|
spring-security-acl | ||||||||
| PREV CLASS NEXT CLASS | FRAMES NO FRAMES | ||||||||
| SUMMARY: NESTED | FIELD | CONSTR | METHOD | DETAIL: FIELD | CONSTR | METHOD | ||||||||
java.lang.Objectorg.springframework.security.access.vote.AbstractAclVoter
org.springframework.security.acls.AclEntryVoter
public class AclEntryVoter
Given a domain object instance passed as a method argument, ensures the principal has appropriate permission
as indicated by the AclService.
The AclService is used to retrieve the access control list (ACL) permissions associated with a domain object instance for the current Authentication object.
The voter will vote if any ConfigAttribute.getAttribute() matches the processConfigAttribute.
The provider will then locate the first method argument of type AbstractAclVoter.processDomainObjectClass. Assuming that
method argument is non-null, the provider will then lookup the ACLs from the AclManager and ensure the
principal is Acl.isGranted(List,
List, boolean) when presenting the requirePermission array to that
method.
If the method argument is null, the voter will abstain from voting. If the method argument
could not be found, an AuthorizationServiceException will be thrown.
In practical terms users will typically setup a number of AclEntryVoters. Each will have a
different processDomainObjectClass, processConfigAttribute and
requirePermission combination. For example, a small application might employ the following instances of
AclEntryVoter:
BankAccount, configuration attribute
VOTE_ACL_BANK_ACCONT_READ, require permission BasePermission.READBankAccount, configuration attribute
VOTE_ACL_BANK_ACCOUNT_WRITE, require permission list BasePermission.WRITE and
BasePermission.CREATE (allowing the principal to have either of these two permissions)Customer, configuration attribute
VOTE_ACL_CUSTOMER_READ, require permission BasePermission.READCustomer, configuration attribute
VOTE_ACL_CUSTOMER_WRITE, require permission list BasePermission.WRITE and
BasePermission.CREATEAbstractAclVoter.processDomainObjectClass
if both BankAccount and Customer had common parents.
If the principal does not have sufficient permissions, the voter will vote to deny access.
All comparisons and prefixes are case sensitive.
| Field Summary |
|---|
| Fields inherited from interface org.springframework.security.access.AccessDecisionVoter |
|---|
ACCESS_ABSTAIN, ACCESS_DENIED, ACCESS_GRANTED |
| Constructor Summary | |
|---|---|
AclEntryVoter(AclService aclService,
String processConfigAttribute,
Permission[] requirePermission)
|
|
| Method Summary | |
|---|---|
protected String |
getInternalMethod()
Optionally specifies a method of the domain object that will be used to obtain a contained domain object. |
protected String |
getProcessConfigAttribute()
|
void |
setInternalMethod(String internalMethod)
|
void |
setObjectIdentityRetrievalStrategy(ObjectIdentityRetrievalStrategy objectIdentityRetrievalStrategy)
|
void |
setSidRetrievalStrategy(SidRetrievalStrategy sidRetrievalStrategy)
|
boolean |
supports(org.springframework.security.access.ConfigAttribute attribute)
|
int |
vote(org.springframework.security.core.Authentication authentication,
Object object,
Collection<org.springframework.security.access.ConfigAttribute> attributes)
|
| Methods inherited from class org.springframework.security.access.vote.AbstractAclVoter |
|---|
getDomainObjectInstance, getProcessDomainObjectClass, setProcessDomainObjectClass, supports |
| Methods inherited from class java.lang.Object |
|---|
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait |
| Constructor Detail |
|---|
public AclEntryVoter(AclService aclService,
String processConfigAttribute,
Permission[] requirePermission)
| Method Detail |
|---|
protected String getInternalMethod()
null to use the domain object, or the name of a method (that requires no arguments) that
should be invoked to obtain an Object which will be the domain object used for ACL
evaluationpublic void setInternalMethod(String internalMethod)
protected String getProcessConfigAttribute()
public void setObjectIdentityRetrievalStrategy(ObjectIdentityRetrievalStrategy objectIdentityRetrievalStrategy)
public void setSidRetrievalStrategy(SidRetrievalStrategy sidRetrievalStrategy)
public boolean supports(org.springframework.security.access.ConfigAttribute attribute)
public int vote(org.springframework.security.core.Authentication authentication,
Object object,
Collection<org.springframework.security.access.ConfigAttribute> attributes)
|
spring-security-acl | ||||||||
| PREV CLASS NEXT CLASS | FRAMES NO FRAMES | ||||||||
| SUMMARY: NESTED | FIELD | CONSTR | METHOD | DETAIL: FIELD | CONSTR | METHOD | ||||||||