AccessDecisionVoter
| org.springframework.security.access.AccessDecisionVoter<S> |
 Known Indirect Subclasses
|
Class Overview
Indicates a class is responsible for voting on authorization decisions.
The coordination of voting (ie polling AccessDecisionVoters,
tallying their responses, and making the final authorization decision) is
performed by an AccessDecisionManager.
Summary
| Constants | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
| int | ACCESS_ABSTAIN | ||||||||||
| int | ACCESS_DENIED | ||||||||||
| int | ACCESS_GRANTED | ||||||||||
| Public Methods | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
Indicates whether the
AccessDecisionVoter implementation is able to provide access control
votes for the indicated secured object type. | |||||||||||
Indicates whether this
AccessDecisionVoter is able to vote on the passed ConfigAttribute. | |||||||||||
Indicates whether or not access is granted.
| |||||||||||
Constants
public static final int ACCESS_ABSTAIN
public static final int ACCESS_DENIED
public static final int ACCESS_GRANTED
Public Methods
public abstract boolean supports (Class<?> clazz)
Indicates whether the AccessDecisionVoter implementation is able to provide access control
votes for the indicated secured object type.
Parameters
| clazz | the class that is being queried |
|---|
Returns
- true if the implementation can process the indicated class
public abstract boolean supports (ConfigAttribute attribute)
Indicates whether this AccessDecisionVoter is able to vote on the passed ConfigAttribute.
This allows the AbstractSecurityInterceptor to check every configuration attribute can be consumed by
the configured AccessDecisionManager and/or RunAsManager and/or AfterInvocationManager.
Parameters
| attribute | a configuration attribute that has been configured against the
AbstractSecurityInterceptor |
|---|
Returns
- true if this
AccessDecisionVotercan support the passed configuration attribute
public abstract int vote (Authentication authentication, S object, Collection<ConfigAttribute> attributes)
Indicates whether or not access is granted.
The decision must be affirmative (ACCESS_GRANTED), negative (ACCESS_DENIED)
or the AccessDecisionVoter can abstain (ACCESS_ABSTAIN) from voting.
Under no circumstances should implementing classes return any other value. If a weighting of results is desired,
this should be handled in a custom AccessDecisionManager instead.
Unless an AccessDecisionVoter is specifically intended to vote on an access control
decision due to a passed method invocation or configuration attribute parameter, it must return
ACCESS_ABSTAIN. This prevents the coordinating AccessDecisionManager from counting
votes from those AccessDecisionVoters without a legitimate interest in the access control
decision.
Whilst the secured object (such as a MethodInvocation) is passed as a parameter to maximise flexibility
in making access control decisions, implementing classes should not modify it or cause the represented invocation
to take place (for example, by calling MethodInvocation.proceed()).
Parameters
| authentication | the caller making the invocation |
|---|---|
| object | the secured object being invoked |
| attributes | the configuration attributes associated with the secured object |
Returns
- either
ACCESS_GRANTED,ACCESS_ABSTAINorACCESS_DENIED