Class AuthorizationFilter

java.lang.Object
org.springframework.web.filter.GenericFilterBean
org.springframework.security.web.access.intercept.AuthorizationFilter
All Implemented Interfaces:
jakarta.servlet.Filter, org.springframework.beans.factory.Aware, org.springframework.beans.factory.BeanNameAware, org.springframework.beans.factory.DisposableBean, org.springframework.beans.factory.InitializingBean, org.springframework.context.EnvironmentAware, org.springframework.core.env.EnvironmentCapable, org.springframework.web.context.ServletContextAware

public class AuthorizationFilter extends org.springframework.web.filter.GenericFilterBean
An authorization filter that restricts access to the URL using AuthorizationManager.
Since:
5.5
  • Field Summary

    Fields inherited from class org.springframework.web.filter.GenericFilterBean

    logger
  • Constructor Summary

    Constructors
    Constructor
    Description
    AuthorizationFilter(org.springframework.security.authorization.AuthorizationManager<jakarta.servlet.http.HttpServletRequest> authorizationManager)
    Creates an instance.
  • Method Summary

    Modifier and Type
    Method
    Description
    void
    doFilter(jakarta.servlet.ServletRequest servletRequest, jakarta.servlet.ServletResponse servletResponse, jakarta.servlet.FilterChain chain)
     
    org.springframework.security.authorization.AuthorizationManager<jakarta.servlet.http.HttpServletRequest>
    getAuthorizationManager()
    Gets the AuthorizationManager used by this filter
    boolean
    isObserveOncePerRequest()
     
    void
    setAuthorizationEventPublisher(org.springframework.security.authorization.AuthorizationEventPublisher eventPublisher)
    Use this AuthorizationEventPublisher to publish AuthorizationDeniedEvents and AuthorizationGrantedEvents.
    void
    setFilterAsyncDispatch(boolean filterAsyncDispatch)
    If set to true, the filter will be applied to the async dispatcher.
    void
    setFilterErrorDispatch(boolean filterErrorDispatch)
    If set to true, the filter will be applied to the error dispatcher.
    void
    setObserveOncePerRequest(boolean observeOncePerRequest)
    Sets whether this filter applies only once per request.
    void
    setSecurityContextHolderStrategy(org.springframework.security.core.context.SecurityContextHolderStrategy securityContextHolderStrategy)
    Sets the SecurityContextHolderStrategy to use.
    void
    setShouldFilterAllDispatcherTypes(boolean shouldFilterAllDispatcherTypes)
    Deprecated, for removal: This API element is subject to removal in a future version.
    Permit access to the DispatcherType instead.

    Methods inherited from class org.springframework.web.filter.GenericFilterBean

    addRequiredProperty, afterPropertiesSet, createEnvironment, destroy, getEnvironment, getFilterConfig, getFilterName, getServletContext, init, initBeanWrapper, initFilterBean, setBeanName, setEnvironment, setServletContext

    Methods inherited from class java.lang.Object

    clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
  • Constructor Details

    • AuthorizationFilter

      public AuthorizationFilter(org.springframework.security.authorization.AuthorizationManager<jakarta.servlet.http.HttpServletRequest> authorizationManager)
      Creates an instance.
      Parameters:
      authorizationManager - the AuthorizationManager to use
  • Method Details

    • doFilter

      public void doFilter(jakarta.servlet.ServletRequest servletRequest, jakarta.servlet.ServletResponse servletResponse, jakarta.servlet.FilterChain chain) throws jakarta.servlet.ServletException, IOException
      Throws:
      jakarta.servlet.ServletException
      IOException
    • setSecurityContextHolderStrategy

      public void setSecurityContextHolderStrategy(org.springframework.security.core.context.SecurityContextHolderStrategy securityContextHolderStrategy)
      Sets the SecurityContextHolderStrategy to use. The default action is to use the SecurityContextHolderStrategy stored in SecurityContextHolder.
      Since:
      5.8
    • setAuthorizationEventPublisher

      public void setAuthorizationEventPublisher(org.springframework.security.authorization.AuthorizationEventPublisher eventPublisher)
      Use this AuthorizationEventPublisher to publish AuthorizationDeniedEvents and AuthorizationGrantedEvents.
      Parameters:
      eventPublisher - the AuthorizationEventPublisher to use
      Since:
      5.7
    • getAuthorizationManager

      public org.springframework.security.authorization.AuthorizationManager<jakarta.servlet.http.HttpServletRequest> getAuthorizationManager()
      Gets the AuthorizationManager used by this filter
      Returns:
      the AuthorizationManager
    • setShouldFilterAllDispatcherTypes

      @Deprecated(since="6.1", forRemoval=true) public void setShouldFilterAllDispatcherTypes(boolean shouldFilterAllDispatcherTypes)
      Deprecated, for removal: This API element is subject to removal in a future version.
      Permit access to the DispatcherType instead.
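      import jakarta.servlet.DispatcherType;
      import org.springframework.context.annotation.Bean;
      import org.springframework.context.annotation.Configuration;
      import org.springframework.security.config.annotation.web.builders.HttpSecurity;
      import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
      import org.springframework.security.web.SecurityFilterChain;

      @Configuration
      @EnableWebSecurity
      public class SecurityConfig {

          @Bean
          public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
              http
                  .authorizeHttpRequests((authorize) -> authorize
                      // Permit the ERROR dispatch with an explicit rule
                      .dispatcherTypeMatchers(DispatcherType.ERROR).permitAll()
                      // ...
                  );
              return http.build();
          }
      }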
       
      Sets whether to filter all dispatcher types.
      Parameters:
      shouldFilterAllDispatcherTypes - should filter all dispatcher types. Default is true
      Since:
      5.7
    • isObserveOncePerRequest

      public boolean isObserveOncePerRequest()
    • setObserveOncePerRequest

      public void setObserveOncePerRequest(boolean observeOncePerRequest)
      Sets whether this filter applies only once per request. By default, this is false, meaning the filter will execute on every request. Sometimes users may wish it to execute more than once per request, such as when JSP forwards are being used and filter security is desired on each included fragment of the HTTP request.
      Parameters:
      observeOncePerRequest - whether the filter should only be applied once per request
    • setFilterErrorDispatch

      public void setFilterErrorDispatch(boolean filterErrorDispatch)
      If set to true, the filter will be applied to the error dispatcher. Defaults to true.
      Parameters:
      filterErrorDispatch - whether the filter should be applied to the error dispatcher
    • setFilterAsyncDispatch

      public void setFilterAsyncDispatch(boolean filterAsyncDispatch)
      If set to true, the filter will be applied to the async dispatcher. Defaults to true.
      Parameters:
      filterAsyncDispatch - whether the filter should be applied to async dispatch
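
Added example, not part of the Spring Security documentation: building the filter by hand so that the ERROR dispatch is permitted by an explicit rule, as the deprecation note on setShouldFilterAllDispatcherTypes recommends, while the dispatch setters stay at their documented defaults and denied requests are published as events. It assumes Spring Security 6.x; the class names AuthorizationFilterSetup and DeniedEventLogger, the build method and the "authz" logger name are hypothetical.

```java
import jakarta.servlet.DispatcherType;
import jakarta.servlet.http.HttpServletRequest;
import org.springframework.context.ApplicationEventPublisher;
import org.springframework.context.event.EventListener;
import org.springframework.security.authorization.AuthenticatedAuthorizationManager;
import org.springframework.security.authorization.AuthorizationDecision;
import org.springframework.security.authorization.SpringAuthorizationEventPublisher;
import org.springframework.security.authorization.event.AuthorizationDeniedEvent;
import org.springframework.security.web.access.intercept.AuthorizationFilter;
import org.springframework.security.web.access.intercept.RequestMatcherDelegatingAuthorizationManager;
import org.springframework.security.web.util.matcher.AnyRequestMatcher;
import org.springframework.security.web.util.matcher.DispatcherTypeRequestMatcher;

// Added example (not Spring Security's own code); class and method names are hypothetical.
public class AuthorizationFilterSetup {

    public static AuthorizationFilter build(ApplicationEventPublisher events) {
        // Rules are tried in order. ERROR dispatches stay inside the filter and are
        // permitted by an explicit rule; every other dispatch needs authentication.
        RequestMatcherDelegatingAuthorizationManager manager =
                RequestMatcherDelegatingAuthorizationManager.builder()
                        .add(new DispatcherTypeRequestMatcher(DispatcherType.ERROR),
                                (authentication, context) -> new AuthorizationDecision(true))
                        .add(AnyRequestMatcher.INSTANCE,
                                AuthenticatedAuthorizationManager.authenticated())
                        .build();

        AuthorizationFilter filter = new AuthorizationFilter(manager);
        filter.setAuthorizationEventPublisher(new SpringAuthorizationEventPublisher(events));
        filter.setFilterErrorDispatch(true);     // documented default, made explicit
        filter.setFilterAsyncDispatch(true);     // documented default, made explicit
        filter.setObserveOncePerRequest(false);  // documented default: evaluate on every dispatch
        return filter;
    }

    /** Register as a bean to receive the denied events published by the filter. */
    public static class DeniedEventLogger {
        private static final System.Logger LOG = System.getLogger("authz");

        @EventListener
        public void onDenied(AuthorizationDeniedEvent<?> event) {
            // For this filter the event source is the request that was denied.
            if (event.getSource() instanceof HttpServletRequest request) {
                LOG.log(System.Logger.Level.WARNING, "denied {0} dispatch to {1}",
                        request.getDispatcherType(), request.getRequestURI());
            }
        }
    }
}
```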