org.acegisecurity.vote.AbstractAclVoter
|
||||||||||
| PREV CLASS NEXT CLASS | FRAMES NO FRAMES | |||||||||
| SUMMARY: NESTED | FIELD | CONSTR | METHOD | DETAIL: FIELD | CONSTR | METHOD | |||||||||
java.lang.Object
public abstract class AbstractAclVoter
Given a domain object instance passed as a method argument, ensures the
principal has appropriate permission as defined by the AclManager.
The AclManager is used to retrieve the access control list
(ACL) permissions associated with a domain object instance for the current
Authentication object. This class is designed to process
AclEntrys that are subclasses of BasicAclEntry only. Generally these are
obtained by using the BasicAclProvider.
The voter will vote if any ConfigAttribute.getAttribute() matches
the #processConfigAttribute. The provider will then locate the
first method argument of type processDomainObjectClass. Assuming
that method argument is non-null, the provider will then lookup the ACLs
from the AclManager and ensure the principal is BasicAclEntry.isPermitted(int) for at least
one of the #requirePermissions.
If the method argument is null, the voter will abstain from
voting. If the method argument could not be found, an AuthorizationServiceException will be thrown.
In practical terms users will typically setup a number of
BasicAclEntryVoters. Each will have a different processDomainObjectClass, #processConfigAttribute and #requirePermission combination. For example, a small application might
employ the following instances of BasicAclEntryVoter:
BankAccount, configuration
attribute VOTE_ACL_BANK_ACCONT_READ, require permission
SimpleAclEntry.READ
BankAccount, configuration
attribute VOTE_ACL_BANK_ACCOUNT_WRITE, require permission list
SimpleAclEntry.WRITE and SimpleAclEntry.CREATE
(allowing the principal to have either of these two permissions
Customer, configuration attribute
VOTE_ACL_CUSTOMER_READ, require permission
SimpleAclEntry.READ
Customer, configuration attribute
VOTE_ACL_CUSTOMER_WRITE, require permission list
SimpleAclEntry.WRITE and SimpleAclEntry.CREATE
processDomainObjectClass if both BankAccount and
Customer had common parents.
If the principal does not have sufficient permissions, the voter will vote to deny access.
The AclManager is allowed to return any implementations of
AclEntry it wishes. However, this provider will only be able
to validate against AbstractBasicAclEntrys, and thus a vote to
deny access will be made if no AclEntry is of type
AbstractBasicAclEntry.
All comparisons and prefixes are case sensitive.
| Field Summary |
|---|
| Fields inherited from interface org.acegisecurity.vote.AccessDecisionVoter |
|---|
ACCESS_ABSTAIN, ACCESS_DENIED, ACCESS_GRANTED |
| Constructor Summary | |
|---|---|
AbstractAclVoter()
|
|
| Method Summary | |
|---|---|
protected Object |
getDomainObjectInstance(Object secureObject)
|
Class |
getProcessDomainObjectClass()
|
void |
setProcessDomainObjectClass(Class processDomainObjectClass)
|
boolean |
supports(Class clazz)
This implementation supports only MethodSecurityInterceptor, because it queries the
presented MethodInvocation. |
| Methods inherited from class java.lang.Object |
|---|
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait |
| Methods inherited from interface org.acegisecurity.vote.AccessDecisionVoter |
|---|
supports, vote |
| Constructor Detail |
|---|
public AbstractAclVoter()
| Method Detail |
|---|
public void setProcessDomainObjectClass(Class processDomainObjectClass)
public Class getProcessDomainObjectClass()
public boolean supports(Class clazz)
MethodSecurityInterceptor, because it queries the
presented MethodInvocation.
supports in interface AccessDecisionVoterclazz - the secure object
true if the secure object is
MethodInvocation, false otherwiseprotected Object getDomainObjectInstance(Object secureObject)
|
||||||||||
| PREV CLASS NEXT CLASS | FRAMES NO FRAMES | |||||||||
| SUMMARY: NESTED | FIELD | CONSTR | METHOD | DETAIL: FIELD | CONSTR | METHOD | |||||||||