public interface AccessDecisionVoter
The coordination of voting (ie polling AccessDecisionVoter
s,
tallying their responses, and making the final authorization decision) is
performed by an AccessDecisionManager
.
Modifier and Type | Field and Description |
---|---|
static int |
ACCESS_ABSTAIN |
static int |
ACCESS_DENIED |
static int |
ACCESS_GRANTED |
Modifier and Type | Method and Description |
---|---|
boolean |
supports(Class clazz)
Indicates whether the
AccessDecisionVoter implementation is able to provide access control
votes for the indicated secured object type. |
boolean |
supports(ConfigAttribute attribute)
Indicates whether this
AccessDecisionVoter is able to vote on the passed
ConfigAttribute . |
int |
vote(Authentication authentication,
Object object,
ConfigAttributeDefinition config)
Indicates whether or not access is granted.
|
static final int ACCESS_GRANTED
static final int ACCESS_ABSTAIN
static final int ACCESS_DENIED
boolean supports(ConfigAttribute attribute)
AccessDecisionVoter
is able to vote on the passed
ConfigAttribute
.This allows the AbstractSecurityInterceptor
to check every
configuration attribute can be consumed by the configured AccessDecisionManager
and/or
RunAsManager
and/or AfterInvocationManager
.
attribute
- a configuration attribute that has been configured against the
AbstractSecurityInterceptor
AccessDecisionVoter
can support the passed configuration attributeboolean supports(Class clazz)
AccessDecisionVoter
implementation is able to provide access control
votes for the indicated secured object type.clazz
- the class that is being queriedint vote(Authentication authentication, Object object, ConfigAttributeDefinition config)
The decision must be affirmative (ACCESS_GRANTED
), negative (ACCESS_DENIED
)
or the AccessDecisionVoter
can abstain (ACCESS_ABSTAIN
) from voting.
Under no circumstances should implementing classes return any other value. If a weighting of results is desired,
this should be handled in a custom AccessDecisionManager
instead.
Unless an AccessDecisionVoter
is specifically intended to vote on an access control
decision due to a passed method invocation or configuration attribute parameter, it must return
ACCESS_ABSTAIN
. This prevents the coordinating AccessDecisionManager
from counting
votes from those AccessDecisionVoter
s without a legitimate interest in the access control
decision.
Whilst the method invocation is passed as a parameter to maximise flexibility in making access
control decisions, implementing classes must never modify the behaviour of the method invocation (such as
calling MethodInvocation.proceed()
).
authentication
- the caller invoking the methodobject
- the secured objectconfig
- the configuration attributes associated with the method being invokedACCESS_GRANTED
, ACCESS_ABSTAIN
or ACCESS_DENIED
Copyright © 2018. All rights reserved.