@Configuration public class GlobalMethodSecurityConfiguration extends Object implements ImportAware
Configuration for enabling global method security. Classes may extend this
class to customize the defaults, but must be sure to specify the
EnableGlobalMethodSecurity annotation on the subclass.EnableGlobalMethodSecurity| Constructor and Description |
|---|
GlobalMethodSecurityConfiguration() |
| Modifier and Type | Method and Description |
|---|---|
protected org.springframework.security.access.AccessDecisionManager |
accessDecisionManager()
Allows subclasses to provide a custom
AccessDecisionManager. |
protected org.springframework.security.access.intercept.AfterInvocationManager |
afterInvocationManager()
Provide a custom
AfterInvocationManager for the default implementation of
methodSecurityInterceptor(). |
protected org.springframework.security.authentication.AuthenticationManager |
authenticationManager()
Allows providing a custom
AuthenticationManager. |
protected void |
configure(AuthenticationManagerBuilder auth)
Sub classes can override this method to register different types of authentication.
|
protected org.springframework.security.access.expression.method.MethodSecurityExpressionHandler |
createExpressionHandler()
Provide a
MethodSecurityExpressionHandler that is registered with the
ExpressionBasedPreInvocationAdvice. |
protected org.springframework.security.access.method.MethodSecurityMetadataSource |
customMethodSecurityMetadataSource()
Provides a custom
MethodSecurityMetadataSource that is registered with the
methodSecurityMetadataSource(). |
protected org.springframework.security.access.expression.method.MethodSecurityExpressionHandler |
getExpressionHandler()
Gets the
MethodSecurityExpressionHandler or creates it using
expressionHandler. |
org.aopalliance.intercept.MethodInterceptor |
methodSecurityInterceptor()
Creates the default MethodInterceptor which is a MethodSecurityInterceptor using
the following methods to construct it.
|
org.springframework.security.access.method.MethodSecurityMetadataSource |
methodSecurityMetadataSource()
Provides the default
MethodSecurityMetadataSource that will be used. |
org.springframework.security.access.prepost.PreInvocationAuthorizationAdvice |
preInvocationAuthorizationAdvice()
Creates the
PreInvocationAuthorizationAdvice to be used. |
protected org.springframework.security.access.intercept.RunAsManager |
runAsManager()
Provide a custom
RunAsManager for the default implementation of
methodSecurityInterceptor(). |
void |
setApplicationContext(ApplicationContext context) |
void |
setAuthenticationTrustResolver(org.springframework.security.authentication.AuthenticationTrustResolver trustResolver) |
void |
setImportMetadata(AnnotationMetadata importMetadata)
Obtains the attributes from
EnableGlobalMethodSecurity if this class was
imported using the EnableGlobalMethodSecurity annotation. |
void |
setJsr250MethodSecurityMetadataSource(org.springframework.security.access.annotation.Jsr250MethodSecurityMetadataSource jsr250MethodSecurityMetadataSource) |
void |
setMethodSecurityExpressionHandler(List<org.springframework.security.access.expression.method.MethodSecurityExpressionHandler> handlers) |
void |
setObjectPostProcessor(ObjectPostProcessor<Object> objectPostProcessor) |
void |
setPermissionEvaluator(List<org.springframework.security.access.PermissionEvaluator> permissionEvaluators) |
@Bean public org.aopalliance.intercept.MethodInterceptor methodSecurityInterceptor() throws Exception
accessDecisionManager()afterInvocationManager()authenticationManager()methodSecurityMetadataSource()runAsManager()
Subclasses can override this method to provide a different
MethodInterceptor.
Exceptionprotected org.springframework.security.access.intercept.AfterInvocationManager afterInvocationManager()
AfterInvocationManager for the default implementation of
methodSecurityInterceptor(). The default is null if pre post is not
enabled. Otherwise, it returns a AfterInvocationProviderManager.
Subclasses should override this method to provide a custom
AfterInvocationManager
protected org.springframework.security.access.intercept.RunAsManager runAsManager()
RunAsManager for the default implementation of
methodSecurityInterceptor(). The default is null.protected org.springframework.security.access.AccessDecisionManager accessDecisionManager()
AccessDecisionManager. The default is
a AffirmativeBased with the following voters:
PreInvocationAuthorizationAdviceVoterRoleVoterAuthenticatedVoterprotected org.springframework.security.access.expression.method.MethodSecurityExpressionHandler createExpressionHandler()
MethodSecurityExpressionHandler that is registered with the
ExpressionBasedPreInvocationAdvice. The default is
DefaultMethodSecurityExpressionHandler which optionally will Autowire an
AuthenticationTrustResolver.
Subclasses may override this method to provide a custom
MethodSecurityExpressionHandler
protected final org.springframework.security.access.expression.method.MethodSecurityExpressionHandler getExpressionHandler()
MethodSecurityExpressionHandler or creates it using
expressionHandler.null MethodSecurityExpressionHandlerprotected org.springframework.security.access.method.MethodSecurityMetadataSource customMethodSecurityMetadataSource()
MethodSecurityMetadataSource that is registered with the
methodSecurityMetadataSource(). Default is null.MethodSecurityMetadataSource that is registered with the
methodSecurityMetadataSource()protected org.springframework.security.authentication.AuthenticationManager authenticationManager()
throws Exception
AuthenticationManager. The default is to use any
authentication mechanisms registered by
configure(AuthenticationManagerBuilder). If
configure(AuthenticationManagerBuilder) was not overridden, then an
AuthenticationManager is attempted to be autowired by type.Exceptionprotected void configure(AuthenticationManagerBuilder auth) throws Exception
configure(AuthenticationManagerBuilder) will attempt to
autowire by type.auth - the AuthenticationManagerBuilder used to register different
authentication mechanisms for the global method security.Exception@Bean public org.springframework.security.access.method.MethodSecurityMetadataSource methodSecurityMetadataSource()
MethodSecurityMetadataSource that will be used. It
creates a DelegatingMethodSecurityMetadataSource based upon
customMethodSecurityMetadataSource() and the attributes on
EnableGlobalMethodSecurity.@Bean public org.springframework.security.access.prepost.PreInvocationAuthorizationAdvice preInvocationAuthorizationAdvice()
PreInvocationAuthorizationAdvice to be used. The default is
ExpressionBasedPreInvocationAdvice.public final void setImportMetadata(AnnotationMetadata importMetadata)
EnableGlobalMethodSecurity if this class was
imported using the EnableGlobalMethodSecurity annotation.setImportMetadata in interface ImportAware@Autowired(required=false) public void setAuthenticationTrustResolver(org.springframework.security.authentication.AuthenticationTrustResolver trustResolver)
@Autowired(required=false) public void setObjectPostProcessor(ObjectPostProcessor<Object> objectPostProcessor)
@Autowired(required=false) public void setJsr250MethodSecurityMetadataSource(org.springframework.security.access.annotation.Jsr250MethodSecurityMetadataSource jsr250MethodSecurityMetadataSource)
@Autowired(required=false) public void setPermissionEvaluator(List<org.springframework.security.access.PermissionEvaluator> permissionEvaluators)
@Autowired(required=false) public void setMethodSecurityExpressionHandler(List<org.springframework.security.access.expression.method.MethodSecurityExpressionHandler> handlers)
@Autowired public void setApplicationContext(ApplicationContext context)