java.lang.Object
↳ org.springframework.security.access.intercept.AbstractSecurityInterceptor
Abstract class that implements security interception for secure objects.

The AbstractSecurityInterceptor will ensure the proper startup configuration of the security interceptor. It will also implement the proper handling of secure object invocations, namely:

- Authentication object from the SecurityContextHolder.
- SecurityMetadataSource.
- ConfigAttributes for the secure object invocation):
  - isAuthenticated() returns false, or the alwaysReauthenticate is true, authenticate the request against the configured AuthenticationManager. When authenticated, replace the Authentication object on the SecurityContextHolder with the returned value.
  - AccessDecisionManager.
  - RunAsManager.
  - InterceptorStatusToken is returned so that after the subclass has finished proceeding with execution of the object, its finally clause can ensure the AbstractSecurityInterceptor is re-called and tidies up correctly.
  - AbstractSecurityInterceptor via the afterInvocation(InterceptorStatusToken, Object) method.
  - RunAsManager replaced the Authentication object, return the SecurityContextHolder to the object that existed after the call to AuthenticationManager.
  - AfterInvocationManager is defined, invoke the invocation manager and allow it to replace the object due to be returned to the caller.
- ConfigAttributes for the secure object invocation):
  - InterceptorStatusToken which is subsequently re-presented to the AbstractSecurityInterceptor after the secure object has been executed. The AbstractSecurityInterceptor will take no further action when its afterInvocation(InterceptorStatusToken, Object) is called.
- Object that should be returned to the caller. The subclass will then return that result or exception to the original caller.

Fields |
---|
logger |
messages |
Public Methods |
---|
Indicates the type of secure objects the subclass will be presenting to the abstract parent for processing. |
Indicates whether the AbstractSecurityInterceptor should ignore the isAuthenticated() property. |
Only AuthorizationFailureEvent will be published. |
By rejecting public invocations (and setting this property to true), essentially you are ensuring that every secure object invocation advised by AbstractSecurityInterceptor has a configuration attribute defined. |

Protected Methods |
---|
Completes the work of the AbstractSecurityInterceptor after the secure object invocation has been completed. |
Inherited Methods |
---|
From class java.lang.Object |
From interface org.springframework.beans.factory.InitializingBean |
From interface org.springframework.context.ApplicationEventPublisherAware |
From interface org.springframework.context.MessageSourceAware |

Indicates the type of secure objects the subclass will be presenting to the abstract parent for processing. This is used to ensure collaborators wired to the AbstractSecurityInterceptor all support the indicated secure object class.

Indicates whether the AbstractSecurityInterceptor should ignore the isAuthenticated() property. Defaults to false, meaning by default the Authentication.isAuthenticated() property is trusted and re-authentication will not occur if the principal has already been authenticated.

alwaysReauthenticate | true to force AbstractSecurityInterceptor to disregard the value of Authentication.isAuthenticated() and always re-authenticate the request (defaults to false). |
---|---|

Only AuthorizationFailureEvent will be published. If you set this property to true, AuthorizedEvents will also be published.

publishAuthorizationSuccess | default value is false |
---|---|

By rejecting public invocations (and setting this property to true), essentially you are ensuring that every secure object invocation advised by AbstractSecurityInterceptor has a configuration attribute defined. This is useful to ensure a "fail safe" mode where undeclared secure objects will be rejected and configuration omissions detected early. An IllegalArgumentException will be thrown by the AbstractSecurityInterceptor if you set this property to true and an attempt is made to invoke a secure object that has no configuration attributes.

rejectPublicInvocations | set to true to reject invocations of secure objects that have no configuration attributes (by default it is false which treats undeclared secure objects as "public" or unauthorized). |
---|---|

Completes the work of the AbstractSecurityInterceptor after the secure object invocation has been completed.

token | as returned by the beforeInvocation(Object) method |
---|---|
returnedObject | any object returned from the secure object invocation (may be null) |
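
The call sequence described in the class overview, as an added Java example (not Spring Security's own code): a hypothetical subclass, CallableSecurityInterceptor, treats a java.util.concurrent.Callable as the secure object and re-calls afterInvocation(InterceptorStatusToken, Object) from a finally clause, with rejectPublicInvocations turned on. It assumes obtainSecurityMetadataSource(), setAuthenticationManager() and setAccessDecisionManager(), which are Spring Security methods that this page does not list.

```java
import java.util.concurrent.Callable;
import org.springframework.security.access.AccessDecisionManager;
import org.springframework.security.access.SecurityMetadataSource;
import org.springframework.security.access.intercept.AbstractSecurityInterceptor;
import org.springframework.security.access.intercept.InterceptorStatusToken;
import org.springframework.security.authentication.AuthenticationManager;

// Hypothetical subclass (not part of Spring Security): the secure object is a Callable.
public class CallableSecurityInterceptor extends AbstractSecurityInterceptor {

    private final SecurityMetadataSource metadataSource;

    public CallableSecurityInterceptor(SecurityMetadataSource metadataSource,
            AuthenticationManager authenticationManager,
            AccessDecisionManager accessDecisionManager) {
        this.metadataSource = metadataSource;
        setAuthenticationManager(authenticationManager);
        setAccessDecisionManager(accessDecisionManager);
        // Fail safe: a Callable with no configuration attributes is rejected with
        // IllegalArgumentException instead of being treated as public.
        setRejectPublicInvocations(true);
    }

    @Override
    public Class<?> getSecureObjectClass() {
        // Collaborators wired to this interceptor must all support this type.
        return Callable.class;
    }

    @Override
    public SecurityMetadataSource obtainSecurityMetadataSource() {
        return this.metadataSource;
    }

    public Object invoke(Callable<?> task) throws Exception {
        // Authenticates if required, authorizes, applies run-as replacement.
        // A denied request throws AccessDeniedException and the task never runs.
        InterceptorStatusToken token = super.beforeInvocation(task);
        Object result = null;
        try {
            result = task.call();
        } finally {
            // Restores the Authentication if run-as replaced it and lets an
            // AfterInvocationManager, if defined, replace the returned object.
            result = super.afterInvocation(token, result);
        }
        return result;
    }
}
```

Outside a Spring container, call afterPropertiesSet() once after construction so the startup configuration check runs.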