org.acegisecurity.intercept
Class AbstractSecurityInterceptor

java.lang.Object
  extended by org.acegisecurity.intercept.AbstractSecurityInterceptor
All Implemented Interfaces:
org.springframework.context.ApplicationEventPublisherAware, org.springframework.beans.factory.InitializingBean, org.springframework.context.MessageSourceAware

public abstract class AbstractSecurityInterceptor
extends java.lang.Object
implements org.springframework.beans.factory.InitializingBean, org.springframework.context.ApplicationEventPublisherAware, org.springframework.context.MessageSourceAware

Abstract class that implements security interception for secure objects.

The AbstractSecurityInterceptor will ensure the proper startup configuration of the security interceptor. It also implements the proper handling of secure object invocations, as follows:

  1. Obtain the org.acegisecurity.Authentication object from the SecurityContextHolder.
  2. Determine if the request relates to a secured or public invocation by looking up the secure object request against the ObjectDefinitionSource.
  3. For an invocation that is secured (there is a ConfigAttributeDefinition for the secure object invocation):
    1. If either Authentication.isAuthenticated() returns false, or alwaysReauthenticate is true, authenticate the request against the configured org.acegisecurity.AuthenticationManager. When authenticated, replace the Authentication object on the SecurityContextHolder with the returned value.
    2. Authorize the request against the configured org.acegisecurity.AccessDecisionManager.
    3. Perform any run-as replacement via the configured org.acegisecurity.RunAsManager.
    4. Pass control back to the concrete subclass, which will actually proceed with executing the object. An InterceptorStatusToken is returned so that after the subclass has finished proceeding with execution of the object, its finally clause can ensure the AbstractSecurityInterceptor is re-called and tidies up correctly.
    5. The concrete subclass will re-call the AbstractSecurityInterceptor via the afterInvocation(InterceptorStatusToken, Object) method.
    6. If the RunAsManager replaced the Authentication object, return the SecurityContextHolder to the object that existed after the call to AuthenticationManager.
    7. If an AfterInvocationManager is defined, invoke the invocation manager and allow it to replace the object due to be returned to the caller.
  4. For an invocation that is public (there is no ConfigAttributeDefinition for the secure object invocation):
    1. As described above, the concrete subclass will be returned an InterceptorStatusToken which is subsequently re-presented to the AbstractSecurityInterceptor after the secure object has been executed. The AbstractSecurityInterceptor will take no further action when its afterInvocation(InterceptorStatusToken, Object) is called.
  5. Control again returns to the concrete subclass, along with the Object that should be returned to the caller. The subclass will then return that result or exception to the original caller.
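
The flow above from the subclass's side, as an added example that is not part of the Acegi Security source: a concrete interceptor that wraps the secure object call in beforeInvocation and a finally-guarded afterInvocation. Command, CommandSecurityInterceptor, execute and setObjectDefinitionSource are hypothetical names; only the AbstractSecurityInterceptor methods listed on this page are assumed.

```java
import org.acegisecurity.intercept.AbstractSecurityInterceptor;
import org.acegisecurity.intercept.InterceptorStatusToken;
import org.acegisecurity.intercept.ObjectDefinitionSource;

/**
 * Added example: a concrete interceptor for a hypothetical secure object
 * type, Command. Command and CommandSecurityInterceptor are invented names.
 */
public class CommandSecurityInterceptor extends AbstractSecurityInterceptor {

    /** Hypothetical secure object: a unit of work that needs authorization. */
    public interface Command {
        Object run() throws Exception;
    }

    private ObjectDefinitionSource objectDefinitionSource;

    public void setObjectDefinitionSource(ObjectDefinitionSource source) {
        this.objectDefinitionSource = source;
    }

    // Collaborators wired to the interceptor must support this class.
    public Class getSecureObjectClass() {
        return Command.class;
    }

    // Used by the parent in step 2 to decide secured vs. public.
    public ObjectDefinitionSource obtainObjectDefinitionSource() {
        return objectDefinitionSource;
    }

    public Object execute(Command command) throws Exception {
        // Steps 1 to 3.3: lookup, (re)authentication, authorization, run-as.
        // Throws before the command runs if any of those checks fail.
        InterceptorStatusToken token = beforeInvocation(command);
        Object result = null;
        try {
            result = command.run(); // step 3.4: the subclass proceeds
        } finally {
            // Steps 3.5 to 3.7: always re-call the parent, even when run()
            // threw, so a run-as Authentication never stays on the
            // SecurityContextHolder for later work on this thread.
            result = afterInvocation(token, result);
        }
        return result; // step 5
    }
}
```

Calling afterInvocation outside a finally clause would leave the run-as Authentication in place whenever the secure object throws, which is the tidy-up failure the InterceptorStatusToken handshake exists to prevent.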


Field Summary
private  org.acegisecurity.AccessDecisionManager accessDecisionManager
           
private  org.acegisecurity.AfterInvocationManager afterInvocationManager
           
private  boolean alwaysReauthenticate
           
private  org.acegisecurity.AuthenticationManager authenticationManager
           
private  org.springframework.context.ApplicationEventPublisher eventPublisher
           
protected static org.apache.commons.logging.Log logger
           
protected  org.springframework.context.support.MessageSourceAccessor messages
           
private  boolean rejectPublicInvocations
           
private  org.acegisecurity.RunAsManager runAsManager
           
private  boolean validateConfigAttributes
           
 
Constructor Summary
AbstractSecurityInterceptor()
           
 
Method Summary
protected  java.lang.Object afterInvocation(InterceptorStatusToken token, java.lang.Object returnedObject)
          Completes the work of the AbstractSecurityInterceptor after the secure object invocation has been completed.
 void afterPropertiesSet()
          Invoked by a BeanFactory after it has set all bean properties supplied (and satisfied BeanFactoryAware and ApplicationContextAware).
protected  InterceptorStatusToken beforeInvocation(java.lang.Object object)
           
private  void credentialsNotFound(java.lang.String reason, java.lang.Object secureObject, ConfigAttributeDefinition configAttribs)
          Helper method which generates an exception containing the passed reason, and publishes an event to the application context.
 org.acegisecurity.AccessDecisionManager getAccessDecisionManager()
           
 org.acegisecurity.AfterInvocationManager getAfterInvocationManager()
           
 org.acegisecurity.AuthenticationManager getAuthenticationManager()
           
 org.acegisecurity.RunAsManager getRunAsManager()
           
abstract  java.lang.Class getSecureObjectClass()
          Indicates the type of secure objects the subclass will be presenting to the abstract parent for processing.
 boolean isAlwaysReauthenticate()
           
 boolean isRejectPublicInvocations()
           
 boolean isValidateConfigAttributes()
           
abstract  ObjectDefinitionSource obtainObjectDefinitionSource()
           
 void setAccessDecisionManager(org.acegisecurity.AccessDecisionManager accessDecisionManager)
           
 void setAfterInvocationManager(org.acegisecurity.AfterInvocationManager afterInvocationManager)
           
 void setAlwaysReauthenticate(boolean alwaysReauthenticate)
          Indicates whether the AbstractSecurityInterceptor should ignore the Authentication.isAuthenticated() property.
 void setApplicationEventPublisher(org.springframework.context.ApplicationEventPublisher eventPublisher)
          Set the ApplicationEventPublisher that this object runs in.
 void setAuthenticationManager(org.acegisecurity.AuthenticationManager newManager)
           
 void setMessageSource(org.springframework.context.MessageSource messageSource)
          Set the MessageSource that this object runs in.
 void setRejectPublicInvocations(boolean rejectPublicInvocations)
          By rejecting public invocations (and setting this property to true), essentially you are ensuring that every secure object invocation advised by AbstractSecurityInterceptor has a configuration attribute defined.
 void setRunAsManager(org.acegisecurity.RunAsManager runAsManager)
           
 void setValidateConfigAttributes(boolean validateConfigAttributes)
           
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Field Detail

logger

protected static final org.apache.commons.logging.Log logger

accessDecisionManager

private org.acegisecurity.AccessDecisionManager accessDecisionManager

afterInvocationManager

private org.acegisecurity.AfterInvocationManager afterInvocationManager

eventPublisher

private org.springframework.context.ApplicationEventPublisher eventPublisher

authenticationManager

private org.acegisecurity.AuthenticationManager authenticationManager

messages

protected org.springframework.context.support.MessageSourceAccessor messages

runAsManager

private org.acegisecurity.RunAsManager runAsManager

alwaysReauthenticate

private boolean alwaysReauthenticate

rejectPublicInvocations

private boolean rejectPublicInvocations

validateConfigAttributes

private boolean validateConfigAttributes
Constructor Detail

AbstractSecurityInterceptor

public AbstractSecurityInterceptor()
Method Detail

afterInvocation

protected java.lang.Object afterInvocation(InterceptorStatusToken token,
                                           java.lang.Object returnedObject)
Completes the work of the AbstractSecurityInterceptor after the secure object invocation has been completed.


afterPropertiesSet

public void afterPropertiesSet()
                        throws java.lang.Exception
Description copied from interface: org.springframework.beans.factory.InitializingBean
Invoked by a BeanFactory after it has set all bean properties supplied (and satisfied BeanFactoryAware and ApplicationContextAware).

This method allows the bean instance to perform initialization only possible when all bean properties have been set and to throw an exception in the event of misconfiguration.

Specified by:
afterPropertiesSet in interface org.springframework.beans.factory.InitializingBean

beforeInvocation

protected InterceptorStatusToken beforeInvocation(java.lang.Object object)

credentialsNotFound

private void credentialsNotFound(java.lang.String reason,
                                 java.lang.Object secureObject,
                                 ConfigAttributeDefinition configAttribs)
Helper method which generates an exception containing the passed reason, and publishes an event to the application context.

Always throws an exception.


getAccessDecisionManager

public org.acegisecurity.AccessDecisionManager getAccessDecisionManager()

getAfterInvocationManager

public org.acegisecurity.AfterInvocationManager getAfterInvocationManager()

getAuthenticationManager

public org.acegisecurity.AuthenticationManager getAuthenticationManager()

getRunAsManager

public org.acegisecurity.RunAsManager getRunAsManager()

getSecureObjectClass

public abstract java.lang.Class getSecureObjectClass()
Indicates the type of secure objects the subclass will be presenting to the abstract parent for processing. This is used to ensure collaborators wired to the AbstractSecurityInterceptor all support the indicated secure object class.


isAlwaysReauthenticate

public boolean isAlwaysReauthenticate()

isRejectPublicInvocations

public boolean isRejectPublicInvocations()

isValidateConfigAttributes

public boolean isValidateConfigAttributes()

obtainObjectDefinitionSource

public abstract ObjectDefinitionSource obtainObjectDefinitionSource()

setAccessDecisionManager

public void setAccessDecisionManager(org.acegisecurity.AccessDecisionManager accessDecisionManager)

setAfterInvocationManager

public void setAfterInvocationManager(org.acegisecurity.AfterInvocationManager afterInvocationManager)

setAlwaysReauthenticate

public void setAlwaysReauthenticate(boolean alwaysReauthenticate)
Indicates whether the AbstractSecurityInterceptor should ignore the Authentication.isAuthenticated() property. Defaults to false, meaning by default the Authentication.isAuthenticated() property is trusted and re-authentication will not occur if the principal has already been authenticated.


setApplicationEventPublisher

public void setApplicationEventPublisher(org.springframework.context.ApplicationEventPublisher eventPublisher)
Description copied from interface: org.springframework.context.ApplicationEventPublisherAware
Set the ApplicationEventPublisher that this object runs in.

Invoked after population of normal bean properties but before an init callback like InitializingBean's afterPropertiesSet or a custom init-method. Invoked before ApplicationContextAware's setApplicationContext.

Specified by:
setApplicationEventPublisher in interface org.springframework.context.ApplicationEventPublisherAware

setAuthenticationManager

public void setAuthenticationManager(org.acegisecurity.AuthenticationManager newManager)

setMessageSource

public void setMessageSource(org.springframework.context.MessageSource messageSource)
Description copied from interface: org.springframework.context.MessageSourceAware
Set the MessageSource that this object runs in.

Invoked after population of normal bean properties but before an init callback like InitializingBean's afterPropertiesSet or a custom init-method. Invoked before ApplicationContextAware's setApplicationContext.

Specified by:
setMessageSource in interface org.springframework.context.MessageSourceAware

setRejectPublicInvocations

public void setRejectPublicInvocations(boolean rejectPublicInvocations)
By rejecting public invocations (and setting this property to true), essentially you are ensuring that every secure object invocation advised by AbstractSecurityInterceptor has a configuration attribute defined. This is useful to ensure a "fail safe" mode where undeclared secure objects will be rejected and configuration omissions detected early. An IllegalArgumentException will be thrown by the AbstractSecurityInterceptor if you set this property to true and an attempt is made to invoke a secure object that has no configuration attributes.


setRunAsManager

public void setRunAsManager(org.acegisecurity.RunAsManager runAsManager)

setValidateConfigAttributes

public void setValidateConfigAttributes(boolean validateConfigAttributes)