Package org.springframework.security.acls.afterinvocation

Class AclEntryAfterInvocationProvider

java.lang.Object

org.springframework.security.acls.afterinvocation.AbstractAclProvider

org.springframework.security.acls.afterinvocation.AclEntryAfterInvocationProvider

All Implemented Interfaces:

org.springframework.beans.factory.Aware, org.springframework.context.MessageSourceAware, AfterInvocationProvider

public class AclEntryAfterInvocationProvider
extends AbstractAclProvider
implements org.springframework.context.MessageSourceAware

Given a domain object instance returned from a secure object invocation, ensures the principal has appropriate permission as defined by the AclService.

The AclService is used to retrieve the access control list (ACL) permissions associated with a domain object instance for the current Authentication object.

This after invocation provider will fire if any ConfigAttribute.getAttribute() matches the AbstractAclProvider.processConfigAttribute. The provider will then lookup the ACLs from the AclService and ensure the principal is Acl.isGranted(List, List, boolean) when presenting the AbstractAclProvider.requirePermission array to that method.

Often users will set up an AclEntryAfterInvocationProvider with a AbstractAclProvider.processConfigAttribute of AFTER_ACL_READ and a AbstractAclProvider.requirePermission of BasePermission.READ. These are also the defaults.

If the principal does not have sufficient permissions, an AccessDeniedException will be thrown.

If the provided returnedObject is null, permission will always be granted and null will be returned.

All comparisons and prefixes are case sensitive.

Field Summary

Fields

Modifier and Type	Field	Description
protected static final org.apache.commons.logging.Log	logger
protected org.springframework.context.support.MessageSourceAccessor	messages

Fields inherited from class org.springframework.security.acls.afterinvocation.AbstractAclProvider

aclService, objectIdentityRetrievalStrategy, processConfigAttribute, processDomainObjectClass, requirePermission, sidRetrievalStrategy

Constructor Summary

Constructors

Constructor	Description
AclEntryAfterInvocationProvider(AclService aclService, String processConfigAttribute, List<Permission> requirePermission)
AclEntryAfterInvocationProvider(AclService aclService, List<Permission> requirePermission)

Method Summary

Modifier and Type	Method	Description
Object	decide(Authentication authentication, Object object, Collection<ConfigAttribute> config, Object returnedObject)
void	setMessageSource(org.springframework.context.MessageSource messageSource)

Methods inherited from class org.springframework.security.acls.afterinvocation.AbstractAclProvider

getProcessDomainObjectClass, hasPermission, setObjectIdentityRetrievalStrategy, setProcessConfigAttribute, setProcessDomainObjectClass, setSidRetrievalStrategy, supports, supports

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Details

logger

protected static final org.apache.commons.logging.Log logger

messages

protected org.springframework.context.support.MessageSourceAccessor messages

Constructor Details

AclEntryAfterInvocationProvider

public AclEntryAfterInvocationProvider(AclService aclService,
 List<Permission> requirePermission)

AclEntryAfterInvocationProvider

public AclEntryAfterInvocationProvider(AclService aclService,
 String processConfigAttribute,
 List<Permission> requirePermission)

Method Details

decide

public Object decide(Authentication authentication,
 Object object,
 Collection<ConfigAttribute> config,
 Object returnedObject)
              throws AccessDeniedException

Specified by:

decide in interface AfterInvocationProvider

Throws:

AccessDeniedException

setMessageSource

public void setMessageSource(org.springframework.context.MessageSource messageSource)

Specified by:

setMessageSource in interface org.springframework.context.MessageSourceAware