diff --git a/src/docbkx/authorization-common.xml b/src/docbkx/authorization-common.xml index 0aadb002a7..6352410371 100644 --- a/src/docbkx/authorization-common.xml +++ b/src/docbkx/authorization-common.xml @@ -1,4 +1,4 @@ - + Common Authorization Concepts
@@ -52,16 +52,25 @@
- Pre-Invocation Handling + + Pre-Invocation Handling + + + As we'll see in the Technical Overview chapter, Spring + Security provides interceptors which control access to secure objects such as method invocations + or web requests. A pre-invocation decision on whether the invocation is allowed to proceed is made by + the AccessDecisionManager. + - +
+ The AccessDecisionManager The AccessDecisionManager is called by the AbstractSecurityInterceptor and is responsible for making final access control decisions. The AccessDecisionManager interface contains three methods: - void decide(Authentication authentication, Object object, ConfigAttributeDefinition config) throws AccessDeniedException; + void decide(Authentication authentication, Object secureObject, ConfigAttributeDefinition config) throws AccessDeniedException; boolean supports(ConfigAttribute attribute); boolean supports(Class clazz); @@ -89,10 +98,10 @@ AccessDecisionManager supports the type of secure object that the security interceptor will present. - Whilst users can implement their own - AccessDecisionManager to control all aspects of - authorization, Spring Security includes several - AccessDecisionManager implementations that are +
+ Voting-Based AccessDecisionManager Implementations + Whilst users can implement their own AccessDecisionManager to control all aspects of + authorization, Spring Security includes several AccessDecisionManager implementations that are based on voting. illustrates the relevant classes.
Voting Decision Manager @@ -137,7 +146,7 @@ boolean supports(Class clazz); event of an equality of votes or if all votes are abstain. The AffirmativeBased implementation will grant access if one or more ACCESS_GRANTED votes were received - (ie a deny vote will be ignored, provided there was at least one grant + (i.e. a deny vote will be ignored, provided there was at least one grant vote). Like the ConsensusBased implementation, there is a parameter that controls the behavior if all voters abstain. The UnanimousBased provider expects unanimous @@ -154,21 +163,28 @@ boolean supports(Class clazz); weighting, whilst a deny vote from a particular voter may have a veto effect. - There are two concrete AccessDecisionVoter - implementations provided with Spring Security. The - RoleVoter class will vote if any ConfigAttribute - begins with ROLE_. It will vote to grant access if - there is a GrantedAuthority which returns a - String representation (via the - getAuthority() method) exactly equal to one or more - ConfigAttributes starting with - ROLE_. If there is no exact match of any - ConfigAttribute starting with - ROLE_, the RoleVoter will vote - to deny access. If no ConfigAttribute begins with - ROLE_, the voter will abstain. - RoleVoter is case sensitive on comparisons as well - as the ROLE_ prefix. +
+ <classname>RoleVoter</classname> + + The most commonly used AccessDecisionVoter + provided with Spring Security is the simple RoleVoter, which treats + configuration attributes as simple role names and votes to grant access if the user has been assigned + that role. + It will vote if any ConfigAttribute begins with the prefix ROLE_. + It will vote to grant access if there is a GrantedAuthority which returns a + String representation (via the + getAuthority() method) exactly equal to one or more + ConfigAttributes starting with + ROLE_. If there is no exact match of any + ConfigAttribute starting with + ROLE_, the RoleVoter will vote + to deny access. If no ConfigAttribute begins with + ROLE_, the voter will abstain. + RoleVoter is case sensitive on comparisons as well + as the ROLE_ prefix. +
+ + + + +
+ Custom Voters It is also possible to implement a custom AccessDecisionVoter. Several examples are provided in Spring Security unit tests, including @@ -245,10 +269,9 @@ boolean supports(Class clazz); Authentication object presented. All of this is achieved with relatively few lines of code and demonstrates the flexibility of the authorization model. - - TODO: Remove references to the old ACL package when it's - deprecated, and have all references to the replacement package limited - to the chapter describing the new ACL implementation. +
+
+
@@ -394,8 +417,8 @@ boolean supports(Class clazz); AfterInvocationProviders.
-
ACL-Aware AfterInvocationProviders (old ACL module) - +
+ ACL-Aware AfterInvocationProviders (old ACL module) PLEASE NOTE: Acegi Security 1.0.3 contains a preview of a new ACL module. The new ACL module is a significant rewrite of the