RunAsManager
| org.springframework.security.access.intercept.RunAsManager |
 Known Indirect Subclasses
|
Class Overview
Creates a new temporary Authentication object for the current secure
object invocation only.
This interface permits implementations to replace the
Authentication object that applies to the current secure
object invocation only. The AbstractSecurityInterceptor will replace
the Authentication object held in the
SecurityContext
for the duration of the secure object callback only, returning it to
the original Authentication object when the callback ends.
This is provided so that systems with two layers of objects can be
established. One layer is public facing and has normal secure methods with
the granted authorities expected to be held by external callers. The other
layer is private, and is only expected to be called by objects within the
public facing layer. The objects in this private layer still need security
(otherwise they would be public methods) and they also need security in
such a manner that prevents them being called directly by external callers.
The objects in the private layer would be configured to require granted
authorities never granted to external callers. The
RunAsManager interface provides a mechanism to elevate
security in this manner.
It is expected implementations will provide a corresponding concrete
Authentication and AuthenticationProvider so that
the replacement Authentication object can be authenticated.
Some form of security will need to be implemented to ensure the
AuthenticationProvider only accepts
Authentication objects created by an authorized concrete
implementation of RunAsManager.
Summary
| Public Methods | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
Returns a replacement
Authentication object for the current secure object invocation, or
null if replacement not required. | |||||||||||
Indicates whether the
RunAsManager implementation is able to provide run-as replacement for
the indicated secure object type. | |||||||||||
Indicates whether this
RunAsManager is able to process the passed
ConfigAttribute. | |||||||||||
Public Methods
public abstract Authentication buildRunAs (Authentication authentication, Object object, Collection<ConfigAttribute> attributes)
Returns a replacement Authentication object for the current secure object invocation, or
null if replacement not required.
Parameters
| authentication | the caller invoking the secure object |
|---|---|
| object | the secured object being called |
| attributes | the configuration attributes associated with the secure object being invoked |
Returns
- a replacement object to be used for duration of the secure object invocation, or
nullif theAuthenticationshould be left as is
public abstract boolean supports (Class<?> clazz)
Indicates whether the RunAsManager implementation is able to provide run-as replacement for
the indicated secure object type.
Parameters
| clazz | the class that is being queried |
|---|
Returns
- true if the implementation can process the indicated class
public abstract boolean supports (ConfigAttribute attribute)
Indicates whether this RunAsManager is able to process the passed
ConfigAttribute.
This allows the AbstractSecurityInterceptor to check every
configuration attribute can be consumed by the configured AccessDecisionManager and/or
RunAsManager and/or AfterInvocationManager.
Parameters
| attribute | a configuration attribute that has been configured against the
AbstractSecurityInterceptor |
|---|
Returns
trueif thisRunAsManagercan support the passed configuration attribute