1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16 package org.acegisecurity.vote;
17
18 import org.acegisecurity.Authentication;
19 import org.acegisecurity.ConfigAttribute;
20 import org.acegisecurity.ConfigAttributeDefinition;
21
22
23 /***
24 * Indicates a class is responsible for voting on authorization decisions.
25 *
26 * <p>
27 * The coordination of voting (ie polling <code>AccessDecisionVoter</code>s,
28 * tallying their responses, and making the final authorization decision) is
29 * performed by an {@link org.acegisecurity.AccessDecisionManager}.
30 * </p>
31 *
32 * @author Ben Alex
33 * @version $Id: AccessDecisionVoter.java,v 1.5 2005/11/17 00:55:47 benalex Exp $
34 */
35 public interface AccessDecisionVoter {
36
37
38 public static final int ACCESS_GRANTED = 1;
39 public static final int ACCESS_ABSTAIN = 0;
40 public static final int ACCESS_DENIED = -1;
41
42
43
44 /***
45 * Indicates whether this <code>AccessDecisionVoter</code> is able to vote
46 * on the passed <code>ConfigAttribute</code>.
47 *
48 * <p>
49 * This allows the <code>AbstractSecurityInterceptor</code> to check every
50 * configuration attribute can be consumed by the configured
51 * <code>AccessDecisionManager</code> and/or <code>RunAsManager</code>
52 * and/or <code>AccessDecisionManager</code>.
53 * </p>
54 *
55 * @param attribute a configuration attribute that has been configured
56 * against the <code>AbstractSecurityInterceptor</code>
57 *
58 * @return true if this <code>AccessDecisionVoter</code> can support the
59 * passed configuration attribute
60 */
61 public boolean supports(ConfigAttribute attribute);
62
63 /***
64 * Indicates whether the <code>AccessDecisionVoter</code> implementation is
65 * able to provide access control votes for the indicated secured object
66 * type.
67 *
68 * @param clazz the class that is being queried
69 *
70 * @return true if the implementation can process the indicated class
71 */
72 public boolean supports(Class clazz);
73
74 /***
75 * Indicates whether or not access is granted.
76 *
77 * <p>
78 * The decision must be affirmative (<code>ACCESS_GRANTED</code>), negative
79 * (<code>ACCESS_DENIED</code>) or the <code>AccessDecisionVoter</code>
80 * can abstain (<code>ACCESS_ABSTAIN</code>) from voting. Under no
81 * circumstances should implementing classes return any other value. If a
82 * weighting of results is desired, this should be handled in a custom
83 * {@link org.acegisecurity.AccessDecisionManager} instead.
84 * </p>
85 *
86 * <P>
87 * Unless an <code>AccessDecisionVoter</code> is specifically intended to
88 * vote on an access control decision due to a passed method invocation or
89 * configuration attribute parameter, it must return
90 * <code>ACCESS_ABSTAIN</code>. This prevents the coordinating
91 * <code>AccessDecisionManager</code> from counting votes from those
92 * <code>AccessDecisionVoter</code>s without a legitimate interest in the
93 * access control decision.
94 * </p>
95 *
96 * <p>
97 * Whilst the method invocation is passed as a parameter to maximise
98 * flexibility in making access control decisions, implementing classes
99 * must never modify the behaviour of the method invocation (such as
100 * calling <Code>MethodInvocation.proceed()</code>).
101 * </p>
102 *
103 * @param authentication the caller invoking the method
104 * @param object the secured object
105 * @param config the configuration attributes associated with the method
106 * being invoked
107 *
108 * @return either {@link #ACCESS_GRANTED}, {@link #ACCESS_ABSTAIN} or
109 * {@link #ACCESS_DENIED}
110 */
111 public int vote(Authentication authentication, Object object,
112 ConfigAttributeDefinition config);
113 }