Class AclEntryVoter
- java.lang.Object
-
- org.springframework.security.access.vote.AbstractAclVoter
-
- org.springframework.security.acls.AclEntryVoter
-
- All Implemented Interfaces:
org.springframework.security.access.AccessDecisionVoter<org.aopalliance.intercept.MethodInvocation>
public class AclEntryVoter extends org.springframework.security.access.vote.AbstractAclVoter
Given a domain object instance passed as a method argument, ensures the principal has appropriate permission as indicated by the
AclService
.The AclService is used to retrieve the access control list (ACL) permissions associated with a domain object instance for the current Authentication object.
The voter will vote if any
ConfigAttribute.getAttribute()
matches theprocessConfigAttribute
. The provider will then locate the first method argument of typeAbstractAclVoter.processDomainObjectClass
. Assuming that method argument is non-null, the provider will then lookup the ACLs from theAclManager
and ensure the principal isAcl.isGranted(List, List, boolean)
when presenting therequirePermission
array to that method.If the method argument is null, the voter will abstain from voting. If the method argument could not be found, an
AuthorizationServiceException
will be thrown.In practical terms users will typically setup a number of AclEntryVoters. Each will have a different
processDomainObjectClass
,processConfigAttribute
andrequirePermission
combination. For example, a small application might employ the following instances of AclEntryVoter:- Process domain object class
BankAccount
, configuration attributeVOTE_ACL_BANK_ACCONT_READ
, require permissionBasePermission.READ
- Process domain object class
BankAccount
, configuration attributeVOTE_ACL_BANK_ACCOUNT_WRITE
, require permission listBasePermission.WRITE
andBasePermission.CREATE
(allowing the principal to have either of these two permissions) - Process domain object class
Customer
, configuration attributeVOTE_ACL_CUSTOMER_READ
, require permissionBasePermission.READ
- Process domain object class
Customer
, configuration attributeVOTE_ACL_CUSTOMER_WRITE
, require permission listBasePermission.WRITE
andBasePermission.CREATE
AbstractAclVoter.processDomainObjectClass
if bothBankAccount
andCustomer
had common parents.If the principal does not have sufficient permissions, the voter will vote to deny access.
All comparisons and prefixes are case sensitive.
-
-
Constructor Summary
Constructors Constructor Description AclEntryVoter(AclService aclService, java.lang.String processConfigAttribute, Permission[] requirePermission)
-
Method Summary
All Methods Instance Methods Concrete Methods Modifier and Type Method Description protected java.lang.String
getInternalMethod()
Optionally specifies a method of the domain object that will be used to obtain a contained domain object.protected java.lang.String
getProcessConfigAttribute()
void
setInternalMethod(java.lang.String internalMethod)
void
setObjectIdentityRetrievalStrategy(ObjectIdentityRetrievalStrategy objectIdentityRetrievalStrategy)
void
setSidRetrievalStrategy(SidRetrievalStrategy sidRetrievalStrategy)
boolean
supports(org.springframework.security.access.ConfigAttribute attribute)
int
vote(org.springframework.security.core.Authentication authentication, org.aopalliance.intercept.MethodInvocation object, java.util.Collection<org.springframework.security.access.ConfigAttribute> attributes)
-
-
-
Constructor Detail
-
AclEntryVoter
public AclEntryVoter(AclService aclService, java.lang.String processConfigAttribute, Permission[] requirePermission)
-
-
Method Detail
-
getInternalMethod
protected java.lang.String getInternalMethod()
Optionally specifies a method of the domain object that will be used to obtain a contained domain object. That contained domain object will be used for the ACL evaluation. This is useful if a domain object contains a parent that an ACL evaluation should be targeted for, instead of the child domain object (which perhaps is being created and as such does not yet have any ACL permissions)- Returns:
null
to use the domain object, or the name of a method (that requires no arguments) that should be invoked to obtain anObject
which will be the domain object used for ACL evaluation
-
setInternalMethod
public void setInternalMethod(java.lang.String internalMethod)
-
getProcessConfigAttribute
protected java.lang.String getProcessConfigAttribute()
-
setObjectIdentityRetrievalStrategy
public void setObjectIdentityRetrievalStrategy(ObjectIdentityRetrievalStrategy objectIdentityRetrievalStrategy)
-
setSidRetrievalStrategy
public void setSidRetrievalStrategy(SidRetrievalStrategy sidRetrievalStrategy)
-
supports
public boolean supports(org.springframework.security.access.ConfigAttribute attribute)
-
vote
public int vote(org.springframework.security.core.Authentication authentication, org.aopalliance.intercept.MethodInvocation object, java.util.Collection<org.springframework.security.access.ConfigAttribute> attributes)
-
-