@Configuration public class GlobalMethodSecurityConfiguration extends Object implements ImportAware
Configuration for enabling global method security. Classes may
extend this class to customize the defaults, but must be sure to specify the
EnableGlobalMethodSecurity annotation on the subclass.EnableGlobalMethodSecurity| Constructor and Description |
|---|
GlobalMethodSecurityConfiguration() |
| Modifier and Type | Method and Description |
|---|---|
protected org.springframework.security.access.AccessDecisionManager |
accessDecisionManager()
Allows subclasses to provide a custom
AccessDecisionManager. |
protected org.springframework.security.access.intercept.AfterInvocationManager |
afterInvocationManager()
Provide a custom
AfterInvocationManager for the default
implementation of methodSecurityInterceptor(). |
protected org.springframework.security.authentication.AuthenticationManager |
authenticationManager()
Allows providing a custom
AuthenticationManager. |
protected void |
configure(AuthenticationManagerBuilder auth)
Sub classes can override this method to register different types of authentication.
|
protected org.springframework.security.access.expression.method.MethodSecurityExpressionHandler |
createExpressionHandler()
Provide a
MethodSecurityExpressionHandler that is registered with
the ExpressionBasedPreInvocationAdvice. |
protected org.springframework.security.access.method.MethodSecurityMetadataSource |
customMethodSecurityMetadataSource()
Provides a custom
MethodSecurityMetadataSource that is registered
with the methodSecurityMetadataSource(). |
protected org.springframework.security.access.expression.method.MethodSecurityExpressionHandler |
getExpressionHandler()
Gets the
MethodSecurityExpressionHandler or creates it using expressionHandler. |
org.springframework.security.access.intercept.aopalliance.MethodSecurityMetadataSourceAdvisor |
metaDataSourceAdvisor()
Obtains the
MethodSecurityMetadataSourceAdvisor to be used. |
org.aopalliance.intercept.MethodInterceptor |
methodSecurityInterceptor()
Creates the default MethodInterceptor which is a MethodSecurityInterceptor using the following methods to
construct it.
|
org.springframework.security.access.method.MethodSecurityMetadataSource |
methodSecurityMetadataSource()
Provides the default
MethodSecurityMetadataSource that will be
used. |
org.springframework.security.access.prepost.PreInvocationAuthorizationAdvice |
preInvocationAuthorizationAdvice()
Creates the
PreInvocationAuthorizationAdvice to be used. |
protected org.springframework.security.access.intercept.RunAsManager |
runAsManager()
Provide a custom
RunAsManager for the default implementation of
methodSecurityInterceptor(). |
void |
setAuthenticationConfiguration(AuthenticationConfiguration authenticationConfiguration) |
void |
setAuthenticationTrustResolver(org.springframework.security.authentication.AuthenticationTrustResolver trustResolver) |
void |
setImportMetadata(AnnotationMetadata importMetadata)
Obtains the attributes from
EnableGlobalMethodSecurity if this class was imported using the EnableGlobalMethodSecurity annotation. |
void |
setObjectPostProcessor(ObjectPostProcessor<Object> objectPostProcessor) |
void |
setPermissionEvaluator(List<org.springframework.security.access.PermissionEvaluator> permissionEvaluators) |
@Bean public org.aopalliance.intercept.MethodInterceptor methodSecurityInterceptor() throws Exception
accessDecisionManager()afterInvocationManager()authenticationManager()methodSecurityMetadataSource()runAsManager()
Subclasses can override this method to provide a different MethodInterceptor.
Exceptionprotected org.springframework.security.access.intercept.AfterInvocationManager afterInvocationManager()
AfterInvocationManager for the default
implementation of methodSecurityInterceptor(). The default is
null if pre post is not enabled. Otherwise, it returns a AfterInvocationProviderManager.
Subclasses should override this method to provide a custom AfterInvocationManager
protected org.springframework.security.access.intercept.RunAsManager runAsManager()
RunAsManager for the default implementation of
methodSecurityInterceptor(). The default is null.protected org.springframework.security.access.AccessDecisionManager accessDecisionManager()
AccessDecisionManager. The default is a AffirmativeBased
with the following voters:
PreInvocationAuthorizationAdviceVoterRoleVoter AuthenticatedVoter protected org.springframework.security.access.expression.method.MethodSecurityExpressionHandler createExpressionHandler()
MethodSecurityExpressionHandler that is registered with
the ExpressionBasedPreInvocationAdvice. The default is
DefaultMethodSecurityExpressionHandler which optionally will
Autowire an AuthenticationTrustResolver.
Subclasses may override this method to provide a custom
MethodSecurityExpressionHandler
protected final org.springframework.security.access.expression.method.MethodSecurityExpressionHandler getExpressionHandler()
MethodSecurityExpressionHandler or creates it using expressionHandler.null MethodSecurityExpressionHandlerprotected org.springframework.security.access.method.MethodSecurityMetadataSource customMethodSecurityMetadataSource()
MethodSecurityMetadataSource that is registered
with the methodSecurityMetadataSource(). Default is null.MethodSecurityMetadataSource that is registered
with the methodSecurityMetadataSource()protected org.springframework.security.authentication.AuthenticationManager authenticationManager()
throws Exception
AuthenticationManager. The default is
to use any authentication mechanisms registered by configure(AuthenticationManagerBuilder). If
configure(AuthenticationManagerBuilder) was not overridden, then an AuthenticationManager
is attempted to be autowired by type.Exceptionprotected void configure(AuthenticationManagerBuilder auth) throws Exception
configure(AuthenticationManagerBuilder) will attempt to autowire by type.auth - the AuthenticationManagerBuilder used to register different authentication mechanisms for the
global method security.Exception@Bean public org.springframework.security.access.method.MethodSecurityMetadataSource methodSecurityMetadataSource()
MethodSecurityMetadataSource that will be
used. It creates a DelegatingMethodSecurityMetadataSource based
upon customMethodSecurityMetadataSource() and the attributes on
EnableGlobalMethodSecurity.@Bean public org.springframework.security.access.prepost.PreInvocationAuthorizationAdvice preInvocationAuthorizationAdvice()
PreInvocationAuthorizationAdvice to be used. The
default is ExpressionBasedPreInvocationAdvice.@Role(value=2) @Bean public org.springframework.security.access.intercept.aopalliance.MethodSecurityMetadataSourceAdvisor metaDataSourceAdvisor()
MethodSecurityMetadataSourceAdvisor to be used.public final void setImportMetadata(AnnotationMetadata importMetadata)
EnableGlobalMethodSecurity if this class was imported using the EnableGlobalMethodSecurity annotation.setImportMetadata in interface ImportAware@Autowired(required=false) public void setAuthenticationTrustResolver(org.springframework.security.authentication.AuthenticationTrustResolver trustResolver)
@Autowired(required=false) public void setObjectPostProcessor(ObjectPostProcessor<Object> objectPostProcessor)
@Autowired(required=false) public void setPermissionEvaluator(List<org.springframework.security.access.PermissionEvaluator> permissionEvaluators)
@Autowired(required=false) public void setAuthenticationConfiguration(AuthenticationConfiguration authenticationConfiguration)