| java.lang.Object | ||
| ↳ | org.springframework.security.access.vote.AbstractAclVoter | |
| ↳ | org.springframework.security.acls.AclEntryVoter | |
Class Overview
Given a domain object instance passed as a method argument, ensures the principal has appropriate permission
as indicated by the AclService.
The AclService is used to retrieve the access control list (ACL) permissions associated with a domain object instance for the current Authentication object.
The voter will vote if any getAttribute() matches the #processConfigAttribute.
The provider will then locate the first method argument of type #processDomainObjectClass. Assuming that
method argument is non-null, the provider will then lookup the ACLs from the AclManager and ensure the
principal is isGranted(List, List, boolean) when presenting the #requirePermission array to that
method.
If the method argument is null, the voter will abstain from voting. If the method argument
could not be found, an AuthorizationServiceException will be thrown.
In practical terms users will typically setup a number of AclEntryVoters. Each will have a
different processDomainObjectClass, #processConfigAttribute and
#requirePermission combination. For example, a small application might employ the following instances of
AclEntryVoter:
- Process domain object class
BankAccount, configuration attributeVOTE_ACL_BANK_ACCONT_READ, require permissionBasePermission.READ - Process domain object class
BankAccount, configuration attributeVOTE_ACL_BANK_ACCOUNT_WRITE, require permission listBasePermission.WRITEandBasePermission.CREATE(allowing the principal to have either of these two permissions) - Process domain object class
Customer, configuration attributeVOTE_ACL_CUSTOMER_READ, require permissionBasePermission.READ - Process domain object class
Customer, configuration attributeVOTE_ACL_CUSTOMER_WRITE, require permission listBasePermission.WRITEandBasePermission.CREATE
BankAccount and Customer had common parents.
If the principal does not have sufficient permissions, the voter will vote to deny access.
All comparisons and prefixes are case sensitive.
Summary
|
[Expand]
Inherited Constants | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
 From interface
org.springframework.security.access.AccessDecisionVoter
| |||||||||||
| Public Constructors | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
| Public Methods | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
| Protected Methods | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
Optionally specifies a method of the domain object that will be used to obtain a contained domain
object.
| |||||||||||
|
[Expand]
Inherited Methods | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
From class
org.springframework.security.access.vote.AbstractAclVoter
| |||||||||||
|
From class
java.lang.Object
| |||||||||||
|
From interface
org.springframework.security.access.AccessDecisionVoter
| |||||||||||
Public Constructors
public AclEntryVoter (AclService aclService, String processConfigAttribute, Permission[] requirePermission)
Public Methods
public void setObjectIdentityRetrievalStrategy (ObjectIdentityRetrievalStrategy objectIdentityRetrievalStrategy)
public int vote (Authentication authentication, MethodInvocation object, Collection<ConfigAttribute> attributes)
Protected Methods
protected String getInternalMethod ()
Optionally specifies a method of the domain object that will be used to obtain a contained domain object. That contained domain object will be used for the ACL evaluation. This is useful if a domain object contains a parent that an ACL evaluation should be targeted for, instead of the child domain object (which perhaps is being created and as such does not yet have any ACL permissions)
Returns
nullto use the domain object, or the name of a method (that requires no arguments) that should be invoked to obtain anObjectwhich will be the domain object used for ACL evaluation