From f0ec1eeabd45cd690195e7b85ae5b94c88cc32c6 Mon Sep 17 00:00:00 2001 From: Luke Taylor Date: Sat, 9 Feb 2008 15:39:16 +0000 Subject: [PATCH] Tidying. --- .../AbstractSecurityInterceptor.java | 88 ++++++------------- 1 file changed, 27 insertions(+), 61 deletions(-) diff --git a/core/src/main/java/org/springframework/security/intercept/AbstractSecurityInterceptor.java b/core/src/main/java/org/springframework/security/intercept/AbstractSecurityInterceptor.java index 5a94339b7a..f3f7e8c218 100644 --- a/core/src/main/java/org/springframework/security/intercept/AbstractSecurityInterceptor.java +++ b/core/src/main/java/org/springframework/security/intercept/AbstractSecurityInterceptor.java @@ -56,60 +56,46 @@ import java.util.Collection; /** * Abstract class that implements security interception for secure objects. - *

+ *

* The AbstractSecurityInterceptor will ensure the proper startup configuration of the security * interceptor. It will also implement the proper handling of secure object invocations, namely: *

    *
  1. Obtain the {@link Authentication} object from the {@link SecurityContextHolder}.
    2. - *

    *

  2. Determine if the request relates to a secured or public invocation by ooking up the secure object request * against the {@link ObjectDefinitionSource}.
    3. - *

    *

  3. For an invocation that is secured (there is a * ConfigAttributeDefinition for the secure object invocation): - *

    *

      - *

      *

    1. If either the {@link org.springframework.security.Authentication#isAuthenticated()} * returns false, or the {@link #alwaysReauthenticate} is * true, authenticate the request against the configured {@link AuthenticationManager}. * When authenticated, replace the Authentication object on the * SecurityContextHolder with the returned value.
      2. - *

      *

    2. Authorize the request against the configured {@link AccessDecisionManager}.
      3. - *

      *

    3. Perform any run-as replacement via the configured {@link RunAsManager}.
      4. - *

      *

    4. Pass control back to the concrete subclass, which will actually proceed with executing the object. * A {@link InterceptorStatusToken} is returned so that after the subclass has finished proceeding with * execution of the object, its finally clause can ensure the AbstractSecurityInterceptor * is re-called and tidies up correctly.
      5. - *

      *

    5. The concrete subclass will re-call the AbstractSecurityInterceptor via the * {@link #afterInvocation(InterceptorStatusToken, Object)} method.
      6. - *

      *

    6. If the RunAsManager replaced the Authentication object, return the * SecurityContextHolder to the object that existed after the call to * AuthenticationManager.
      7. - *

      *

    7. If an AfterInvocationManager is defined, invoke the * invocation manager and allow it to replace the object due to be returned to * the caller.
      8. *
    - *

    *

    4. - *

    *

  4. For an invocation that is public (there is no ConfigAttributeDefinition for the secure object * invocation): *
      - *

      *

    1. As described above, the concrete subclass will be returned an InterceptorStatusToken which is * subsequently re-presented to the AbstractSecurityInterceptor after the secure object has been executed. * The AbstractSecurityInterceptor will take no further action when its * {@link #afterInvocation(InterceptorStatusToken, Object)} is called.
      2. *
    *
    5. - *

    *

  5. Control again returns to the concrete subclass, along with the Object that should be returned to * the caller. The subclass will then return that result or exception to the original caller.
    6. *
@@ -124,34 +110,27 @@ public abstract class AbstractSecurityInterceptor implements InitializingBean, A protected static final Log logger = LogFactory.getLog(AbstractSecurityInterceptor.class); //~ Instance fields ================================================================================================ - - private AccessDecisionManager accessDecisionManager; - - private AfterInvocationManager afterInvocationManager; - - private ApplicationEventPublisher eventPublisher; - - private AuthenticationManager authenticationManager; - + protected MessageSourceAccessor messages = SpringSecurityMessageSource.getAccessor(); - + private ApplicationEventPublisher eventPublisher; + private AccessDecisionManager accessDecisionManager; + private AfterInvocationManager afterInvocationManager; + private AuthenticationManager authenticationManager; private RunAsManager runAsManager = new NullRunAsManager(); private boolean alwaysReauthenticate = false; - private boolean rejectPublicInvocations = false; - private boolean validateConfigAttributes = true; //~ Methods ======================================================================================================== /** - * Completes the work of the AbstractSecurityInterceptor - * after the secure object invocation has been complete + * Completes the work of the AbstractSecurityInterceptor after the secure object invocation has been + * completed. * * @param token as returned by the {@link #beforeInvocation(Object)}} method - * @param returnedObject any object returned from the secure object invocation (may benull) - * @return the object the secure object invocation should ultimately return to its caller (may be null) + * @param returnedObject any object returned from the secure object invocation (may benull) + * @return the object the secure object invocation should ultimately return to its caller (may be null) */ protected Object afterInvocation(InterceptorStatusToken token, Object returnedObject) { if (token == null) { @@ -187,23 +166,15 @@ public abstract class AbstractSecurityInterceptor implements InitializingBean, A public void afterPropertiesSet() throws Exception { Assert.notNull(getSecureObjectClass(), "Subclass must provide a non-null response to getSecureObjectClass()"); - Assert.notNull(this.messages, "A message source must be set"); - Assert.notNull(this.authenticationManager, "An AuthenticationManager is required"); - Assert.notNull(this.accessDecisionManager, "An AccessDecisionManager is required"); - Assert.notNull(this.runAsManager, "A RunAsManager is required"); - Assert.notNull(this.obtainObjectDefinitionSource(), "An ObjectDefinitionSource is required"); - Assert.isTrue(this.obtainObjectDefinitionSource().supports(getSecureObjectClass()), "ObjectDefinitionSource does not support secure object class: " + getSecureObjectClass()); - Assert.isTrue(this.runAsManager.supports(getSecureObjectClass()), "RunAsManager does not support secure object class: " + getSecureObjectClass()); - Assert.isTrue(this.accessDecisionManager.supports(getSecureObjectClass()), "AccessDecisionManager does not support secure object class: " + getSecureObjectClass()); @@ -445,25 +416,20 @@ public abstract class AbstractSecurityInterceptor implements InitializingBean, A } /** - * By rejecting public invocations (and setting this property to - * true), essentially you are ensuring that every secure - * object invocation advised by AbstractSecurityInterceptor - * has a configuration attribute defined. This is useful to ensure a "fail - * safe" mode where undeclared secure objects will be rejected and - * configuration omissions detected early. An - * IllegalArgumentException will be thrown by the - * AbstractSecurityInterceptor if you set this property to - * true and an attempt is made to invoke a secure object that - * has no configuration attributes. - * - * @param rejectPublicInvocations set to true to reject - * invocations of secure objects that have no configuration attributes (by - * default it is false which treats undeclared secure objects - * as "public" or unauthorized) + * By rejecting public invocations (and setting this property to true), essentially you are ensuring + * that every secure object invocation advised by AbstractSecurityInterceptor has a configuration + * attribute defined. This is useful to ensure a "fail safe" mode where undeclared secure objects will be rejected + * and configuration omissions detected early. An IllegalArgumentException will be thrown by the + * AbstractSecurityInterceptor if you set this property to true and an attempt is made to invoke + * a secure object that has no configuration attributes. + * + * @param rejectPublicInvocations set to true to reject invocations of secure objects that have no + * configuration attributes (by default it is false which treats undeclared secure objects + * as "public" or unauthorized). */ - public void setRejectPublicInvocations(boolean rejectPublicInvocations) { - this.rejectPublicInvocations = rejectPublicInvocations; - } + public void setRejectPublicInvocations(boolean rejectPublicInvocations) { + this.rejectPublicInvocations = rejectPublicInvocations; + } public void setRunAsManager(RunAsManager runAsManager) { this.runAsManager = runAsManager; @@ -474,8 +440,8 @@ public abstract class AbstractSecurityInterceptor implements InitializingBean, A } private void publishEvent(ApplicationEvent event) { - if (this.eventPublisher != null) { - this.eventPublisher.publishEvent(event); - } - } + if (this.eventPublisher != null) { + this.eventPublisher.publishEvent(event); + } + } }