org.springframework.security.access.method.AbstractFallbackMethodSecurityMetadataSource.java Source code

Java tutorial

  1. HOME
  2. Java
  3. org.springframework.security.access.method.AbstractFallbackMethodSecurityMetadataSource.java

Introduction

Here is the source code for org.springframework.security.access.method.AbstractFallbackMethodSecurityMetadataSource.java

Source

/*
 * Copyright 2002-2016 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      https://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package org.springframework.security.access.method;

import java.lang.reflect.Method;
import java.util.*;

import org.springframework.aop.support.AopUtils;
import org.springframework.security.access.ConfigAttribute;

/**
 * Abstract implementation of {@link MethodSecurityMetadataSource} that supports both
 * Spring AOP and AspectJ and performs attribute resolution from: 1. specific target
 * method; 2. target class; 3. declaring method; 4. declaring class/interface. Use with
 * {@link DelegatingMethodSecurityMetadataSource} for caching support.
 * <p>
 * This class mimics the behaviour of Spring's
 * <tt>AbstractFallbackTransactionAttributeSource</tt> class.
 * <p>
 * Note that this class cannot extract security metadata where that metadata is expressed
 * by way of a target method/class (i.e. #1 and #2 above) AND the target method/class is
 * encapsulated in another proxy object. Spring Security does not walk a proxy chain to
 * locate the concrete/final target object. Consider making Spring Security your final
 * advisor (so it advises the final target, as opposed to another proxy), move the
 * metadata to declared methods or interfaces the proxy implements, or provide your own
 * replacement <tt>MethodSecurityMetadataSource</tt>.
 *
 * @author Ben Alex
 * @author Luke taylor
 * @since 2.0
 */
public abstract class AbstractFallbackMethodSecurityMetadataSource extends AbstractMethodSecurityMetadataSource {

    public Collection<ConfigAttribute> getAttributes(Method method, Class<?> targetClass) {
        // The method may be on an interface, but we need attributes from the target
        // class.
        // If the target class is null, the method will be unchanged.
        Method specificMethod = AopUtils.getMostSpecificMethod(method, targetClass);
        // First try is the method in the target class.
        Collection<ConfigAttribute> attr = findAttributes(specificMethod, targetClass);
        if (attr != null) {
            return attr;
        }

        // Second try is the config attribute on the target class.
        attr = findAttributes(specificMethod.getDeclaringClass());
        if (attr != null) {
            return attr;
        }

        if (specificMethod != method || targetClass == null) {
            // Fallback is to look at the original method.
            attr = findAttributes(method, method.getDeclaringClass());
            if (attr != null) {
                return attr;
            }
            // Last fallback is the class of the original method.
            return findAttributes(method.getDeclaringClass());
        }
        return Collections.emptyList();
    }

    /**
     * Obtains the security metadata applicable to the specified method invocation.
     *
     * <p>
     * Note that the {@link Method#getDeclaringClass()} may not equal the
     * <code>targetClass</code>. Both parameters are provided to assist subclasses which
     * may wish to provide advanced capabilities related to method metadata being
     * "registered" against a method even if the target class does not declare the method
     * (i.e. the subclass may only inherit the method).
     *
     * @param method the method for the current invocation (never <code>null</code>)
     * @param targetClass the target class for the invocation (may be <code>null</code>)
     * @return the security metadata (or null if no metadata applies)
     */
    protected abstract Collection<ConfigAttribute> findAttributes(Method method, Class<?> targetClass);

    /**
     * Obtains the security metadata registered against the specified class.
     *
     * <p>
     * Subclasses should only return metadata expressed at a class level. Subclasses
     * should NOT aggregate metadata for each method registered against a class, as the
     * abstract superclass will separate invoke {@link #findAttributes(Method, Class)} for
     * individual methods as appropriate.
     *
     * @param clazz the target class for the invocation (never <code>null</code>)
     * @return the security metadata (or null if no metadata applies)
     */
    protected abstract Collection<ConfigAttribute> findAttributes(Class<?> clazz);

}