Class AuthorizationManagerWebInvocationPrivilegeEvaluator

java.lang.Object
org.springframework.security.web.access.AuthorizationManagerWebInvocationPrivilegeEvaluator
All Implemented Interfaces:
org.springframework.beans.factory.Aware, WebInvocationPrivilegeEvaluator, org.springframework.web.context.ServletContextAware

public final class AuthorizationManagerWebInvocationPrivilegeEvaluator extends Object implements WebInvocationPrivilegeEvaluator, org.springframework.web.context.ServletContextAware
An implementation of WebInvocationPrivilegeEvaluator which delegates the checks to an instance of AuthorizationManager
Since:
5.5.5
  • Constructor Details

    • AuthorizationManagerWebInvocationPrivilegeEvaluator

      public AuthorizationManagerWebInvocationPrivilegeEvaluator(AuthorizationManager<jakarta.servlet.http.HttpServletRequest> authorizationManager)
  • Method Details

    • isAllowed

      public boolean isAllowed(String uri, Authentication authentication)
      Description copied from interface: WebInvocationPrivilegeEvaluator
      Determines whether the user represented by the supplied Authentication object is allowed to invoke the supplied URI.
      Specified by:
      isAllowed in interface WebInvocationPrivilegeEvaluator
      Parameters:
      uri - the URI excluding the context path (a default context path setting will be used)
    • isAllowed

      public boolean isAllowed(String contextPath, String uri, String method, Authentication authentication)
      Description copied from interface: WebInvocationPrivilegeEvaluator
      Determines whether the user represented by the supplied Authentication object is allowed to invoke the supplied URI, with the given .

      Note the default implementation of FilterInvocationSecurityMetadataSource disregards the contextPath when evaluating which secure object metadata applies to a given request URI, so generally the contextPath is unimportant unless you are using a custom FilterInvocationSecurityMetadataSource.

      Specified by:
      isAllowed in interface WebInvocationPrivilegeEvaluator
      Parameters:
      contextPath - the context path (may be null).
      uri - the URI excluding the context path
      method - the HTTP method (or null, for any method)
      authentication - the Authentication instance whose authorities should be used in evaluation whether access should be granted.
      Returns:
      true if access is allowed, false if denied
    • setServletContext

      public void setServletContext(jakarta.servlet.ServletContext servletContext)
      Specified by:
      setServletContext in interface org.springframework.web.context.ServletContextAware