AclEntryAfterInvocationProvider

Class Overview

Given a domain object instance returned from a secure object invocation, ensures the principal has appropriate permission as defined by the AclService.

The AclService is used to retrieve the access control list (ACL) permissions associated with a domain object instance for the current Authentication object.

This after invocation provider will fire if any getAttribute() matches the processConfigAttribute. The provider will then lookup the ACLs from the AclService and ensure the principal is Acl.isGranted(List, List, boolean) when presenting the requirePermission array to that method.

Often users will set up an AclEntryAfterInvocationProvider with a processConfigAttribute of AFTER_ACL_READ and a requirePermission of BasePermission.READ. These are also the defaults.

If the principal does not have sufficient permissions, an AccessDeniedException will be thrown.

If the provided returnedObject is null, permission will always be granted and null will be returned.

All comparisons and prefixes are case sensitive.

Summary

[Expand] Inherited Fields
From class org.springframework.security.acls.afterinvocation.AbstractAclProvider protected final AclService aclService protected ObjectIdentityRetrievalStrategy objectIdentityRetrievalStrategy protected String processConfigAttribute protected Class<?> processDomainObjectClass protected final List<Permission> requirePermission protected SidRetrievalStrategy sidRetrievalStrategy

[Expand] Inherited Methods
From class org.springframework.security.acls.afterinvocation.AbstractAclProvider Class<?> getProcessDomainObjectClass() boolean hasPermission(Authentication authentication, Object domainObject) void setObjectIdentityRetrievalStrategy(ObjectIdentityRetrievalStrategy objectIdentityRetrievalStrategy) void setProcessConfigAttribute(String processConfigAttribute) void setProcessDomainObjectClass(Class<?> processDomainObjectClass) void setSidRetrievalStrategy(SidRetrievalStrategy sidRetrievalStrategy) boolean supports(Class<?> clazz) This implementation supports any type of class, because it does not query the presented secure object. boolean supports(ConfigAttribute attribute) Indicates whether this AfterInvocationProvider is able to participate in a decision involving the passed ConfigAttribute.
From class java.lang.Object Object clone() boolean equals(Object arg0) void finalize() final Class<?> getClass() int hashCode() final void notify() final void notifyAll() String toString() final void wait() final void wait(long arg0, int arg1) final void wait(long arg0)
From interface org.springframework.context.MessageSourceAware abstract void setMessageSource(MessageSource arg0)
From interface org.springframework.security.access.AfterInvocationProvider abstract Object decide(Authentication authentication, Object object, Collection<ConfigAttribute> attributes, Object returnedObject) abstract boolean supports(Class<?> clazz) Indicates whether the AfterInvocationProvider is able to provide "after invocation" processing for the indicated secured object type. abstract boolean supports(ConfigAttribute attribute) Indicates whether this AfterInvocationProvider is able to participate in a decision involving the passed ConfigAttribute.