Package org.springframework.security.acls

Class AclEntryVoter

java.lang.Object

org.springframework.security.access.vote.AbstractAclVoter

org.springframework.security.acls.AclEntryVoter

All Implemented Interfaces:

org.springframework.security.access.AccessDecisionVoter<org.aopalliance.intercept.MethodInvocation>

@Deprecated
public class AclEntryVoter
extends org.springframework.security.access.vote.AbstractAclVoter

Deprecated.

please use AclPermissionEvaluator instead. Spring Method Security annotations may also prove useful, for example @PreAuthorize("hasPermission(#id, ObjectsReturnType.class, read)")

Given a domain object instance passed as a method argument, ensures the principal has appropriate permission as indicated by the AclService.

The AclService is used to retrieve the access control list (ACL) permissions associated with a domain object instance for the current Authentication object.

The voter will vote if any ConfigAttribute.getAttribute() matches the processConfigAttribute. The provider will then locate the first method argument of type AbstractAclVoter.processDomainObjectClass. Assuming that method argument is non-null, the provider will then lookup the ACLs from the AclManager and ensure the principal is Acl.isGranted(List, List, boolean) when presenting the requirePermission array to that method.

If the method argument is null, the voter will abstain from voting. If the method argument could not be found, an AuthorizationServiceException will be thrown.

In practical terms users will typically setup a number of AclEntryVoters. Each will have a different processDomainObjectClass, processConfigAttribute and requirePermission combination. For example, a small application might employ the following instances of AclEntryVoter:

• Process domain object class BankAccount, configuration attribute VOTE_ACL_BANK_ACCONT_READ, require permission BasePermission.READ
• Process domain object class BankAccount, configuration attribute VOTE_ACL_BANK_ACCOUNT_WRITE, require permission list BasePermission.WRITE and BasePermission.CREATE (allowing the principal to have either of these two permissions)
• Process domain object class Customer, configuration attribute VOTE_ACL_CUSTOMER_READ, require permission BasePermission.READ
• Process domain object class Customer, configuration attribute VOTE_ACL_CUSTOMER_WRITE, require permission list BasePermission.WRITE and BasePermission.CREATE

Alternatively, you could have used a common superclass or interface for the AbstractAclVoter.processDomainObjectClass if both BankAccount and Customer had common parents.

If the principal does not have sufficient permissions, the voter will vote to deny access.

All comparisons and prefixes are case sensitive.

Field Summary

Fields inherited from interface org.springframework.security.access.AccessDecisionVoter

ACCESS_ABSTAIN, ACCESS_DENIED, ACCESS_GRANTED

Constructor Summary

Constructors

Constructor	Description
AclEntryVoter(AclService aclService, String processConfigAttribute, Permission[] requirePermission)	Deprecated.

Method Summary

Modifier and Type	Method	Description
protected String	getInternalMethod()	Deprecated. Optionally specifies a method of the domain object that will be used to obtain a contained domain object.
protected String	getProcessConfigAttribute()	Deprecated.
void	setInternalMethod(String internalMethod)	Deprecated.
void	setObjectIdentityRetrievalStrategy(ObjectIdentityRetrievalStrategy objectIdentityRetrievalStrategy)	Deprecated.
void	setSidRetrievalStrategy(SidRetrievalStrategy sidRetrievalStrategy)	Deprecated.
boolean	supports(org.springframework.security.access.ConfigAttribute attribute)	Deprecated.
int	vote(org.springframework.security.core.Authentication authentication, org.aopalliance.intercept.MethodInvocation object, Collection<org.springframework.security.access.ConfigAttribute> attributes)	Deprecated.

Methods inherited from class org.springframework.security.access.vote.AbstractAclVoter

getDomainObjectInstance, getProcessDomainObjectClass, setProcessDomainObjectClass, supports

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Details

AclEntryVoter

public AclEntryVoter(AclService aclService,
 String processConfigAttribute,
 Permission[] requirePermission)

Deprecated.

Method Details

getInternalMethod

protected String getInternalMethod()

Deprecated.

Optionally specifies a method of the domain object that will be used to obtain a contained domain object. That contained domain object will be used for the ACL evaluation. This is useful if a domain object contains a parent that an ACL evaluation should be targeted for, instead of the child domain object (which perhaps is being created and as such does not yet have any ACL permissions)

Returns:

null to use the domain object, or the name of a method (that requires no arguments) that should be invoked to obtain an Object which will be the domain object used for ACL evaluation

setInternalMethod

public void setInternalMethod(String internalMethod)

Deprecated.

getProcessConfigAttribute

protected String getProcessConfigAttribute()

Deprecated.

setObjectIdentityRetrievalStrategy

public void setObjectIdentityRetrievalStrategy(ObjectIdentityRetrievalStrategy objectIdentityRetrievalStrategy)

Deprecated.

setSidRetrievalStrategy

public void setSidRetrievalStrategy(SidRetrievalStrategy sidRetrievalStrategy)

Deprecated.

supports

public boolean supports(org.springframework.security.access.ConfigAttribute attribute)

Deprecated.

vote

public int vote(org.springframework.security.core.Authentication authentication,
 org.aopalliance.intercept.MethodInvocation object,
 Collection<org.springframework.security.access.ConfigAttribute> attributes)

Deprecated.