org.springframework.security.access.vote.RoleVoter Maven / Gradle / Ivy
/*
* Copyright 2004, 2005, 2006 Acegi Technology Pty Limited
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* https://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.access.vote;
import java.util.Collection;
import org.springframework.security.access.AccessDecisionVoter;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
/**
* Votes if any {@link ConfigAttribute#getAttribute()} starts with a prefix indicating
* that it is a role. The default prefix string is ROLE_
, but this may be
* overridden to any value. It may also be set to empty, which means that essentially any
* attribute will be voted on. As described further below, the effect of an empty prefix
* may not be quite desirable.
*
* Abstains from voting if no configuration attribute commences with the role prefix.
* Votes to grant access if there is an exact matching
* {@link org.springframework.security.core.GrantedAuthority} to a
* ConfigAttribute
starting with the role prefix. Votes to deny access if
* there is no exact matching GrantedAuthority
to a
* ConfigAttribute
starting with the role prefix.
*
* An empty role prefix means that the voter will vote for every ConfigAttribute. When
* there are different categories of ConfigAttributes used, this will not be optimal since
* the voter will be voting for attributes which do not represent roles. However, this
* option may be of some use when using pre-existing role names without a prefix, and no
* ability exists to prefix them with a role prefix on reading them in, such as provided
* for example in {@link org.springframework.security.core.userdetails.jdbc.JdbcDaoImpl}.
*
* All comparisons and prefixes are case sensitive.
*
* @author Ben Alex
* @author colin sampaleanu
*/
public class RoleVoter implements AccessDecisionVoter