security's PreAuthorize method interceptor like so:

     AuthorizationProxyFactory proxyFactory = AuthorizationAdvisorProxyFactory.withDefaults();
     Foo foo = new Foo();
     foo.bar(); // passes
     Foo securedFoo = proxyFactory.proxy(foo);
     securedFoo.bar(); // access denied!
 
Since:
6.3
  • Constructor Details

  • Method Details

    • withDefaults

      public static AuthorizationAdvisorProxyFactory withDefaults()
      Construct an AuthorizationAdvisorProxyFactory with the defaults needed for wrapping objects in Spring Security's pre-post method security support.
      Returns:
      an AuthorizationAdvisorProxyFactory for adding pre-post method security support
    • withReactiveDefaults

      public static AuthorizationAdvisorProxyFactory withReactiveDefaults()
      Construct an AuthorizationAdvisorProxyFactory with the defaults needed for wrapping objects in Spring Security's pre-post reactive method security support.
      Returns:
      an AuthorizationAdvisorProxyFactory for adding pre-post reactive method security support
    • afterSingletonsInstantiated

      public void afterSingletonsInstantiated()
      Specified by:
      afterSingletonsInstantiated in interface org.springframework.beans.factory.SmartInitializingSingleton
    • proxy

      public <T> @Nullable T proxy(@Nullable T target)
      Proxy an object to enforce authorization advice.

      Proxies any instance of a non-final class or a class that implements more than one interface.

      If target is an Iterator, Collection, Array, Map, Stream, or Optional, then the element or value type is proxied.

      If target is a Class, then ProxyFactory.getProxyClass(java.lang.ClassLoader) is invoked instead.

      Specified by:
      proxy in interface AuthorizationProxyFactory
      Type Parameters:
      T - the type of the object being proxied
      Parameters:
      target - the instance to proxy
      Returns:
      the proxied instance
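
      The container behaviour described above, as an added example that is not part of the Spring Security documentation. The Account class, the account:read and account:list authorities, and the two callers are constructed for illustration; it also shows that only the returned proxies enforce the advice, while references to the original objects do not.

```java
import java.util.List;
import java.util.Optional;

import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.authorization.method.AuthorizationAdvisorProxyFactory;
import org.springframework.security.core.context.SecurityContextHolder;

public class ContainerProxyExample {

    // Hypothetical domain type: non-final, so a subclass proxy can be generated for it.
    public static class Account {
        @PreAuthorize("hasAuthority('account:read')")
        public String number() {
            return "constructed-0001";
        }
    }

    // Returns true when the authorization advice rejected the call.
    static boolean denied(Account account) {
        try {
            account.number();
            return false;
        }
        catch (AccessDeniedException ex) {
            return true;
        }
    }

    public static void main(String[] args) {
        AuthorizationAdvisorProxyFactory factory = AuthorizationAdvisorProxyFactory.withDefaults();
        List<Account> raw = List.of(new Account(), new Account());
        List<Account> secured = factory.proxy(raw);                          // each element is proxied
        Optional<Account> maybe = factory.proxy(Optional.of(new Account())); // the value is proxied

        // Constructed caller that lacks the authority required by @PreAuthorize.
        SecurityContextHolder.getContext().setAuthentication(
                new TestingAuthenticationToken("alice", "n/a", "account:list"));
        System.out.println("list element denied:   " + denied(secured.get(0)));
        System.out.println("optional value denied: " + denied(maybe.orElseThrow()));
        // The original references carry no advice, so hand out only the proxies.
        System.out.println("raw element denied:    " + denied(raw.get(0)));

        // Constructed caller that holds account:read.
        SecurityContextHolder.getContext().setAuthentication(
                new TestingAuthenticationToken("bob", "n/a", "account:read"));
        System.out.println("authorized denied:     " + denied(secured.get(0)));
        SecurityContextHolder.clearContext();
    }
}
```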
    • setAdvisors

      @Deprecated public void setAdvisors(AuthorizationAdvisor... advisors)
      Add advisors that should be included in each proxy created.

      All advisors are re-sorted by their advisor order.

      Parameters:
      advisors - the advisors to add
    • setAdvisors

      @Deprecated public void setAdvisors(Collection<AuthorizationAdvisor> advisors)
      Add advisors that should be included in each proxy created.

      All advisors are re-sorted by their advisor order.

      Parameters:
      advisors - the advisors to add
    • addAdvisor

      @Deprecated public void addAdvisor(AuthorizationAdvisor advisor)
      Deprecated.
      please provide all advisors in the constructor
      Add an advisor that should be included in each proxy created.

      This method sorts the advisors based on the order in Ordered.getOrder(). You can use the values in AuthorizationInterceptorsOrder to ensure advisors are located where you need them.

      Parameters:
      advisor -
      Since:
      6.4
    • setTargetVisitor

      public void setTargetVisitor(AuthorizationAdvisorProxyFactory.TargetVisitor visitor)
      Use this visitor to navigate the proxy target's hierarchy.

      This can be helpful when you want a specialized behavior for a type or set of types. For example, if you want to have this factory skip primitives and wrappers, then you can do:

              AuthorizationAdvisorProxyFactory proxyFactory = AuthorizationAdvisorProxyFactory.withDefaults();
              proxyFactory.setTargetVisitor(TargetVisitor.defaultsSkipValueTypes());
       

      The default AuthorizationAdvisorProxyFactory.TargetVisitor proxies Class instances as well as instances contained in reactive types (if reactor is present), collection types, and other container types like Optional and Supplier.

      If you want to add support for another container type, you can do so in the following way:

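              // Requires: import java.util.function.Function;
              TargetVisitor functions = (factory, target) -> {
                      if (target instanceof Function function) {
                              // The visitor returns Object, so the lambda needs an explicit target type
                              return (Function<Object, Object>) (input) -> factory.proxy(function.apply(input));
                      }
                      // null means this visitor does not handle the target
                      return null;
              };
              AuthorizationAdvisorProxyFactory proxyFactory = AuthorizationAdvisorProxyFactory.withDefaults();
              proxyFactory.setTargetVisitor(TargetVisitor.of(functions, TargetVisitor.defaultsSkipValueTypes()));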
       
      Parameters:
      visitor - the visitor to use to introduce specialized behavior for a type
    • iterator

      public Iterator<AuthorizationAdvisor> iterator()
      Specified by:
      iterator in interface Iterable<AuthorizationAdvisor>