All Classes and Interfaces
Class
Description
Deprecated.
Deprecated.
Now used by only-deprecated classes.
Represents an application authentication event.
Abstract application event which indicates authentication failure for some reason.
Base class for
Authentication
objects.Deprecated.
Authorization events have moved.
Deprecated.
Use the
use-authorization-manager
attribute for
<method-security>
and <intercept-methods>
instead or use
annotation-based or AuthorizationManager
-based authorizationAn
AuthenticationProvider
implementation that retrieves user details from a
JAAS login configuration.Deprecated.
Use the
use-authorization-manager
attribute for
<method-security>
and <intercept-methods>
instead or use
annotation-based or AuthorizationManager
-based authorizationBase implementation of the facade which isolates Spring Security's requirements for
evaluating security expressions from the implementation of the underlying expression
objects.
Deprecated.
Use
org.springframework.security.web.access.intercept.AuthorizationFilter
instead
for filter security,
org.springframework.security.messaging.access.intercept.AuthorizationChannelInterceptor
for messaging security, or
AuthorizationManagerBeforeMethodInterceptor
and
AuthorizationManagerAfterMethodInterceptor
for method security.Abstract superclass for all session related events.
A base
AuthenticationProvider
that allows subclasses to override and work with
UserDetails
objects.A base
ReactiveAuthenticationManager
that allows subclasses to override and
work with UserDetails
objects.Deprecated.
Use
AuthorizationManager
insteadDeprecated.
Use
AuthorizationManager
insteadThrown if an
Authentication
object does not hold a required authority.Thrown if an authentication request is rejected because the account has expired.
Base class for authentication exceptions which are caused by a particular user account
status (locked, disabled etc).
Deprecated.
Use
AuthorizationManager
insteadDeprecated.
Use delegation with
AuthorizationManager
Deprecated.
Use delegation with
AuthorizationManager
Deprecated.
Use delegation with
AuthorizationManager
Deprecated.
Used only by now-deprecated classes.
Allows finding parameter names using the value attribute of any number of
Annotation
instances.An
AuthenticationProvider
implementation that validates
AnonymousAuthenticationToken
s.Represents an anonymous
Authentication
.Deprecated.
This class will be removed from the public API.
Deprecated.
This class will be removed from the public API.
Interface to be implemented by classes that can map a list of security attributes (such
as roles or group names) to a collection of Spring Security
GrantedAuthority
s.An
AuthorizationManager
that determines if the current user is authenticated.Representation of an authenticated
Principal
once an
Authentication
request has been successfully authenticated by the
AuthenticationManager.authenticate(Authentication)
method.A
ReactiveAuthorizationManager
that determines if the current user is
authenticated.Deprecated.
Use
AuthorityAuthorizationManager
insteadRepresents the token for an authentication request or for an authenticated principal
once the request has been processed by the
AuthenticationManager.authenticate(Authentication)
method.Deprecated.
Authentication is now separated from authorization.
Thrown if an authentication request is rejected because there is no
Authentication
object in the
SecurityContext
.Provides a
Authentication.getDetails()
object
for a given web request.Abstract superclass for all exceptions related to an
Authentication
object
being invalid for whatever reason.Application event which indicates authentication failure due to invalid credentials
being presented.
Application event which indicates authentication failure due to the user's credentials
having expired.
Application event which indicates authentication failure due to the user's account
being disabled.
Application event which indicates authentication failure due to the user's account
having expired.
Application event which indicates authentication failure due to the user's account
having been locked.
Application event which indicates authentication failure due to there being no
registered
AuthenticationProvider
that can process the request.Application event which indicates authentication failure due to the CAS user's ticket
being generated by an untrusted proxy.
Application event which indicates authentication failure due to there being a problem
internal to the
AuthenticationManager
.Processes an
Authentication
request.An interface for resolving an
AuthenticationManager
based on the provided
contextAn
Observation.Context
used during authenticationsAn
ObservationConvention
for translating authentications into
KeyValues
.Annotation that is used to resolve
Authentication.getPrincipal()
to a method
argument.Indicates a class can process a specific
Authentication
implementation.Thrown if an authentication request could not be processed due to a system problem.
Application event which indicates successful authentication.
Evaluates
Authentication
tokensBasic implementation of
AuthenticationTrustResolver
.Interface that allows for retrieving a UserDetails object based on an
Authentication object.
Represents an
AuthorizationDecision
based on a collection of authoritiesAn
AuthorizationManager
that determines if the current user is authorized by
evaluating if the Authentication
contains a specified authority.The AuthorityGranter interface is used to map a given principal to role names.
A
ReactiveAuthorizationManager
that determines if the current user is
authorized by evaluating if the Authentication
contains a specified authority.Utility method for manipulating GrantedAuthority collections etc.
An
ApplicationEvent
which indicates failed authorization.A parent class for
AuthorizationGrantedEvent
and
AuthorizationDeniedEvent
.A contract for publishing authorization events
Deprecated.
Use
AuthorizationDeniedEvent
insteadAn
ApplicationEvent
which indicates successful authorization.Ordering of Spring Security's authorization
Advisor
sAn Authorization manager which can determine if an
Authentication
has access to
a specific object.A
MethodInterceptor
which can determine if an Authentication
has access
to the result of an MethodInvocation
using an AuthorizationManager
A
MethodInterceptor
which can determine if an Authentication
has access
to the returned object from the MethodInvocation
using the configured
ReactiveAuthorizationManager
.A
MethodInterceptor
which uses a AuthorizationManager
to determine if
an Authentication
may invoke the given MethodInvocation
A
MethodInterceptor
which can determine if an Authentication
has access
to the MethodInvocation
using the configured
ReactiveAuthorizationManager
.A factory class to create an
AuthorizationManager
instances.An
Observation.Context
used during authorizationsAn
ObservationConvention
for translating authorizations into KeyValues
.Thrown if an authorization request could not be processed due to a system problem.
Deprecated.
Use
AuthorizationGrantedEvent
insteadThrown if an authentication request is rejected because the credentials are invalid.
Stores a security system related configuration attribute.
Deprecated.
Use
AuthorizationManager
insteadJackson module for spring-security-core.
Indicates that the implementing object contains sensitive data, which can be erased
using the
eraseCredentials
method.Thrown if an authentication request is rejected because the account's credentials have
expired.
Annotation that is used to resolve the
SecurityContext
as a method argument.Exception that is thrown because of a cycle in the role hierarchy definition
An
AuthenticationProvider
implementation that retrieves user details from a
UserDetailsService
.The default strategy for publishing authentication events.
Creates a LoginContext using the Configuration provided to it.
This LoginExceptionResolver simply wraps the LoginException with an
AuthenticationServiceException.
The standard implementation of
MethodSecurityExpressionHandler
.Spring Security's default
ParameterNameDiscoverer
which tries a number of
ParameterNameDiscoverer
depending on what is found on the classpath.The default implementation of
Token
.An interface that allows delayed access to a
SecurityContext
that may be
generated.Used for delegating to a number of SmartApplicationListener instances.
Deprecated.
Use the
use-authorization-manager
attribute for
<method-security>
and <intercept-methods>
instead or use
annotation-based or AuthorizationManager
-based authorizationA
ReactiveAuthenticationManager
that delegates to other
ReactiveAuthenticationManager
instances using the result from the first non
empty result.An
AsyncTaskExecutor
which wraps each Runnable
in a
DelegatingSecurityContextRunnable
and each Callable
in a
DelegatingSecurityContextCallable
.
Wraps a delegate
Callable
with logic for setting up a SecurityContext
before invoking the delegate Callable
and then removing the
SecurityContext
after the delegate has completed.An
ExecutorService
which wraps each Runnable
in a
DelegatingSecurityContextRunnable
and each Callable
in a
DelegatingSecurityContextCallable
.
Wraps a delegate
Runnable
with logic for setting up a SecurityContext
before invoking the delegate Runnable
and then removing the
SecurityContext
after the delegate has completed.An
ScheduledExecutorService
which wraps each Runnable
in a
DelegatingSecurityContextRunnable
and each Callable
in a
DelegatingSecurityContextCallable
.An
SchedulingTaskExecutor
which wraps each Runnable
in a
DelegatingSecurityContextRunnable
and each Callable
in a
DelegatingSecurityContextCallable
.An implementation of
TaskScheduler
invoking it whenever the trigger indicates a
next execution time.A null PermissionEvaluator which denies all access.
Thrown if an authentication request is rejected because the account is disabled.
Deprecated.
Use
ExpressionAuthorizationDecision
insteadRepresents an
AuthorizationDecision
based on a Expression
Deprecated.
Use
AuthorizationManager
interceptors insteadDeprecated.
Use
AuthorizationManagerAfterMethodInterceptor
insteadDeprecated.
Use
AuthorizationManagerAfterMethodInterceptor
insteadOffers static methods for directly manipulating fields.
Indicates that a object stores GrantedAuthority objects.
Mapping interface which can be injected into the authentication layer to convert the
authorities loaded from storage into those which will be used in the
Authentication
object.Represents an authority granted to an
Authentication
object.Allows management of groups of authorities and their members.
An in memory representation of a JAAS configuration.
An in memory implementation of Spring's
Resource
interface.Non-persistent implementation of
UserDetailsManager
which is backed by an
in-memory map.Thrown if an authentication request is rejected because the credentials are not
sufficiently trusted.
Indicates an interactive authentication was successful.
Deprecated.
Use delegation with
AuthorizationManager
Thrown if an authentication request could not be processed due to a system problem that
occurred internally.
The JaasAuthenticationCallbackHandler is similar to the
javax.security.auth.callback.CallbackHandler interface in that it defines a handle
method.
Parent class for events fired by the
JaasAuthenticationProvider
.Fired when LoginContext.login throws a LoginException, or if any other exception is
thrown during that time.
An
AuthenticationProvider
implementation that retrieves user details from a
JAAS login configuration.Fired by the
JaasAuthenticationProvider
after successfully logging the user into the LoginContext,
handling all callbacks, and calling all AuthorityGranters.UsernamePasswordAuthenticationToken extension to carry the Jaas LoginContext that the
user was logged into
GrantedAuthority
which, in addition to the assigned role, holds the principal
that an AuthorityGranter
used as a reason to grant this authority.The most basic Callbacks to be handled when using a LoginContext from JAAS, are the
NameCallback and PasswordCallback.
The most basic Callbacks to be handled when using a LoginContext from JAAS, are the
NameCallback and PasswordCallback.
UserDetailsService implementation which retrieves the user details (username,
password, enabled flag, and authorities) from a database using JDBC queries.
Jdbc user management service, based on the same table structure as its parent class,
JdbcDaoImpl.
An
AuthorizationManager
which can determine if an Authentication
may
invoke the MethodInvocation
by evaluating if the Authentication
contains a specified authority from the JSR-250 security annotations.Deprecated.
Use
Jsr250AuthorizationManager
insteadDeprecated.
Deprecated.
Use
Jsr250AuthorizationManager
insteadBasic implementation of
TokenService
that is compatible with clusters and
across machine restarts, without requiring database persistence.An API for notifying when the
SecurityContext
changes.Thrown if an authentication request is rejected because the account is locked.
Deprecated.
Logging is now embedded in Spring Security components.
Outputs authentication-related application events to Commons Logging.
The JaasAuthenticationProvider takes an instance of LoginExceptionResolver to resolve
LoginModule specific exceptions to Spring Security AuthenticationExceptions.
Application event which indicates successful logout
This class implements the Attributes2GrantedAuthoritiesMapper and
MappableAttributesRetriever interfaces based on the supplied Map.
Deprecated.
Use the
use-authorization-manager
attribute for
<method-security>
and <intercept-methods>
instead or use
annotation-based or AuthorizationManager
-based authorizationInterface to be implemented by classes that can retrieve a list of mappable security
attribute strings (for example the list of all available J2EE roles in a web or EJB
application).
A
Map
based implementation of ReactiveUserDetailsService
An expression-based
AuthorizationManager
that determines the access by
evaluating the provided expression against the MethodInvocation
.Deprecated.
This class will be removed from the public API.
Deprecated.
Use
AuthorizationManager
insteadA context object that contains a
MethodInvocation
and the result of that
MethodInvocation
.Static utility methods for creating
MethodInvocation
s usable within Spring
Security.Extended expression-handler facade which adds methods which are specific to securing
method invocations.
Interface which must be implemented if you want to use filtering in method security
expressions.
Deprecated.
Please use
AuthorizationManagerBeforeMethodInterceptor
and
AuthorizationManagerAfterMethodInterceptor
insteadDeprecated.
Use the
use-authorization-manager
attribute for
<method-security>
and <intercept-methods>
instead or use
annotation-based or AuthorizationManager
-based authorizationDeprecated.
Use
EnableMethodSecurity
or publish interceptors directlyDoes not perform any caching.
An
AuthenticationManager
that observes the authenticationAn
AuthorizationManager
that observes the authorizationAn
ReactiveAuthenticationManager
that observes the authenticationAn
ReactiveAuthorizationManager
that observes the authenticationA
SecurityContextChangedListener
that adds events to an existing
Observation
If no Observation
is present when an event is fired, then the event is
unrecorded.Deprecated.
use @{code org.springframework.security.core.parameters.P}
An annotation that can be used along with
AnnotationParameterNameDiscoverer
to
specify parameter names.Allows permissions to be pre-cached when using pre or post filtering with expressions
Strategy used in expression evaluation to determine whether a user has a permission or
permissions for a given domain object.
Annotation for specifying a method access-control expression which will be evaluated
after a method has been invoked.
An
AuthorizationManager
which can determine if an Authentication
may
return the result from an invoked MethodInvocation
by evaluating an expression
from the PostAuthorize
annotation.A
ReactiveAuthorizationManager
which can determine if an Authentication
has access to the returned object from the MethodInvocation
by evaluating an
expression from the PostAuthorize
annotation.Annotation for specifying a method filtering expression which will be evaluated after a
method has been invoked.
A
MethodInterceptor
which filters a returnedObject
from the
MethodInvocation
by evaluating an expression from the PostFilter
annotation.A
MethodInterceptor
which filters the returned object from the
MethodInvocation
by evaluating an expression from the PostFilter
annotation.Deprecated.
Use
AuthorizationManagerAfterMethodInterceptor
insteadDeprecated.
Use
AuthorizationManagerAfterMethodInterceptor
insteadDeprecated.
Use
AuthorizationManagerAfterMethodInterceptor
insteadAnnotation for specifying a method access-control expression which will be evaluated to
decide whether a method invocation is allowed or not.
An
AuthorizationManager
which can determine if an Authentication
may
invoke the MethodInvocation
by evaluating an expression from the
PreAuthorize
annotation.A
ReactiveAuthorizationManager
which can determine if an Authentication
has access to the MethodInvocation
by evaluating an expression from the
PreAuthorize
annotation.Annotation for specifying a method filtering expression which will be evaluated before
a method has been invoked.
A
MethodInterceptor
which filters a method argument by evaluating an expression
from the PreFilter
annotation.A
MethodInterceptor
which filters a reactive method argument by evaluating an
expression from the PreFilter
annotation.Deprecated.
Use
AuthorizationManagerBeforeMethodInterceptor
insteadDeprecated.
Use
AuthorizationManagerBeforeMethodInterceptor
insteadDeprecated.
Use
AuthorizationManagerBeforeMethodInterceptor
insteadDeprecated.
Deprecated.
Use
PreAuthorizeAuthorizationManager
and
PostAuthorizeAuthorizationManager
insteadDeprecated.
Use delegation with
AuthorizationManager
Iterates an
Authentication
request through a list of
AuthenticationProvider
s.Thrown by
ProviderManager
if no AuthenticationProvider
could be found
that supports the presented Authentication
object.Deprecated.
Only used by now-deprecated classes.
Determines if the provided
Authentication
can be authenticated.Adapts an AuthenticationManager to the reactive APIs.
An interface for resolving a
ReactiveAuthenticationManager
based on the
provided contextA reactive authorization manager which can determine if an
Authentication
has
access to a specific object.Allows getting and setting the Spring
SecurityContext
into a Context
.An API for changing a
UserDetails
password.An API for finding the
UserDetails
by username.An
AuthenticationProvider
implementation that validates
RememberMeAuthenticationToken
s.Represents a remembered
Authentication
.The simple interface of a role hierarchy.
This class defines a role hierarchy for use with various access checking components.
Utility methods for
RoleHierarchy
.Deprecated.
Deprecated.
Use
AuthorityAuthorizationManager
insteadUsed for creating
Key
converter instancesDeprecated.
Authentication is now separated from authorization in Spring Security.
Deprecated.
Authentication is now separated from authorization in Spring Security.
Deprecated.
Authentication is now separated from authorization in Spring Security.
Deprecated.
Authentication is now separated from authorization in Spring Security.
Java 5 annotation for describing service layer security attributes.
Deprecated.
An
AuthorizationManager
which can determine if an Authentication
may
invoke the MethodInvocation
by evaluating if the Authentication
contains a specified authority from the Spring Security's Secured
annotation.Creates a
SecureRandom
instance.Stores a
ConfigAttribute
as a String
.Interface defining the minimum security information associated with the current thread
of execution.
An event that represents a change in
SecurityContext
A listener for
SecurityContextChangedEvent
sAssociates a given
SecurityContext
with the current execution thread.A strategy for storing security context information against a thread.
Base implementation of
SecurityContext
.An implementation of
LoginModule
that uses a Spring Security
SecurityContext
to
provide authentication.Facade which isolates Spring Security's requirements for evaluating security
expressions from the implementation of the underlying expression objects
Standard interface for expression root objects used with expression-based security.
Base root object for use in Spring Security expression evaluations.
This utility class will find all the SecurityModules in classpath.
Implemented by classes that store and can identify the
ConfigAttribute
s that
applies to a given secure object invocation.Generic session creation event which indicates that a session (potentially represented
by a security context) has begun.
Generic "session termination" event which indicates that a session (potentially
represented by a security context) has ended.
Generic "session ID changed" event which indicates that a session identifier
(potentially represented by a security context) has changed.
Represents a record of a session within the Spring Security framework.
Maintains a registry of
SessionInformation
instances.Default implementation of
SessionRegistry
which
listens for SessionDestroyedEvent
s published in the Spring application context.Provides SHA512 digest methods.
This class implements the Attributes2GrantedAuthoritiesMapper interface by doing a
one-to-one mapping from roles to Spring Security GrantedAuthorities.
Simple one-to-one
GrantedAuthoritiesMapper
which allows for case conversion of
the authority name and the addition of a string prefix (which defaults to ROLE_
).Basic concrete implementation of a
GrantedAuthority
.Jackson Mixin class helps in serialize/deserialize
SimpleGrantedAuthority
.This class implements the MappableAttributesRetriever interface by just returning a
list of mappable attributes as previously set using the corresponding setter method.
Represents the AOP Alliance
MethodInvocation
.An implementation of
AuthorizationEventPublisher
that uses Spring's event
publishing support.Caches
UserDetails
instances in a Spring defined Cache
.Internal class used for checking version compatibility in a deployed application.
The default
MessageSource
used by Spring Security.An
AuthenticationProvider
implementation for the
TestingAuthenticationToken
.An
Authentication
implementation that is
designed for use whilst unit testing.A token issued by
TokenService
.Provides a mechanism to allocate and rebuild secure, randomised tokens.
A marker for
Authentication
s that should never be stored across requests, for
example a bearer token authenticationA
SecurityContext
that is annotated with @Transient
and thus should
never be stored across requests.Deprecated.
Use
AuthorizationManager
insteadModels core user information retrieved by a
UserDetailsService
.Builds the user to be added.
Used by
InMemoryUserDetailsManager
to
temporarily store the attributes associated with a user.Property editor that creates a
UserAttribute
from a comma separated list of
values.Provides a cache of
UserDetails
objects.Provides core user information.
This implementation for AuthenticationUserDetailsService wraps a regular Spring
Security UserDetailsService implementation, to retrieve a UserDetails object based on
the user name contained in an Authentication object.
Called by classes which make use of a
UserDetailsService
to check the status of
the loaded UserDetails object.An extension of the
UserDetailsService
which provides the ability to create new
users and update existing ones.An API for changing a
UserDetails
password.A
ReactiveAuthenticationManager
that uses a ReactiveUserDetailsService
to validate the provided username and password.Core interface which loads user-specific data.
Thrown if an
UserDetailsService
implementation cannot locate a User
by
its username.An
Authentication
implementation that is
designed for simple presentation of a username and password.
AuthorizationManager
instead