Package org.springframework.security.config.annotation.method.configuration

Class GlobalMethodSecurityConfiguration

  • All Implemented Interfaces:
    org.springframework.beans.factory.Aware, org.springframework.beans.factory.BeanFactoryAware, org.springframework.beans.factory.SmartInitializingSingleton, org.springframework.context.annotation.ImportAware
    @Configuration(proxyBeanMethods=false)
@Role(2)
public class GlobalMethodSecurityConfiguration
extends java.lang.Object
implements org.springframework.context.annotation.ImportAware, org.springframework.beans.factory.SmartInitializingSingleton, org.springframework.beans.factory.BeanFactoryAware
    Base Configuration for enabling global method security. Classes may extend this class to customize the defaults, but must be sure to specify the EnableGlobalMethodSecurity annotation on the subclass.
    Since:
    3.2
    See Also:
    EnableGlobalMethodSecurity

    • Constructor Detail

      • GlobalMethodSecurityConfiguration

        public GlobalMethodSecurityConfiguration()

    • Method Detail

      • methodSecurityInterceptor

        @Bean
public org.aopalliance.intercept.MethodInterceptor methodSecurityInterceptor​(org.springframework.security.access.method.MethodSecurityMetadataSource methodSecurityMetadataSource)
        Creates the default MethodInterceptor which is a MethodSecurityInterceptor using the following methods to construct it.

        Subclasses can override this method to provide a different MethodInterceptor.

        Parameters:
        methodSecurityMetadataSource - the default MethodSecurityMetadataSource.
        Returns:
        the MethodInterceptor.

      • afterSingletonsInstantiated

        public void afterSingletonsInstantiated()
        Specified by:
        afterSingletonsInstantiated in interface org.springframework.beans.factory.SmartInitializingSingleton

      • afterInvocationManager

        protected org.springframework.security.access.intercept.AfterInvocationManager afterInvocationManager()
        Provide a custom AfterInvocationManager for the default implementation of methodSecurityInterceptor(MethodSecurityMetadataSource). The default is null if pre post is not enabled. Otherwise, it returns a AfterInvocationProviderManager.

        Subclasses should override this method to provide a custom AfterInvocationManager

        Returns:
        the AfterInvocationManager to use

      • runAsManager

        protected org.springframework.security.access.intercept.RunAsManager runAsManager()
        Provide a custom RunAsManager for the default implementation of methodSecurityInterceptor(MethodSecurityMetadataSource). The default is null.
        Returns:
        the RunAsManager to use

      • accessDecisionManager

        protected org.springframework.security.access.AccessDecisionManager accessDecisionManager()
        Allows subclasses to provide a custom AccessDecisionManager. The default is a AffirmativeBased with the following voters:
        • PreInvocationAuthorizationAdviceVoter
        • RoleVoter
        • AuthenticatedVoter
        Returns:
        the AccessDecisionManager to use

      • createExpressionHandler

        protected org.springframework.security.access.expression.method.MethodSecurityExpressionHandler createExpressionHandler()
        Provide a MethodSecurityExpressionHandler that is registered with the ExpressionBasedPreInvocationAdvice. The default is DefaultMethodSecurityExpressionHandler which optionally will Autowire an AuthenticationTrustResolver.

        Subclasses may override this method to provide a custom MethodSecurityExpressionHandler

        Returns:
        the MethodSecurityExpressionHandler to use

      • getExpressionHandler

        protected final org.springframework.security.access.expression.method.MethodSecurityExpressionHandler getExpressionHandler()
        Gets the MethodSecurityExpressionHandler or creates it using expressionHandler.
        Returns:
        a non null MethodSecurityExpressionHandler

      • customMethodSecurityMetadataSource

        protected org.springframework.security.access.method.MethodSecurityMetadataSource customMethodSecurityMetadataSource()
        Provides a custom MethodSecurityMetadataSource that is registered with the methodSecurityMetadataSource(). Default is null.
        Returns:
        a custom MethodSecurityMetadataSource that is registered with the methodSecurityMetadataSource()

      • authenticationManager

        protected org.springframework.security.authentication.AuthenticationManager authenticationManager()
                                                                                           throws java.lang.Exception
        Allows providing a custom AuthenticationManager. The default is to use any authentication mechanisms registered by configure(AuthenticationManagerBuilder). If configure(AuthenticationManagerBuilder) was not overridden, then an AuthenticationManager is attempted to be autowired by type.
        Returns:
        the AuthenticationManager to use
        Throws:
        java.lang.Exception

      • methodSecurityMetadataSource

        @Bean
@Role(2)
public org.springframework.security.access.method.MethodSecurityMetadataSource methodSecurityMetadataSource()
        Provides the default MethodSecurityMetadataSource that will be used. It creates a DelegatingMethodSecurityMetadataSource based upon customMethodSecurityMetadataSource() and the attributes on EnableGlobalMethodSecurity.
        Returns:
        the MethodSecurityMetadataSource

      • preInvocationAuthorizationAdvice

        @Bean
public org.springframework.security.access.prepost.PreInvocationAuthorizationAdvice preInvocationAuthorizationAdvice()
        Creates the PreInvocationAuthorizationAdvice to be used. The default is ExpressionBasedPreInvocationAdvice.
        Returns:
        the PreInvocationAuthorizationAdvice

      • setImportMetadata

        public final void setImportMetadata​(org.springframework.core.type.AnnotationMetadata importMetadata)
        Obtains the attributes from EnableGlobalMethodSecurity if this class was imported using the EnableGlobalMethodSecurity annotation.
        Specified by:
        setImportMetadata in interface org.springframework.context.annotation.ImportAware

      • setObjectPostProcessor

        @Autowired(required=false)
public void setObjectPostProcessor​(ObjectPostProcessor<java.lang.Object> objectPostProcessor)

      • setMethodSecurityExpressionHandler

        @Autowired(required=false)
public void setMethodSecurityExpressionHandler​(java.util.List<org.springframework.security.access.expression.method.MethodSecurityExpressionHandler> handlers)

      • setBeanFactory

        public void setBeanFactory​(org.springframework.beans.factory.BeanFactory beanFactory)
                    throws org.springframework.beans.BeansException
        Specified by:
        setBeanFactory in interface org.springframework.beans.factory.BeanFactoryAware
        Throws:
        org.springframework.beans.BeansException