SEC-18: Class to verify authorization before invoking method #279
Comments
|
Ben Alex said: It will be necessary to ensure the class emphasises to users that the consequences of the AfterInvocationManager are unable to be used in the allowed(MethodInvocation, Authentication) method. Alternatively, an overloaded version might be: public boolean allowed(MethodInvocation, Authentication, Object) The final argument could be passed to the AfterInvocationManager. This is useful if the response Object is known to be a particular domain object instance (perhaps an Object argument included within the MethodInvocation), as this enables the AfterInvocationManager’s ability to thrown an AccessDeniedException to be tested pre-invocation. |
|
Ben Alex said: Checked in CVS. Unit tests all still pass. |
|
Ben Alex said: Checked in change so SEC-113 changes do not conflict. |
spring-projects-issues
added
in: core
and others
Ben Alex(Migrated from SEC-18) said:
http://forum.springframework.org/viewtopic.php?t=6085
Provide a simple MethodInvocationPrivilegeEvaluator class that has the ObjectDefinitionSource and AccessDecisionManager as collaborators. It would have a single method:
public boolean allowed(MethodInvocation, Authentication);
This allows testing of privileges before calling a method – particularly useful in the case of domain object instance security.
See also SEC-113 for a related helper class.
The text was updated successfully, but these errors were encountered: