Cwikius-Spring/spring-security
1
0
Fork 0
mirror of https://github.com/spring-projects/spring-security.git synced 2025-06-25 13:32:30 +00:00
Code Issues Packages Projects Releases Wiki Activity

Added exta sub-headings to facilitate searching for particular topics from content page

Browse Source
This commit is contained in:
Luke Taylor 2008-07-11 13:27:19 +00:00
parent 7039bfdfbe
commit 768219af81
1 changed files with 54 additions and 31 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

63
src/docbkx/authorization-common.xml
View File

@ -1,4 +1,4 @@
<chapter xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="authorization-common"> <chapter xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="authorization-common" xmlns:xlink="http://www.w3.org/1999/xlink">
<info><title>Common Authorization Concepts</title></info> <info><title>Common Authorization Concepts</title></info>
<section xml:id="authorities"> <section xml:id="authorities">
@ -52,16 +52,25 @@
</section> </section>
<section xml:id="pre-invocation"> <section xml:id="pre-invocation">
<info><title>Pre-Invocation Handling</title></info> <info>
<title>Pre-Invocation Handling</title>
</info>
<para>
As we'll see in the <link xlink:href="#secure-objects" >Technical Overview</link> chapter, Spring
Security provides interceptors which control access to secure objects such as method invocations
or web requests. A pre-invocation decision on whether the invocation is allowed to proceed is made by
the <interfacename>AccessDecisionManager</interfacename>.
</para>
<section>
<title>The AccessDecisionManager</title>
<para>The <literal>AccessDecisionManager</literal> is called by the <para>The <literal>AccessDecisionManager</literal> is called by the
<literal>AbstractSecurityInterceptor</literal> and is responsible for <literal>AbstractSecurityInterceptor</literal> and is responsible for
making final access control decisions. The making final access control decisions. The
<literal>AccessDecisionManager</literal> interface contains three <literal>AccessDecisionManager</literal> interface contains three
methods: methods:
<programlisting> <programlisting>
void decide(Authentication authentication, Object object, ConfigAttributeDefinition config) throws AccessDeniedException; void decide(Authentication authentication, Object secureObject, ConfigAttributeDefinition config) throws AccessDeniedException;
boolean supports(ConfigAttribute attribute); boolean supports(ConfigAttribute attribute);
boolean supports(Class clazz); boolean supports(Class clazz);
</programlisting> </programlisting>
@ -89,10 +98,10 @@
<literal>AccessDecisionManager</literal> supports the type of secure <literal>AccessDecisionManager</literal> supports the type of secure
object that the security interceptor will present.</para> object that the security interceptor will present.</para>
<para>Whilst users can implement their own <section>
<literal>AccessDecisionManager</literal> to control all aspects of <title>Voting-Based AccessDecisionManager Implementations</title>
authorization, Spring Security includes several <para>Whilst users can implement their own <literal>AccessDecisionManager</literal> to control all aspects of
<literal>AccessDecisionManager</literal> implementations that are authorization, Spring Security includes several <literal>AccessDecisionManager</literal> implementations that are
based on voting. <xref linkend="authz-access-voting"/> illustrates the relevant classes.</para> based on voting. <xref linkend="authz-access-voting"/> illustrates the relevant classes.</para>
<figure xml:id="authz-access-voting"> <figure xml:id="authz-access-voting">
<title>Voting Decision Manager</title> <title>Voting Decision Manager</title>
@ -137,7 +146,7 @@ boolean supports(Class clazz);
event of an equality of votes or if all votes are abstain. The event of an equality of votes or if all votes are abstain. The
<literal>AffirmativeBased</literal> implementation will grant access <literal>AffirmativeBased</literal> implementation will grant access
if one or more <literal>ACCESS_GRANTED</literal> votes were received if one or more <literal>ACCESS_GRANTED</literal> votes were received
(ie a deny vote will be ignored, provided there was at least one grant (i.e. a deny vote will be ignored, provided there was at least one grant
vote). Like the <literal>ConsensusBased</literal> implementation, vote). Like the <literal>ConsensusBased</literal> implementation,
there is a parameter that controls the behavior if all voters abstain. there is a parameter that controls the behavior if all voters abstain.
The <literal>UnanimousBased</literal> provider expects unanimous The <literal>UnanimousBased</literal> provider expects unanimous
@ -154,11 +163,15 @@ boolean supports(Class clazz);
weighting, whilst a deny vote from a particular voter may have a veto weighting, whilst a deny vote from a particular voter may have a veto
effect.</para> effect.</para>
<para>There are two concrete <literal>AccessDecisionVoter</literal> <section>
implementations provided with Spring Security. The <title><classname>RoleVoter</classname></title>
<literal>RoleVoter</literal> class will vote if any ConfigAttribute <para>
begins with <literal>ROLE_</literal>. It will vote to grant access if The most commonly used <literal>AccessDecisionVoter</literal>
there is a <literal>GrantedAuthority</literal> which returns a provided with Spring Security is the simple <classname>RoleVoter</classname>, which treats
configuration attributes as simple role names and votes to grant access if the user has been assigned
that role.</para>
<para>It will vote if any ConfigAttribute begins with the prefix <literal>ROLE_</literal>.
It will vote to grant access if there is a <literal>GrantedAuthority</literal> which returns a
<literal>String</literal> representation (via the <literal>String</literal> representation (via the
<literal>getAuthority()</literal> method) exactly equal to one or more <literal>getAuthority()</literal> method) exactly equal to one or more
<literal>ConfigAttributes</literal> starting with <literal>ConfigAttributes</literal> starting with
@ -169,6 +182,9 @@ boolean supports(Class clazz);
<literal>ROLE_</literal>, the voter will abstain. <literal>ROLE_</literal>, the voter will abstain.
<literal>RoleVoter</literal> is case sensitive on comparisons as well <literal>RoleVoter</literal> is case sensitive on comparisons as well
as the <literal>ROLE_</literal> prefix.</para> as the <literal>ROLE_</literal> prefix.</para>
</section>
<!--
<para><literal>BasicAclEntryVoter</literal> is the other concrete <para><literal>BasicAclEntryVoter</literal> is the other concrete
voter included with Spring Security. It integrates with Spring voter included with Spring Security. It integrates with Spring
@ -226,7 +242,15 @@ boolean supports(Class clazz);
and how best to apply them, please see the ACL and "After Invocation" and how best to apply them, please see the ACL and "After Invocation"
sections of this reference guide, and the Contacts sample sections of this reference guide, and the Contacts sample
application.</para> application.</para>
-->
<!--
<para>TODO: Remove references to the old ACL package when it's
deprecated, and have all references to the replacement package limited
to the chapter describing the new ACL implementation.</para>
-->
<section>
<title>Custom Voters</title>
<para>It is also possible to implement a custom <para>It is also possible to implement a custom
<literal>AccessDecisionVoter</literal>. Several examples are provided <literal>AccessDecisionVoter</literal>. Several examples are provided
in Spring Security unit tests, including in Spring Security unit tests, including
@ -245,10 +269,9 @@ boolean supports(Class clazz);
<literal>Authentication</literal> object presented. All of this is <literal>Authentication</literal> object presented. All of this is
achieved with relatively few lines of code and demonstrates the achieved with relatively few lines of code and demonstrates the
flexibility of the authorization model.</para> flexibility of the authorization model.</para>
</section>
<para>TODO: Remove references to the old ACL package when it's </section>
deprecated, and have all references to the replacement package limited </section>
to the chapter describing the new ACL implementation.</para>
</section> </section>
<section xml:id="after-invocation"> <section xml:id="after-invocation">
@ -394,8 +417,8 @@ boolean supports(Class clazz);
<literal>AfterInvocationProvider</literal>s.</para> <literal>AfterInvocationProvider</literal>s.</para>
</section> </section>
<section xml:id="after-invocation-acl-aware-old"><info><title>ACL-Aware AfterInvocationProviders (old ACL module)</title></info> <section xml:id="after-invocation-acl-aware-old">
<info><title>ACL-Aware AfterInvocationProviders (old ACL module)</title></info>
<para>PLEASE NOTE: Acegi Security 1.0.3 contains a preview of a new <para>PLEASE NOTE: Acegi Security 1.0.3 contains a preview of a new
ACL module. The new ACL module is a significant rewrite of the ACL module. The new ACL module is a significant rewrite of the