@Configuration public class GlobalMethodSecurityConfiguration extends Object implements ImportAware
Configuration
for enabling global method security. Classes may
extend this class to customize the defaults, but must be sure to specify the
EnableGlobalMethodSecurity
annotation on the subclass.EnableGlobalMethodSecurity
Constructor and Description |
---|
GlobalMethodSecurityConfiguration() |
Modifier and Type | Method and Description |
---|---|
protected org.springframework.security.access.AccessDecisionManager |
accessDecisionManager()
Allows subclasses to provide a custom
AccessDecisionManager . |
protected org.springframework.security.access.intercept.AfterInvocationManager |
afterInvocationManager()
Provide a custom
AfterInvocationManager for the default
implementation of methodSecurityInterceptor() . |
protected org.springframework.security.authentication.AuthenticationManager |
authenticationManager()
Allows providing a custom
AuthenticationManager . |
protected void |
configure(AuthenticationManagerBuilder auth)
Sub classes can override this method to register different types of authentication.
|
protected org.springframework.security.access.expression.method.MethodSecurityExpressionHandler |
createExpressionHandler()
Provide a
MethodSecurityExpressionHandler that is registered with
the ExpressionBasedPreInvocationAdvice . |
protected org.springframework.security.access.method.MethodSecurityMetadataSource |
customMethodSecurityMetadataSource()
Provides a custom
MethodSecurityMetadataSource that is registered
with the methodSecurityMetadataSource() . |
protected org.springframework.security.access.expression.method.MethodSecurityExpressionHandler |
getExpressionHandler()
Gets the
MethodSecurityExpressionHandler or creates it using expressionHandler . |
org.springframework.security.access.intercept.aopalliance.MethodSecurityMetadataSourceAdvisor |
metaDataSourceAdvisor()
Obtains the
MethodSecurityMetadataSourceAdvisor to be used. |
org.aopalliance.intercept.MethodInterceptor |
methodSecurityInterceptor()
Creates the default MethodInterceptor which is a MethodSecurityInterceptor using the following methods to
construct it.
|
org.springframework.security.access.method.MethodSecurityMetadataSource |
methodSecurityMetadataSource()
Provides the default
MethodSecurityMetadataSource that will be
used. |
org.springframework.security.access.prepost.PreInvocationAuthorizationAdvice |
preInvocationAuthorizationAdvice()
Creates the
PreInvocationAuthorizationAdvice to be used. |
protected org.springframework.security.access.intercept.RunAsManager |
runAsManager()
Provide a custom
RunAsManager for the default implementation of
methodSecurityInterceptor() . |
void |
setAuthenticationConfiguration(AuthenticationConfiguration authenticationConfiguration) |
void |
setAuthenticationTrustResolver(org.springframework.security.authentication.AuthenticationTrustResolver trustResolver) |
void |
setImportMetadata(AnnotationMetadata importMetadata)
Obtains the attributes from
EnableGlobalMethodSecurity if this class was imported using the EnableGlobalMethodSecurity annotation. |
void |
setObjectPostProcessor(ObjectPostProcessor<Object> objectPostProcessor) |
void |
setPermissionEvaluator(List<org.springframework.security.access.PermissionEvaluator> permissionEvaluators) |
@Bean public org.aopalliance.intercept.MethodInterceptor methodSecurityInterceptor() throws Exception
accessDecisionManager()
afterInvocationManager()
authenticationManager()
methodSecurityMetadataSource()
runAsManager()
Subclasses can override this method to provide a different MethodInterceptor
.
Exception
protected org.springframework.security.access.intercept.AfterInvocationManager afterInvocationManager()
AfterInvocationManager
for the default
implementation of methodSecurityInterceptor()
. The default is
null if pre post is not enabled. Otherwise, it returns a AfterInvocationProviderManager
.
Subclasses should override this method to provide a custom AfterInvocationManager
protected org.springframework.security.access.intercept.RunAsManager runAsManager()
RunAsManager
for the default implementation of
methodSecurityInterceptor()
. The default is null.protected org.springframework.security.access.AccessDecisionManager accessDecisionManager()
AccessDecisionManager
. The default is a AffirmativeBased
with the following voters:
PreInvocationAuthorizationAdviceVoter
RoleVoter
AuthenticatedVoter
protected org.springframework.security.access.expression.method.MethodSecurityExpressionHandler createExpressionHandler()
MethodSecurityExpressionHandler
that is registered with
the ExpressionBasedPreInvocationAdvice
. The default is
DefaultMethodSecurityExpressionHandler
which optionally will
Autowire an AuthenticationTrustResolver
.
Subclasses may override this method to provide a custom
MethodSecurityExpressionHandler
protected final org.springframework.security.access.expression.method.MethodSecurityExpressionHandler getExpressionHandler()
MethodSecurityExpressionHandler
or creates it using expressionHandler
.null
MethodSecurityExpressionHandler
protected org.springframework.security.access.method.MethodSecurityMetadataSource customMethodSecurityMetadataSource()
MethodSecurityMetadataSource
that is registered
with the methodSecurityMetadataSource()
. Default is null.MethodSecurityMetadataSource
that is registered
with the methodSecurityMetadataSource()
protected org.springframework.security.authentication.AuthenticationManager authenticationManager() throws Exception
AuthenticationManager
. The default is
to use any authentication mechanisms registered by configure(AuthenticationManagerBuilder)
. If
configure(AuthenticationManagerBuilder)
was not overridden, then an AuthenticationManager
is attempted to be autowired by type.Exception
protected void configure(AuthenticationManagerBuilder auth) throws Exception
configure(AuthenticationManagerBuilder)
will attempt to autowire by type.auth
- the AuthenticationManagerBuilder
used to register different authentication mechanisms for the
global method security.Exception
@Bean public org.springframework.security.access.method.MethodSecurityMetadataSource methodSecurityMetadataSource()
MethodSecurityMetadataSource
that will be
used. It creates a DelegatingMethodSecurityMetadataSource
based
upon customMethodSecurityMetadataSource()
and the attributes on
EnableGlobalMethodSecurity
.@Bean public org.springframework.security.access.prepost.PreInvocationAuthorizationAdvice preInvocationAuthorizationAdvice()
PreInvocationAuthorizationAdvice
to be used. The
default is ExpressionBasedPreInvocationAdvice
.@Role(value=2) @Bean public org.springframework.security.access.intercept.aopalliance.MethodSecurityMetadataSourceAdvisor metaDataSourceAdvisor()
MethodSecurityMetadataSourceAdvisor
to be used.public final void setImportMetadata(AnnotationMetadata importMetadata)
EnableGlobalMethodSecurity
if this class was imported using the EnableGlobalMethodSecurity
annotation.setImportMetadata
in interface ImportAware
@Autowired(required=false) public void setAuthenticationTrustResolver(org.springframework.security.authentication.AuthenticationTrustResolver trustResolver)
@Autowired(required=false) public void setObjectPostProcessor(ObjectPostProcessor<Object> objectPostProcessor)
@Autowired(required=false) public void setPermissionEvaluator(List<org.springframework.security.access.PermissionEvaluator> permissionEvaluators)
@Autowired(required=false) public void setAuthenticationConfiguration(AuthenticationConfiguration authenticationConfiguration)