Package org.springframework.security.web.access.intercept

Class AuthorizationFilter

java.lang.Object
org.springframework.web.filter.GenericFilterBean
org.springframework.security.web.access.intercept.AuthorizationFilter
All Implemented Interfaces:
jakarta.servlet.Filter, org.springframework.beans.factory.Aware, org.springframework.beans.factory.BeanNameAware, org.springframework.beans.factory.DisposableBean, org.springframework.beans.factory.InitializingBean, org.springframework.context.EnvironmentAware, org.springframework.core.env.EnvironmentCapable, org.springframework.web.context.ServletContextAware
public class AuthorizationFilter extends org.springframework.web.filter.GenericFilterBean
An authorization filter that restricts access to the URL using AuthorizationManager.
Since:
5.5

  • Constructor Details

    • AuthorizationFilter

      public AuthorizationFilter(AuthorizationManager<jakarta.servlet.http.HttpServletRequest> authorizationManager)
      Creates an instance.
      Parameters:
      authorizationManager - the AuthorizationManager to use

  • Method Details

    • doFilter

      public void doFilter(jakarta.servlet.ServletRequest servletRequest, jakarta.servlet.ServletResponse servletResponse, jakarta.servlet.FilterChain chain) throws jakarta.servlet.ServletException, IOException
      Throws:
      jakarta.servlet.ServletException
      IOException

    • setSecurityContextHolderStrategy

      public void setSecurityContextHolderStrategy(SecurityContextHolderStrategy securityContextHolderStrategy)
      Sets the SecurityContextHolderStrategy to use. The default action is to use the SecurityContextHolderStrategy stored in SecurityContextHolder.
      Since:
      5.8

    • setAuthorizationEventPublisher

      public void setAuthorizationEventPublisher(AuthorizationEventPublisher eventPublisher)
      Use this AuthorizationEventPublisher to publish AuthorizationDeniedEvents and AuthorizationGrantedEvents.
      Parameters:
      eventPublisher - the ApplicationEventPublisher to use
      Since:
      5.7

    • getAuthorizationManager

      public AuthorizationManager<jakarta.servlet.http.HttpServletRequest> getAuthorizationManager()
      Gets the AuthorizationManager used by this filter
      Returns:
      the AuthorizationManager

    • setShouldFilterAllDispatcherTypes

      @Deprecated(since="6.1", forRemoval=true) public void setShouldFilterAllDispatcherTypes(boolean shouldFilterAllDispatcherTypes)
      Deprecated, for removal: This API element is subject to removal in a future version.
      Permit access to the DispatcherType instead. 
       @Configuration
 @EnableWebSecurity
 public class SecurityConfig {

        @Bean
        public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
                http
                        .authorizeHttpRequests((authorize) -> authorize
                                .dispatcherTypeMatchers(DispatcherType.ERROR).permitAll()
                                // ...
                        );
                return http.build();
        }
 }
      Sets whether to filter all dispatcher types.
      Parameters:
      shouldFilterAllDispatcherTypes - should filter all dispatcher types. Default is true
      Since:
      5.7

    • isObserveOncePerRequest

      public boolean isObserveOncePerRequest()

    • setObserveOncePerRequest

      public void setObserveOncePerRequest(boolean observeOncePerRequest)
      Sets whether this filter apply only once per request. By default, this is false, meaning the filter will execute on every request. Sometimes users may wish it to execute more than once per request, such as when JSP forwards are being used and filter security is desired on each included fragment of the HTTP request.
      Parameters:
      observeOncePerRequest - whether the filter should only be applied once per request

    • setFilterErrorDispatch

      public void setFilterErrorDispatch(boolean filterErrorDispatch)
      If set to true, the filter will be applied to error dispatcher. Defaults to true.
      Parameters:
      filterErrorDispatch - whether the filter should be applied to error dispatcher

    • setFilterAsyncDispatch

      public void setFilterAsyncDispatch(boolean filterAsyncDispatch)
      If set to true, the filter will be applied to the async dispatcher. Defaults to true.
      Parameters:
      filterAsyncDispatch - whether the filter should be applied to async dispatch