AccessDecisionManager is able to process
* authorization requests presented with the passed ConfigAttribute.
*
* This allows the AbstractSecurityInterceptor to check every
* configuration attribute can be consumed by the configured
* AccessDecisionManager and/or RunAsManager and/or
* AfterInvocationManager.
*
AbstractSecurityInterceptor
* @return true if this AccessDecisionManager can support the passed
* configuration attribute
*/
boolean supports(ConfigAttribute attribute);
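/**
 * Indicates whether the {@code AccessDecisionManager} implementation is able to
 * provide access control decisions for the indicated secured object type.
 * @param clazz the class that is being queried
 * @return {@code true} if the implementation can process the indicated class
 */
boolean supports(Class<?> clazz);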
}
================================================
FILE: access/src/main/java/org/springframework/security/access/AccessDecisionVoter.java
================================================
/*
* Copyright 2004, 2005, 2006 Acegi Technology Pty Limited
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* https://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.access;
import java.util.Collection;
import org.springframework.security.authorization.AuthorizationManager;
import org.springframework.security.core.Authentication;
/**
* Indicates a class is responsible for voting on authorization decisions.
*
* The coordination of voting (ie polling {@code AccessDecisionVoter}s, tallying their
* responses, and making the final authorization decision) is performed by an
* {@link org.springframework.security.access.AccessDecisionManager}.
*
* @author Ben Alex
* @deprecated Use {@link AuthorizationManager} instead
*/
@Deprecated
public interface AccessDecisionVoter {
/** Affirmative vote: this voter's decision is that access is granted. */
int ACCESS_GRANTED = 1;
/**
 * Abstention: the value a voter must return when it is not specifically intended to
 * vote on the decision, so that the coordinating manager does not count it.
 */
int ACCESS_ABSTAIN = 0;
/** Negative vote: this voter's decision is that access is denied. */
int ACCESS_DENIED = -1;
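/**
 * Indicates whether this {@code AccessDecisionVoter} is able to vote on the passed
 * {@code ConfigAttribute}.
 * <p>
 * This allows the {@code AbstractSecurityInterceptor} to check every configuration
 * attribute can be consumed by the configured {@code AccessDecisionManager} and/or
 * {@code RunAsManager} and/or {@code AfterInvocationManager}.
 * @param attribute a configuration attribute that has been configured against the
 * {@code AbstractSecurityInterceptor}
 * @return true if this {@code AccessDecisionVoter} can support the passed
 * configuration attribute
 */
boolean supports(ConfigAttribute attribute);

/**
 * Indicates whether the {@code AccessDecisionVoter} implementation is able to provide
 * access control votes for the indicated secured object type.
 * @param clazz the class that is being queried
 * @return true if the implementation can process the indicated class
 */
boolean supports(Class<?> clazz);

/**
 * Indicates whether or not access is granted.
 * <p>
 * The decision must be affirmative ({@code ACCESS_GRANTED}), negative
 * ({@code ACCESS_DENIED}) or the {@code AccessDecisionVoter} can abstain
 * ({@code ACCESS_ABSTAIN}) from voting. Under no circumstances should implementing
 * classes return any other value. If a weighting of results is desired, this should
 * be handled in a custom
 * {@link org.springframework.security.access.AccessDecisionManager} instead.
 * <p>
 * Unless an {@code AccessDecisionVoter} is specifically intended to vote on an access
 * control decision due to a passed method invocation or configuration attribute
 * parameter, it must return {@code ACCESS_ABSTAIN}. This prevents the coordinating
 * {@code AccessDecisionManager} from counting votes from those
 * {@code AccessDecisionVoter}s without a legitimate interest in the access control
 * decision.
 * <p>
 * Whilst the secured object (such as a {@code MethodInvocation}) is passed as a
 * parameter to maximise flexibility in making access control decisions, implementing
 * classes should not modify it or cause the represented invocation to take place (for
 * example, by calling {@code MethodInvocation.proceed()}).
 * @param authentication the caller making the invocation
 * @param object the secured object being invoked
 * @param attributes the configuration attributes associated with the secured object
 * @return either {@link #ACCESS_GRANTED}, {@link #ACCESS_ABSTAIN} or
 * {@link #ACCESS_DENIED}
 */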
int vote(Authentication authentication, S object, Collection
* This allows the
* When an
* {@link org.springframework.security.access.intercept.AbstractSecurityInterceptor} is
* set up, a list of configuration attributes is defined for secure object patterns. These
* configuration attributes have special meaning to a {@link RunAsManager},
* {@link AccessDecisionManager} or
* Stored at runtime with other
* If the
* This is used by the {@link AbstractSecurityInterceptor} to perform startup time
* validation of each {@code ConfigAttribute} configured against it.
* @return the {@code ConfigAttribute}s or {@code null} if unsupported
*/
CollectionAfterInvocationProvider is able to participate
* in a decision involving the passed ConfigAttribute.
* AbstractSecurityInterceptor to check every
* configuration attribute can be consumed by the configured
* AccessDecisionManager and/or RunAsManager and/or
* AccessDecisionManager.
* AbstractSecurityInterceptor
* @return true if this AfterInvocationProvider can support the passed
* configuration attribute
*/
boolean supports(ConfigAttribute attribute);
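/**
 * Indicates whether the {@code AfterInvocationProvider} is able to provide
 * "after invocation" processing for the indicated secured object type.
 * @param clazz the class of secure object that is being queried
 * @return {@code true} if the implementation can process the indicated class
 */
boolean supports(Class<?> clazz);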
}
================================================
FILE: access/src/main/java/org/springframework/security/access/ConfigAttribute.java
================================================
/*
* Copyright 2004, 2005, 2006 Acegi Technology Pty Limited
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* https://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.access;
import java.io.Serializable;
import org.jspecify.annotations.NullUnmarked;
import org.springframework.security.access.intercept.RunAsManager;
import org.springframework.security.authorization.AuthorizationManager;
import org.springframework.security.core.annotation.SecurityAnnotationScanner;
/**
 * Stores a security system related configuration attribute.
 * <p>
 * When an
 * {@link org.springframework.security.access.intercept.AbstractSecurityInterceptor} is
 * set up, a list of configuration attributes is defined for secure object patterns. These
 * configuration attributes have special meaning to a {@link RunAsManager},
 * {@link AccessDecisionManager} or {@code AccessDecisionManager} delegate.
 * <p>
 * Stored at runtime with other {@code ConfigAttribute}s for the same secure object
 * target.
 *
 * @author Ben Alex
 * @deprecated In modern Spring Security APIs, each API manages its own configuration
 * context. As such there is no direct replacement for this interface. In the case of
 * method security, please see {@link SecurityAnnotationScanner} and
 * {@link AuthorizationManager}. In the case of channel security, please see
 * {@code HttpsRedirectFilter}. In the case of web security, please see
 * {@link AuthorizationManager}.
 */
@Deprecated
@NullUnmarked
public interface ConfigAttribute extends Serializable {
/**
 * If the {@code ConfigAttribute} can be represented as a {@code String} and
 * that {@code String} is sufficient in precision to be relied upon as a
 * configuration parameter by a {@link RunAsManager}, {@link AccessDecisionManager} or
 * {@code AccessDecisionManager} delegate, this method should return such a
 * {@code String}.
 * <p>
 * If the {@code ConfigAttribute} cannot be expressed with sufficient precision
 * as a {@code String}, {@code null} should be returned. Returning
 * {@code null} will require any relying classes to specifically support the
 * {@code ConfigAttribute} implementation, so returning {@code null} should
 * be avoided unless actually required.
 * @return a representation of the configuration attribute (or {@code null} if
 * the configuration attribute cannot be expressed as a {@code String} with
 * sufficient precision).
 */
String getAttribute();
}
================================================
FILE: access/src/main/java/org/springframework/security/access/SecurityConfig.java
================================================
/*
* Copyright 2004, 2005, 2006 Acegi Technology Pty Limited
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* https://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.access;
import java.io.Serial;
import java.util.ArrayList;
import java.util.List;
import org.springframework.security.authorization.AuthorizationManager;
import org.springframework.security.core.annotation.SecurityAnnotationScanner;
import org.springframework.util.Assert;
import org.springframework.util.StringUtils;
/**
* Stores a {@link ConfigAttribute} as a String.
*
* @author Ben Alex
* @deprecated In modern Spring Security APIs, each API manages its own configuration
* context. As such there is no direct replacement for this interface. In the case of
* method security, please see {@link SecurityAnnotationScanner} and
* {@link AuthorizationManager}. In the case of channel security, please see
* {@code HttpsRedirectFilter}. In the case of web security, please see
* {@link AuthorizationManager}.
*/
@Deprecated
public class SecurityConfig implements ConfigAttribute {
@Serial
private static final long serialVersionUID = -7138084564199804304L;
private final String attrib;
/**
 * Creates a configuration attribute backed by the given string.
 * <p>
 * The value is stored exactly as supplied; no trimming or case normalisation is
 * applied here, so later comparisons are made against the verbatim text.
 * @param config the attribute text; rejected by {@code Assert.hasText} when it has no
 * text
 */
public SecurityConfig(String config) {
    final String message = "You must provide a configuration attribute";
    Assert.hasText(config, message);
    this.attrib = config;
}
/**
 * Compares this attribute with any other {@link ConfigAttribute} by attribute string.
 * <p>
 * The other object does not have to be a {@code SecurityConfig}: any
 * {@code ConfigAttribute} whose {@link ConfigAttribute#getAttribute()} equals this
 * attribute's text is treated as equal. An implementation that returns {@code null}
 * from {@code getAttribute()} never matches.
 * NOTE(review): whether the comparison is symmetric depends on the other
 * implementation's {@code equals}; confirm before mixing implementations in one set.
 * @param obj the object to compare with
 * @return {@code true} if {@code obj} is a {@code ConfigAttribute} with the same
 * attribute string
 */
@Override
public boolean equals(Object obj) {
    // The pattern only binds for a non-null ConfigAttribute, so null and foreign types yield false.
    return obj instanceof ConfigAttribute other && this.attrib.equals(other.getAttribute());
}
/**
 * Returns the attribute text exactly as it was passed to the constructor.
 * @return the stored configuration attribute string
 */
@Override
public String getAttribute() {
    final String value = this.attrib;
    return value;
}
/**
 * Hashes on the attribute string only, matching the field that {@code equals} compares.
 * @return the hash code of the stored attribute string
 */
@Override
public int hashCode() {
    final String value = this.attrib;
    return value.hashCode();
}
/**
 * Renders this attribute as its raw string, with no class name or decoration.
 * @return the stored configuration attribute string
 */
@Override
public String toString() {
    final String value = this.attrib;
    return value;
}
public static ListSecurityMetadataSource implementation
*/
Collection