
org.acegisecurity.AfterInvocationManager Maven / Gradle / Ivy

There is a newer version: 1.0.7
/* Copyright 2004 Acegi Technology Pty Limited
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package org.acegisecurity;

/**
 * Reviews the Object returned from a secure object invocation,
 * being able to modify the Object or throw an {@link
 * AccessDeniedException}.
 *
 * <p>
 * Typically used to ensure the principal is permitted to access the domain
 * object instance returned by a service layer bean. Can also be used to
 * mutate the domain object instance so the principal is only able to access
 * authorised bean properties or Collection elements. Often used
 * in conjunction with an {@link org.acegisecurity.acl.AclManager} to
 * obtain the access control list applicable for the domain object instance.
 * </p>
 *
 * <p>
 * Special consideration should be given to using an
 * AfterInvocationManager on bean methods that modify a database.
 * Typically an AfterInvocationManager is used with read-only
 * methods, such as public DomainObject getById(id). If used with
 * methods that modify a database, a transaction manager should be used to
 * ensure any AccessDeniedException will cause a rollback of the
 * changes made by the transaction.
 * </p>
 *
 * @author Ben Alex
 * @version $Id: AfterInvocationManager.java,v 1.2 2005/11/17 00:55:49 benalex Exp $
 */
public interface AfterInvocationManager {
    //~ Methods ================================================================

    /**
     * Given the details of a secure object invocation including its returned
     * Object, make an access control decision or optionally
     * modify the returned Object.
     *
     * @param authentication the caller that invoked the method
     * @param object the secured object that was called
     * @param config the configuration attributes associated with the secured
     *        object that was invoked
     * @param returnedObject the Object that was returned from the
     *        secure object invocation
     *
     * @return the Object that will ultimately be returned to the
     *         caller (if an implementation does not wish to modify the object
     *         to be returned to the caller, the implementation should simply
     *         return the same object it was passed by the
     *         returnedObject method argument)
     *
     * @throws AccessDeniedException if access is denied
     */
    public Object decide(Authentication authentication, Object object,
        ConfigAttributeDefinition config, Object returnedObject)
        throws AccessDeniedException;

    /**
     * Indicates whether this AfterInvocationManager is able to
     * process "after invocation" requests presented with the passed
     * ConfigAttribute.
     *
     * <p>
     * This allows the AbstractSecurityInterceptor to check every
     * configuration attribute can be consumed by the configured
     * AccessDecisionManager and/or RunAsManager
     * and/or AfterInvocationManager.
     * </p>
     *
     * @param attribute a configuration attribute that has been configured
     *        against the AbstractSecurityInterceptor
     *
     * @return true if this AfterInvocationManager can support the
     *         passed configuration attribute
     */
    public boolean supports(ConfigAttribute attribute);

    /**
     * Indicates whether the AfterInvocationManager implementation
     * is able to provide access control decisions for the indicated secured
     * object type.
     *
     * @param clazz the class that is being queried
     *
     * @return true if the implementation can process the
     *         indicated class
     */
    public boolean supports(Class clazz);
}
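An added example (not part of the Acegi Security source) of an implementation for the read-only case the Javadoc describes: it denies a returned domain object the caller does not own, and filters a returned Collection down to the caller's own elements. `Owned`, `getOwnerUsername()` and the `AFTER_OWNER_READ` attribute are hypothetical names, and the acegi-security jar is assumed to be on the classpath.

```java
import java.util.ArrayList;
import java.util.Collection;
import java.util.Iterator;
import java.util.List;
import org.acegisecurity.AccessDeniedException;
import org.acegisecurity.AfterInvocationManager;
import org.acegisecurity.Authentication;
import org.acegisecurity.ConfigAttribute;
import org.acegisecurity.ConfigAttributeDefinition;

public class OwnerOnlyAfterInvocationManager implements AfterInvocationManager {
    /** Hypothetical marker for domain objects that record their owner. */
    public interface Owned { String getOwnerUsername(); }
    /** Hypothetical attribute name; configure it on read-only methods only. */
    static final String ATTRIBUTE = "AFTER_OWNER_READ";

    public Object decide(Authentication authentication, Object object,
            ConfigAttributeDefinition config, Object returnedObject) throws AccessDeniedException {
        boolean applies = false;
        for (Iterator it = config.getConfigAttributes(); it.hasNext();) {
            applies |= supports((ConfigAttribute) it.next());
        }
        if (!applies || returnedObject == null) {
            return returnedObject; // nothing to review, e.g. getById(id) found no row
        }
        String caller = authentication.getName();
        if (returnedObject instanceof Collection) {
            // Mutation case: hand back a copy holding only the caller's own elements.
            List visible = new ArrayList();
            for (Iterator it = ((Collection) returnedObject).iterator(); it.hasNext();) {
                Object element = it.next();
                if (ownedBy(element, caller)) visible.add(element);
            }
            return visible;
        }
        if (!ownedBy(returnedObject, caller)) {
            throw new AccessDeniedException("Returned object is not owned by " + caller);
        }
        return returnedObject; // unchanged, as the interface contract asks
    }

    private static boolean ownedBy(Object candidate, String caller) {
        // Fail closed: an object that does not declare an owner is never released.
        return candidate instanceof Owned && caller.equals(((Owned) candidate).getOwnerUsername());
    }

    public boolean supports(ConfigAttribute attribute) { return ATTRIBUTE.equals(attribute.getAttribute()); }
    public boolean supports(Class clazz) { return true; } // not tied to one secured object type
}
```

Because the denial is raised only after the secured method has already run, this check belongs on read-only methods unless a transaction manager rolls the work back on AccessDeniedException.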



