org.springframework.richclient.security.support
Class UserRoleSecurityController

java.lang.Object
  extended by org.springframework.richclient.security.support.AbstractSecurityController
      extended by org.springframework.richclient.security.support.UserRoleSecurityController
All Implemented Interfaces:
InitializingBean, AuthenticationAware, SecurityController

public class UserRoleSecurityController
extends AbstractSecurityController

This class controls the authorization of other objects that implement the Authorizable interface, according to the roles held by the currently authenticated user. If the current user holds one or more of the configured roles, then the associated objects are authorized. Otherwise, they are not authorized.

The roles on which to authorize the controlled objects are specified via the authorizingRoles property (setAuthorizingRoles). It should be a comma-separated list of role names.

No secured object is used in preparing the ConfigAttributeDefinition. This means that the configuration is not specific to a given object (no per-object ACLs). The access decision is made strictly on the roles held by the user.

The default access decision manager is an AffirmativeBased instance using a plain RoleVoter. You can override this by setting the accessDecisionManager property.

Below is an example configuration for this class:

   <bean id="adminController"
         class="org.springframework.richclient.security.support.UserRoleSecurityController">
       <property name="authorizingRoles" value="ROLE_ADMIN" />
   </bean>
 
   <bean id="writeController"
         class="org.springframework.richclient.security.support.UserRoleSecurityController">
       <property name="authorizingRoles" value="ROLE_WRITE,ROLE_ADMIN" />
   </bean>
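
The default decision described above (AffirmativeBased with a plain RoleVoter, no secured object), run against the role lists from the sample configuration. This is an added example, not code from Spring Rich Client; the class name RoleDecisionExample, its helpers, the user "alice", the comma splitting and the unprefixed list "WRITE" are assumptions made for illustration, and it needs the Acegi Security 1.0.x and Spring jars on the classpath.

```java
import java.util.Collections;
import org.acegisecurity.AccessDeniedException;
import org.acegisecurity.Authentication;
import org.acegisecurity.ConfigAttributeDefinition;
import org.acegisecurity.GrantedAuthority;
import org.acegisecurity.GrantedAuthorityImpl;
import org.acegisecurity.SecurityConfig;
import org.acegisecurity.providers.UsernamePasswordAuthenticationToken;
import org.acegisecurity.vote.AffirmativeBased;
import org.acegisecurity.vote.RoleVoter;

public class RoleDecisionExample {

    // One config attribute per role name (our own parsing, assumed for illustration).
    static ConfigAttributeDefinition definitionFor(String roles) {
        ConfigAttributeDefinition def = new ConfigAttributeDefinition();
        for (String role : roles.split(",")) {
            def.addConfigAttribute(new SecurityConfig(role.trim()));
        }
        return def;
    }

    // decide() returns normally when access is granted and throws when it is denied.
    static boolean isAuthorized(AffirmativeBased adm, Authentication auth, String roles) {
        try {
            adm.decide(auth, null, definitionFor(roles)); // null: no secured object
            return true;
        } catch (AccessDeniedException denied) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        AffirmativeBased adm = new AffirmativeBased();
        adm.setDecisionVoters(Collections.singletonList(new RoleVoter()));
        adm.afterPropertiesSet();

        // Constructed user holding only ROLE_WRITE.
        Authentication writer = new UsernamePasswordAuthenticationToken("alice", "n/a",
                new GrantedAuthority[] { new GrantedAuthorityImpl("ROLE_WRITE") });

        // Role list of writeController: the user holds one of the two roles.
        System.out.println("write: " + isAuthorized(adm, writer, "ROLE_WRITE,ROLE_ADMIN"));
        // Role list of adminController: the user holds none of the roles.
        System.out.println("admin: " + isAuthorized(adm, writer, "ROLE_ADMIN"));
        // Role name without the ROLE_ prefix: RoleVoter does not vote on it.
        System.out.println("unprefixed: " + isAuthorized(adm, writer, "WRITE"));
    }
}
```

RoleVoter only votes on attributes that carry its ROLE_ prefix, so for the last list the sole voter abstains. AffirmativeBased does not by default allow access when every voter abstains, so that request is denied.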
 
 

Author:
Larry Streepy

Field Summary
 
Fields inherited from class org.springframework.richclient.security.support.AbstractSecurityController
VISIBLE_TRACKS_AUTHORIZED_ACTION
 
Constructor Summary
UserRoleSecurityController()
          Constructor.
 
Method Summary
 String getAuthorizingRoles()
          Get the config attributes.
protected  org.acegisecurity.ConfigAttributeDefinition getConfigAttributeDefinition(Object securedObject)
          Get the ConfigAttributeDefinition for the secured object.
protected  Object getSecuredObject()
          Get the secured object on which we are making the authorization decision.
 void setAuthorizingRoles(String roles)
          Set the roles to compare against the current user's authenticated roles.
 
Methods inherited from class org.springframework.richclient.security.support.AbstractSecurityController
addControlledObject, afterPropertiesSet, doPostProcessorAction, getAccessDecisionManager, getLastAuthentication, getPostProcessorActionsToRun, registerPostProcessorAction, removeControlledObject, runAuthorization, runPostProcessorActions, setAccessDecisionManager, setAuthenticationToken, setControlledObjects, setLastAuthentication, setPostProcessorActionsToRun, shouldAuthorize, updateControlledObject
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Constructor Detail

UserRoleSecurityController

public UserRoleSecurityController()
Constructor.

Method Detail

setAuthorizingRoles

public void setAuthorizingRoles(String roles)
Set the roles to compare against the current user's authenticated roles. The secured objects will be authorized if the user holds one or more of these roles. This should be specified as a simple list of comma-separated role names.

Parameters:
roles - comma-separated list of role names

getAuthorizingRoles

public String getAuthorizingRoles()
Get the config attributes.

Returns:
config attributes

getSecuredObject

protected Object getSecuredObject()
Get the secured object on which we are making the authorization decision. We return null as no specific object is to be considered in the decision.

Specified by:
getSecuredObject in class AbstractSecurityController
Returns:
secured object

getConfigAttributeDefinition

protected org.acegisecurity.ConfigAttributeDefinition getConfigAttributeDefinition(Object securedObject)
Get the ConfigAttributeDefinition for the secured object. This will provide the authorization information to the access decision manager.

Specified by:
getConfigAttributeDefinition in class AbstractSecurityController
Parameters:
securedObject - Secured object for whom the config attribute definition is to be retrieved. This may be null.
Returns:
attribute definition for the provided secured object


Copyright © 2004-2008 The Spring Framework. All Rights Reserved.