Class DefaultMethodSecurityExpressionHandler

java.lang.Object
org.springframework.security.access.expression.AbstractSecurityExpressionHandler<org.aopalliance.intercept.MethodInvocation>
org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler
All Implemented Interfaces:
org.springframework.aop.framework.AopInfrastructureBean, org.springframework.beans.factory.Aware, org.springframework.context.ApplicationContextAware, MethodSecurityExpressionHandler, SecurityExpressionHandler<org.aopalliance.intercept.MethodInvocation>

public class DefaultMethodSecurityExpressionHandler extends AbstractSecurityExpressionHandler<org.aopalliance.intercept.MethodInvocation> implements MethodSecurityExpressionHandler
The standard implementation of MethodSecurityExpressionHandler.

A single instance should usually be shared amongst the beans that require expression support.

Since:
3.0
  • Field Details

    • logger

      protected final org.apache.commons.logging.Log logger
  • Constructor Details

    • DefaultMethodSecurityExpressionHandler

      public DefaultMethodSecurityExpressionHandler()
  • Method Details

    • createEvaluationContextInternal

      public org.springframework.expression.spel.support.StandardEvaluationContext createEvaluationContextInternal(Authentication auth, org.aopalliance.intercept.MethodInvocation mi)
      Uses a MethodSecurityEvaluationContext as the EvaluationContext implementation.
      Overrides:
      createEvaluationContextInternal in class AbstractSecurityExpressionHandler<org.aopalliance.intercept.MethodInvocation>
      Parameters:
      auth - the current authentication object
      mi - the invocation (filter, method, channel)
      Returns:
      A StandardEvaluationContext or potentially a custom subclass if overridden.
    • createEvaluationContext

      public org.springframework.expression.EvaluationContext createEvaluationContext(Supplier<Authentication> authentication, org.aopalliance.intercept.MethodInvocation mi)
      Description copied from interface: SecurityExpressionHandler
      Provides an evaluation context in which to evaluate security expressions for the invocation type. You can override this method in order to provide a custom implementation that uses lazy initialization of the Authentication object. By default, this method uses eager initialization of the Authentication object.
      Specified by:
      createEvaluationContext in interface SecurityExpressionHandler<org.aopalliance.intercept.MethodInvocation>
      Parameters:
      authentication - the Supplier of the Authentication to use
      mi - the MethodInvocation for which the context is created
      Returns:
      the EvaluationContext to use
    • createSecurityExpressionRoot

      protected MethodSecurityExpressionOperations createSecurityExpressionRoot(Authentication authentication, org.aopalliance.intercept.MethodInvocation invocation)
      Creates the root object for expression evaluation.
      Specified by:
      createSecurityExpressionRoot in class AbstractSecurityExpressionHandler<org.aopalliance.intercept.MethodInvocation>
      Parameters:
      authentication - the current authentication object
      invocation - the invocation (filter, method, channel)
      Returns:
      the root object for expression evaluation
    • filter

      public Object filter(Object filterTarget, org.springframework.expression.Expression filterExpression, org.springframework.expression.EvaluationContext ctx)
      Filters the filterTarget object (which must be either a collection, array, map or stream), by evaluating the supplied expression.

      If a Collection or Map is used, the original instance will be modified to contain the elements for which the permission expression evaluates to true. For an array, a new array instance will be returned.

      Specified by:
      filter in interface MethodSecurityExpressionHandler
      Parameters:
      filterTarget - the array or collection to be filtered.
      filterExpression - the expression which should be used as the filter condition. If it returns false on evaluation, the object will be removed from the returned collection
      ctx - the current evaluation context (as created through a call to SecurityExpressionHandler.createEvaluationContext(org.springframework.security.core.Authentication, Object))
      Returns:
      the filtered collection or array
    • setTrustResolver

      public void setTrustResolver(AuthenticationTrustResolver trustResolver)
      Parameters:
      trustResolver - the AuthenticationTrustResolver to use. Cannot be null.
    • getTrustResolver

      protected AuthenticationTrustResolver getTrustResolver()
      Returns:
      The current AuthenticationTrustResolver
    • setParameterNameDiscoverer

      public void setParameterNameDiscoverer(org.springframework.core.ParameterNameDiscoverer parameterNameDiscoverer)
      Sets the ParameterNameDiscoverer to use. The default is DefaultSecurityParameterNameDiscoverer.
      Parameters:
      parameterNameDiscoverer - the ParameterNameDiscoverer to use
    • getParameterNameDiscoverer

      protected org.springframework.core.ParameterNameDiscoverer getParameterNameDiscoverer()
      Returns:
      The current ParameterNameDiscoverer
    • setPermissionCacheOptimizer

      public void setPermissionCacheOptimizer(PermissionCacheOptimizer permissionCacheOptimizer)
    • setReturnObject

      public void setReturnObject(Object returnObject, org.springframework.expression.EvaluationContext ctx)
      Description copied from interface: MethodSecurityExpressionHandler
      Used to inform the expression system of the return object for the given evaluation context. Only applies to method invocations.
      Specified by:
      setReturnObject in interface MethodSecurityExpressionHandler
      Parameters:
      returnObject - the return object value
      ctx - the context within which the object should be set (as created through a call to SecurityExpressionHandler.createEvaluationContext(org.springframework.security.core.Authentication, Object))
    • setDefaultRolePrefix

      public void setDefaultRolePrefix(String defaultRolePrefix)

      Sets the default prefix to be added to SecurityExpressionRoot.hasAnyRole(String...) or SecurityExpressionRoot.hasRole(String). For example, if hasRole("ADMIN") or hasRole("ROLE_ADMIN") is passed in, then the role ROLE_ADMIN will be used when the defaultRolePrefix is "ROLE_" (default).

      If null or empty, then no default role prefix is used.

      Parameters:
      defaultRolePrefix - the default prefix to add to roles. Default "ROLE_".
    • getDefaultRolePrefix

      protected String getDefaultRolePrefix()
      Returns:
      The default role prefix
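The following is an added example, not part of the Spring Security sources, showing how filter and setDefaultRolePrefix described above behave together: a Collection is filtered in place while an array yields a new instance, and clearing the role prefix changes what hasRole('ADMIN') matches. The ReportService class, the report names and the principal "alice" are constructed for the example; the MethodInvocation is built with SimpleMethodInvocation from spring-security-core because filter needs an evaluation context created for a method call.

```java
import java.lang.reflect.Method;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

import org.aopalliance.intercept.MethodInvocation;
import org.springframework.expression.EvaluationContext;
import org.springframework.expression.Expression;
import org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.util.SimpleMethodInvocation;

public class FilterDemo {

    // Constructed service: only used to obtain a MethodInvocation for the evaluation context.
    static class ReportService {
        public List<String> findAll() { return null; }
    }

    static MethodInvocation invocation() throws Exception {
        Method m = ReportService.class.getMethod("findAll");
        return new SimpleMethodInvocation(new ReportService(), m);
    }

    public static void main(String[] args) throws Exception {
        DefaultMethodSecurityExpressionHandler handler = new DefaultMethodSecurityExpressionHandler();
        // Constructed principal whose granted authority is the prefixed form "ROLE_ADMIN".
        Authentication admin = new TestingAuthenticationToken("alice", "n/a", "ROLE_ADMIN");

        // With the default prefix "ROLE_", hasRole('ADMIN') resolves to the authority ROLE_ADMIN.
        EvaluationContext ctx = handler.createEvaluationContext(admin, invocation());
        Expression expr = handler.getExpressionParser()
                .parseExpression("hasRole('ADMIN') and !filterObject.startsWith('draft-')");

        // A Collection is modified in place: the returned object is the same List instance.
        List<String> reports = new ArrayList<>(Arrays.asList("q1", "draft-q2", "q3"));
        Object filtered = handler.filter(reports, expr, ctx);
        System.out.println("same instance: " + (filtered == reports) + ", contents: " + reports);

        // An array is never modified: a new array of the same component type is returned.
        String[] asArray = {"q1", "draft-q2", "q3"};
        String[] newArray = (String[]) handler.filter(asArray, expr, ctx);
        System.out.println("new instance: " + (newArray != asArray) + ", contents: " + Arrays.toString(newArray));

        // Clearing the prefix makes hasRole('ADMIN') look for a literal "ADMIN" authority.
        // The prefix is copied into the root object when the context is created, so a new context is needed.
        handler.setDefaultRolePrefix(null);
        EvaluationContext noPrefixCtx = handler.createEvaluationContext(admin, invocation());
        System.out.println("without prefix: " + handler.filter(new ArrayList<>(reports), expr, noPrefixCtx));
    }
}
```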