Package org.springframework.security.web.access.intercept

Class FilterSecurityInterceptor

  • All Implemented Interfaces:
    javax.servlet.Filter, org.springframework.beans.factory.Aware, org.springframework.beans.factory.InitializingBean, org.springframework.context.ApplicationEventPublisherAware, org.springframework.context.MessageSourceAware
    public class FilterSecurityInterceptor
extends org.springframework.security.access.intercept.AbstractSecurityInterceptor
implements javax.servlet.Filter
    Performs security handling of HTTP resources via a filter implementation.

    The SecurityMetadataSource required by this security interceptor is of type FilterInvocationSecurityMetadataSource.

    Refer to AbstractSecurityInterceptor for details on the workflow.

    • Field Summary

      • Fields inherited from class org.springframework.security.access.intercept.AbstractSecurityInterceptor

        logger, messages

    • Method Summary

      All Methods Instance Methods Concrete Methods 
      Modifier and Type Method Description
      void destroy()
      Not used (we rely on IoC container lifecycle services instead)
      void doFilter​(javax.servlet.ServletRequest request, javax.servlet.ServletResponse response, javax.servlet.FilterChain chain)
      Method that is actually called by the filter chain.
      java.lang.Class<?> getSecureObjectClass()  
      FilterInvocationSecurityMetadataSource getSecurityMetadataSource()  
      void init​(javax.servlet.FilterConfig arg0)
      Not used (we rely on IoC container lifecycle services instead)
      void invoke​(FilterInvocation filterInvocation)  
      boolean isObserveOncePerRequest()
      Indicates whether once-per-request handling will be observed.
      org.springframework.security.access.SecurityMetadataSource obtainSecurityMetadataSource()  
      void setObserveOncePerRequest​(boolean observeOncePerRequest)  
      void setSecurityMetadataSource​(FilterInvocationSecurityMetadataSource newSource)  

      • Methods inherited from class org.springframework.security.access.intercept.AbstractSecurityInterceptor

        afterInvocation, afterPropertiesSet, beforeInvocation, finallyInvocation, getAccessDecisionManager, getAfterInvocationManager, getAuthenticationManager, getRunAsManager, isAlwaysReauthenticate, isRejectPublicInvocations, isValidateConfigAttributes, setAccessDecisionManager, setAfterInvocationManager, setAlwaysReauthenticate, setApplicationEventPublisher, setAuthenticationManager, setMessageSource, setPublishAuthorizationSuccess, setRejectPublicInvocations, setRunAsManager, setValidateConfigAttributes

      • Methods inherited from class java.lang.Object

        clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

    • Constructor Detail

      • FilterSecurityInterceptor

        public FilterSecurityInterceptor()

    • Method Detail

      • init

        public void init​(javax.servlet.FilterConfig arg0)
        Not used (we rely on IoC container lifecycle services instead)
        Specified by:
        init in interface javax.servlet.Filter
        Parameters:
        arg0 - ignored

      • destroy

        public void destroy()
        Not used (we rely on IoC container lifecycle services instead)
        Specified by:
        destroy in interface javax.servlet.Filter

      • doFilter

        public void doFilter​(javax.servlet.ServletRequest request,
                     javax.servlet.ServletResponse response,
                     javax.servlet.FilterChain chain)
              throws java.io.IOException,
                     javax.servlet.ServletException
        Method that is actually called by the filter chain. Simply delegates to the invoke(FilterInvocation) method.
        Specified by:
        doFilter in interface javax.servlet.Filter
        Parameters:
        request - the servlet request
        response - the servlet response
        chain - the filter chain
        Throws:
        java.io.IOException - if the filter chain fails
        javax.servlet.ServletException - if the filter chain fails

      • obtainSecurityMetadataSource

        public org.springframework.security.access.SecurityMetadataSource obtainSecurityMetadataSource()
        Specified by:
        obtainSecurityMetadataSource in class org.springframework.security.access.intercept.AbstractSecurityInterceptor

      • getSecureObjectClass

        public java.lang.Class<?> getSecureObjectClass()
        Specified by:
        getSecureObjectClass in class org.springframework.security.access.intercept.AbstractSecurityInterceptor

      • invoke

        public void invoke​(FilterInvocation filterInvocation)
            throws java.io.IOException,
                   javax.servlet.ServletException
        Throws:
        java.io.IOException
        javax.servlet.ServletException

      • isObserveOncePerRequest

        public boolean isObserveOncePerRequest()
        Indicates whether once-per-request handling will be observed. By default this is true, meaning the FilterSecurityInterceptor will only execute once-per-request. Sometimes users may wish it to execute more than once per request, such as when JSP forwards are being used and filter security is desired on each included fragment of the HTTP request.
        Returns:
        true (the default) if once-per-request is honoured, otherwise false if FilterSecurityInterceptor will enforce authorizations for each and every fragment of the HTTP request.

      • setObserveOncePerRequest

        public void setObserveOncePerRequest​(boolean observeOncePerRequest)