
📄 abstractsecurityinterceptor.java

📁 acegi构造安全的java系统
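			logger.info("Validated configuration attributes");
		}
	}

	/**
	 * Runs the pre-invocation security checks for a secure object: type check,
	 * configuration attribute lookup, authentication (when required),
	 * authorization, and the optional run-as replacement.
	 * <p>
	 * If the object has no configuration attributes and
	 * <code>rejectPublicInvocations</code> is <code>false</code>, the object is
	 * treated as public: a <code>PublicInvocationEvent</code> is published and
	 * <code>null</code> is returned without any authentication or authorization
	 * being attempted.
	 * </p>
	 * <p>
	 * If the <code>RunAsManager</code> supplies a replacement
	 * <code>Authentication</code>, it is stored in the
	 * <code>SecurityContext</code> before this method returns. The original
	 * <code>Authentication</code> is carried in the returned token; the code
	 * that puts it back after the invocation is not part of this method.
	 * </p>
	 * 
	 * @param object the secure object about to be invoked; must not be
	 * <code>null</code> and must be assignable to the class returned by
	 * {@link #getSecureObjectClass()}
	 * @return <code>null</code> for a public invocation, otherwise a token
	 * holding the authenticated principal, a flag that is <code>true</code>
	 * only when the <code>SecurityContext</code> was switched to a run-as
	 * <code>Authentication</code>, the configuration attributes and the object
	 * @throws IllegalArgumentException if the object is of an unsupported type,
	 * or if it has no configuration attributes while
	 * <code>rejectPublicInvocations</code> is <code>true</code>
	 * @throws AuthenticationCredentialsNotFoundException if the
	 * <code>SecurityContext</code> holds no <code>Authentication</code>
	 * @throws AuthenticationException if (re)authentication fails
	 * @throws AccessDeniedException if the <code>AccessDecisionManager</code>
	 * refuses the invocation
	 */
	protected InterceptorStatusToken beforeInvocation(Object object) {
		Assert.notNull(object, "Object was null");

		if (!getSecureObjectClass().isAssignableFrom(object.getClass())) {
			throw new IllegalArgumentException("Security invocation attempted for object "
					+ object.getClass().getName()
					+ " but AbstractSecurityInterceptor only configured to support secure objects of type: "
					+ getSecureObjectClass());
		}

		ConfigAttributeDefinition attr = this.obtainObjectDefinitionSource().getAttributes(object);

		if (attr == null) {
			// No attributes means the object is not covered by the security
			// configuration. With rejectPublicInvocations == false this path is
			// fail-open: the invocation proceeds with no authentication and no
			// authorization decision.
			if (rejectPublicInvocations) {
				throw new IllegalArgumentException(
						"No public invocations are allowed via this AbstractSecurityInterceptor. "
								+ "This indicates a configuration error because the "
								+ "AbstractSecurityInterceptor.rejectPublicInvocations property is set to 'true'");
			}

			if (logger.isDebugEnabled()) {
				logger.debug("Public object - authentication not attempted");
			}

			publishEvent(new PublicInvocationEvent(object));

			return null; // no further work post-invocation
		}

		if (logger.isDebugEnabled()) {
			logger.debug("Secure object: " + object.toString() + "; ConfigAttributes: " + attr.toString());
		}

		// Read the Authentication once, so that the object that is null-checked
		// is the same one that is inspected and handed to the
		// AuthenticationManager below.
		Authentication current = SecurityContextHolder.getContext().getAuthentication();

		if (current == null) {
			// credentialsNotFound always throws, so execution never continues
			// past this block with a null Authentication
			credentialsNotFound(messages.getMessage("AbstractSecurityInterceptor.authenticationNotFound",
					"An Authentication object was not found in the SecurityContext"), object, attr);
		}

		// Attempt authentication if not already authenticated, or user always
		// wants reauthentication
		Authentication authenticated;

		if (!current.isAuthenticated() || alwaysReauthenticate) {
			// An AuthenticationException raised here propagates to the caller
			// unchanged; the former catch block only rethrew it.
			authenticated = this.authenticationManager.authenticate(current);

			// We don't call authenticated.setAuthenticated(true) here, because
			// each provider should do that
			// NOTE(review): the debug messages below embed
			// Authentication.toString(); confirm the implementations in use do
			// not render credentials before enabling debug logging.
			if (logger.isDebugEnabled()) {
				logger.debug("Successfully Authenticated: " + authenticated.toString());
			}

			SecurityContextHolder.getContext().setAuthentication(authenticated);
		}
		else {
			authenticated = current;

			if (logger.isDebugEnabled()) {
				logger.debug("Previously Authenticated: " + authenticated.toString());
			}
		}

		// Attempt authorization
		try {
			this.accessDecisionManager.decide(authenticated, object, attr);
		}
		catch (AccessDeniedException accessDeniedException) {
			// Publish the failure before rethrowing so a listener can record
			// the denied attempt
			AuthorizationFailureEvent event = new AuthorizationFailureEvent(object, attr, authenticated,
					accessDeniedException);
			publishEvent(event);

			throw accessDeniedException;
		}

		if (logger.isDebugEnabled()) {
			logger.debug("Authorization successful");
		}

		AuthorizedEvent event = new AuthorizedEvent(object, attr, authenticated);
		publishEvent(event);

		// Attempt to run as a different user
		Authentication runAs = this.runAsManager.buildRunAs(authenticated, object, attr);

		if (runAs == null) {
			if (logger.isDebugEnabled()) {
				logger.debug("RunAsManager did not change Authentication object");
			}

			// no further work post-invocation
			return new InterceptorStatusToken(authenticated, false, attr, object);
		}
		else {
			if (logger.isDebugEnabled()) {
				logger.debug("Switching to RunAs Authentication: " + runAs.toString());
			}

			// From here until the context is reverted, code that consults the
			// SecurityContext sees the run-as identity, not the caller's.
			SecurityContextHolder.getContext().setAuthentication(runAs);

			// revert to token.Authenticated post-invocation
			return new InterceptorStatusToken(authenticated, true, attr, object);
		}
	}

	/**
	 * Helper method which generates an exception containing the passed reason,
	 * and publishes an event to the application context.
	 * <p>
	 * Always throws an exception.
	 * </p>
	 * 
	 * @param reason to be provided in the exception detail
	 * @param secureObject that was being called
	 * @param configAttribs that were defined for the secureObject
	 */
	private void credentialsNotFound(String reason, Object secureObject, ConfigAttributeDefinition configAttribs) {
		AuthenticationCredentialsNotFoundException exception = new AuthenticationCredentialsNotFoundException(reason);

		AuthenticationCredentialsNotFoundEvent event = new AuthenticationCredentialsNotFoundEvent(secureObject,
				configAttribs, exception);
		publishEvent(event);

		throw exception;
	}

	/**
	 * @return the manager consulted for the authorization decision
	 */
	public AccessDecisionManager getAccessDecisionManager() {
		return accessDecisionManager;
	}

	/**
	 * @return the configured <code>AfterInvocationManager</code>
	 */
	public AfterInvocationManager getAfterInvocationManager() {
		return afterInvocationManager;
	}

	/**
	 * @return the manager used to (re)authenticate the current
	 * <code>Authentication</code>
	 */
	public AuthenticationManager getAuthenticationManager() {
		return this.authenticationManager;
	}

	/**
	 * @return the manager asked for a run-as replacement after a successful
	 * authorization
	 */
	public RunAsManager getRunAsManager() {
		return runAsManager;
	}

	/**
	 * Indicates the type of secure objects the subclass will be presenting to
	 * the abstract parent for processing. This is used to ensure collaborators
	 * wired to the <code>AbstractSecurityInterceptor</code> all support the
	 * indicated secure object class.
	 * 
	 * @return the type of secure object the subclass provides services for
	 */
	public abstract Class getSecureObjectClass();

	/**
	 * @return <code>true</code> if every invocation is re-authenticated
	 * regardless of <code>Authentication.isAuthenticated()</code>
	 */
	public boolean isAlwaysReauthenticate() {
		return alwaysReauthenticate;
	}

	/**
	 * @return <code>true</code> if secure objects without configuration
	 * attributes are rejected instead of being treated as public
	 */
	public boolean isRejectPublicInvocations() {
		return rejectPublicInvocations;
	}

	/**
	 * @return the current value of the <code>validateConfigAttributes</code>
	 * property
	 */
	public boolean isValidateConfigAttributes() {
		return validateConfigAttributes;
	}

	/**
	 * Supplies the source that is queried for the configuration attributes of
	 * each secure object.
	 * 
	 * @return the <code>ObjectDefinitionSource</code> provided by the subclass
	 */
	public abstract ObjectDefinitionSource obtainObjectDefinitionSource();

	public void setAccessDecisionManager(AccessDecisionManager accessDecisionManager) {
		this.accessDecisionManager = accessDecisionManager;
	}

	public void setAfterInvocationManager(AfterInvocationManager afterInvocationManager) {
		this.afterInvocationManager = afterInvocationManager;
	}

	/**
	 * Indicates whether the <code>AbstractSecurityInterceptor</code> should
	 * ignore the {@link Authentication#isAuthenticated()} property. Defaults to
	 * <code>false</code>, meaning by default the
	 * <code>Authentication.isAuthenticated()</code> property is trusted and
	 * re-authentication will not occur if the principal has already been
	 * authenticated.
	 * 
	 * @param alwaysReauthenticate <code>true</code> to force
	 * <code>AbstractSecurityInterceptor</code> to disregard the value of
	 * <code>Authentication.isAuthenticated()</code> and always
	 * re-authenticate the request (defaults to <code>false</code>).
	 */
	public void setAlwaysReauthenticate(boolean alwaysReauthenticate) {
		this.alwaysReauthenticate = alwaysReauthenticate;
	}

	/**
	 * Sets the publisher that receives the security events raised by this
	 * class. If none is set, those events are not published at all.
	 * 
	 * @param applicationEventPublisher the publisher to forward events to
	 */
	public void setApplicationEventPublisher(ApplicationEventPublisher applicationEventPublisher) {
		this.eventPublisher = applicationEventPublisher;
	}

	public void setAuthenticationManager(AuthenticationManager newManager) {
		this.authenticationManager = newManager;
	}

	/**
	 * Wraps the given source in a <code>MessageSourceAccessor</code> used to
	 * resolve the exception messages of this class.
	 * 
	 * @param messageSource the source of localized messages
	 */
	public void setMessageSource(MessageSource messageSource) {
		this.messages = new MessageSourceAccessor(messageSource);
	}

	/**
	 * By rejecting public invocations (and setting this property to
	 * <code>true</code>), essentially you are ensuring that every secure
	 * object invocation advised by <code>AbstractSecurityInterceptor</code>
	 * has a configuration attribute defined. This is useful to ensure a "fail
	 * safe" mode where undeclared secure objects will be rejected and
	 * configuration omissions detected early. An
	 * <code>IllegalArgumentException</code> will be thrown by the
	 * <code>AbstractSecurityInterceptor</code> if you set this property to
	 * <code>true</code> and an attempt is made to invoke a secure object that
	 * has no configuration attributes.
	 * 
	 * @param rejectPublicInvocations set to <code>true</code> to reject
	 * invocations of secure objects that have no configuration attributes (by
	 * default it is <code>false</code>, which treats undeclared secure objects
	 * as "public", i.e. they are invoked without any authentication or
	 * authorization check)
	 */
	public void setRejectPublicInvocations(boolean rejectPublicInvocations) {
		this.rejectPublicInvocations = rejectPublicInvocations;
	}

	public void setRunAsManager(RunAsManager runAsManager) {
		this.runAsManager = runAsManager;
	}

	public void setValidateConfigAttributes(boolean validateConfigAttributes) {
		this.validateConfigAttributes = validateConfigAttributes;
	}

	/**
	 * Forwards the event to the configured
	 * <code>ApplicationEventPublisher</code>. When no publisher has been set
	 * the event is silently dropped, so the authorization and
	 * credentials-not-found events raised by this class are only observable if
	 * a publisher was wired in.
	 * 
	 * @param event the event to publish
	 */
	private void publishEvent(ApplicationEvent event) {
		if (this.eventPublisher != null) {
			this.eventPublisher.publishEvent(event);
		}
	}
}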
