org.springframework.security.config.annotation.method.configuration

Class GlobalMethodSecurityConfiguration

java.lang.Object

org.springframework.security.config.annotation.method.configuration.GlobalMethodSecurityConfiguration

All Implemented Interfaces:

org.springframework.beans.factory.Aware, org.springframework.beans.factory.BeanFactoryAware, org.springframework.beans.factory.SmartInitializingSingleton, org.springframework.context.annotation.ImportAware

@Configuration(proxyBeanMethods=false)
 @Role(value=2)
public class GlobalMethodSecurityConfiguration
extends java.lang.Object
implements org.springframework.context.annotation.ImportAware, org.springframework.beans.factory.SmartInitializingSingleton, org.springframework.beans.factory.BeanFactoryAware

Base Configuration for enabling global method security. Classes may extend this class to customize the defaults, but must be sure to specify the EnableGlobalMethodSecurity annotation on the subclass.

Since:

3.2

See Also:

EnableGlobalMethodSecurity

Constructor Summary

Constructors

Constructor and Description
GlobalMethodSecurityConfiguration()

Method Summary

Modifier and Type	Method and Description
protected org.springframework.security.access.AccessDecisionManager	accessDecisionManager() Allows subclasses to provide a custom AccessDecisionManager.
protected org.springframework.security.access.intercept.AfterInvocationManager	afterInvocationManager() Provide a custom AfterInvocationManager for the default implementation of methodSecurityInterceptor(MethodSecurityMetadataSource).
void	afterSingletonsInstantiated()
protected org.springframework.security.authentication.AuthenticationManager	authenticationManager() Allows providing a custom AuthenticationManager.
protected void	configure(AuthenticationManagerBuilder auth) Sub classes can override this method to register different types of authentication.
protected org.springframework.security.access.expression.method.MethodSecurityExpressionHandler	createExpressionHandler() Provide a MethodSecurityExpressionHandler that is registered with the ExpressionBasedPreInvocationAdvice.
protected org.springframework.security.access.method.MethodSecurityMetadataSource	customMethodSecurityMetadataSource() Provides a custom MethodSecurityMetadataSource that is registered with the methodSecurityMetadataSource().
protected org.springframework.security.access.expression.method.MethodSecurityExpressionHandler	getExpressionHandler() Gets the MethodSecurityExpressionHandler or creates it using expressionHandler.
org.aopalliance.intercept.MethodInterceptor	methodSecurityInterceptor(org.springframework.security.access.method.MethodSecurityMetadataSource methodSecurityMetadataSource) Creates the default MethodInterceptor which is a MethodSecurityInterceptor using the following methods to construct it.
org.springframework.security.access.method.MethodSecurityMetadataSource	methodSecurityMetadataSource() Provides the default MethodSecurityMetadataSource that will be used.
org.springframework.security.access.prepost.PreInvocationAuthorizationAdvice	preInvocationAuthorizationAdvice() Creates the PreInvocationAuthorizationAdvice to be used.
protected org.springframework.security.access.intercept.RunAsManager	runAsManager() Provide a custom RunAsManager for the default implementation of methodSecurityInterceptor(MethodSecurityMetadataSource).
void	setBeanFactory(org.springframework.beans.factory.BeanFactory beanFactory)
void	setImportMetadata(org.springframework.core.type.AnnotationMetadata importMetadata) Obtains the attributes from EnableGlobalMethodSecurity if this class was imported using the EnableGlobalMethodSecurity annotation.
void	setMethodSecurityExpressionHandler(java.util.List<org.springframework.security.access.expression.method.MethodSecurityExpressionHandler> handlers)
void	setObjectPostProcessor(ObjectPostProcessor<java.lang.Object> objectPostProcessor)

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

GlobalMethodSecurityConfiguration

public GlobalMethodSecurityConfiguration()

Method Detail

methodSecurityInterceptor

@Bean
public org.aopalliance.intercept.MethodInterceptor methodSecurityInterceptor(org.springframework.security.access.method.MethodSecurityMetadataSource methodSecurityMetadataSource)

Creates the default MethodInterceptor which is a MethodSecurityInterceptor using the following methods to construct it.

• accessDecisionManager()
• afterInvocationManager()
• authenticationManager()
• runAsManager()

Subclasses can override this method to provide a different MethodInterceptor.

Parameters:

methodSecurityMetadataSource - the default MethodSecurityMetadataSource.

Returns:

the MethodInterceptor.

afterSingletonsInstantiated

public void afterSingletonsInstantiated()

Specified by:

afterSingletonsInstantiated in interface org.springframework.beans.factory.SmartInitializingSingleton

afterInvocationManager

protected org.springframework.security.access.intercept.AfterInvocationManager afterInvocationManager()

Provide a custom AfterInvocationManager for the default implementation of methodSecurityInterceptor(MethodSecurityMetadataSource). The default is null if pre post is not enabled. Otherwise, it returns a AfterInvocationProviderManager.

Subclasses should override this method to provide a custom AfterInvocationManager

Returns:

the AfterInvocationManager to use

runAsManager

protected org.springframework.security.access.intercept.RunAsManager runAsManager()

Provide a custom RunAsManager for the default implementation of methodSecurityInterceptor(MethodSecurityMetadataSource). The default is null.

Returns:

the RunAsManager to use

accessDecisionManager

protected org.springframework.security.access.AccessDecisionManager accessDecisionManager()

Allows subclasses to provide a custom AccessDecisionManager. The default is a AffirmativeBased with the following voters:

• PreInvocationAuthorizationAdviceVoter
• RoleVoter
• AuthenticatedVoter

Returns:

the AccessDecisionManager to use

createExpressionHandler

protected org.springframework.security.access.expression.method.MethodSecurityExpressionHandler createExpressionHandler()

Provide a MethodSecurityExpressionHandler that is registered with the ExpressionBasedPreInvocationAdvice. The default is DefaultMethodSecurityExpressionHandler which optionally will Autowire an AuthenticationTrustResolver.

Subclasses may override this method to provide a custom MethodSecurityExpressionHandler

Returns:

the MethodSecurityExpressionHandler to use

getExpressionHandler

protected final org.springframework.security.access.expression.method.MethodSecurityExpressionHandler getExpressionHandler()

Gets the MethodSecurityExpressionHandler or creates it using expressionHandler.

Returns:

a non null MethodSecurityExpressionHandler

customMethodSecurityMetadataSource

protected org.springframework.security.access.method.MethodSecurityMetadataSource customMethodSecurityMetadataSource()

Provides a custom MethodSecurityMetadataSource that is registered with the methodSecurityMetadataSource(). Default is null.

Returns:

a custom MethodSecurityMetadataSource that is registered with the methodSecurityMetadataSource()

authenticationManager

protected org.springframework.security.authentication.AuthenticationManager authenticationManager()
                                                                                           throws java.lang.Exception

Allows providing a custom AuthenticationManager. The default is to use any authentication mechanisms registered by configure(AuthenticationManagerBuilder). If configure(AuthenticationManagerBuilder) was not overridden, then an AuthenticationManager is attempted to be autowired by type.

Returns:

the AuthenticationManager to use

Throws:

java.lang.Exception

configure

protected void configure(AuthenticationManagerBuilder auth)
                  throws java.lang.Exception

Sub classes can override this method to register different types of authentication. If not overridden, configure(AuthenticationManagerBuilder) will attempt to autowire by type.

Parameters:

auth - the AuthenticationManagerBuilder used to register different authentication mechanisms for the global method security.

Throws:

java.lang.Exception

methodSecurityMetadataSource

@Bean
public org.springframework.security.access.method.MethodSecurityMetadataSource methodSecurityMetadataSource()

Provides the default MethodSecurityMetadataSource that will be used. It creates a DelegatingMethodSecurityMetadataSource based upon customMethodSecurityMetadataSource() and the attributes on EnableGlobalMethodSecurity.

Returns:

the MethodSecurityMetadataSource

preInvocationAuthorizationAdvice

@Bean
public org.springframework.security.access.prepost.PreInvocationAuthorizationAdvice preInvocationAuthorizationAdvice()

Creates the PreInvocationAuthorizationAdvice to be used. The default is ExpressionBasedPreInvocationAdvice.

Returns:

the PreInvocationAuthorizationAdvice

setImportMetadata

public final void setImportMetadata(org.springframework.core.type.AnnotationMetadata importMetadata)

Obtains the attributes from EnableGlobalMethodSecurity if this class was imported using the EnableGlobalMethodSecurity annotation.

Specified by:

setImportMetadata in interface org.springframework.context.annotation.ImportAware

setObjectPostProcessor

@Autowired(required=false)
public void setObjectPostProcessor(ObjectPostProcessor<java.lang.Object> objectPostProcessor)

setMethodSecurityExpressionHandler

@Autowired(required=false)
public void setMethodSecurityExpressionHandler(java.util.List<org.springframework.security.access.expression.method.MethodSecurityExpressionHandler> handlers)

setBeanFactory

public void setBeanFactory(org.springframework.beans.factory.BeanFactory beanFactory)
                    throws org.springframework.beans.BeansException

Specified by:

setBeanFactory in interface org.springframework.beans.factory.BeanFactoryAware

Throws:

org.springframework.beans.BeansException