Abstract class that implements security interception for secure objects.

The AbstractSecurityInterceptor will ensure the proper startup configuration of the security interceptor. It will also implement the proper handling of secure object invocations, namely:

1. Determine if the request relates to a secured or public invocation by looking up the secure object request against the ObjectDefinitionSource.
2. For an invocation that is secured (there is a ConfigAttributeDefinition for the secure object invocation):
   a. If either isAuthenticated() returns false, or alwaysReauthenticate is true, authenticate the request against the configured AuthenticationManager. When authenticated, replace the Authentication object on the SecurityContextHolder with the returned value.
   b. Perform any run-as replacement via the configured RunAsManager.
   c. Pass control back to the concrete subclass, which will actually proceed with executing the object. An InterceptorStatusToken is returned so that after the subclass has finished proceeding with execution of the object, its finally clause can ensure the AbstractSecurityInterceptor is re-called and tidies up correctly.
   d. The concrete subclass re-calls the AbstractSecurityInterceptor via the afterInvocation(InterceptorStatusToken, Object) method.
   e. If the RunAsManager replaced the Authentication object, return the SecurityContextHolder to the object that existed after the call to AuthenticationManager.
   f. If an AfterInvocationManager is defined, invoke the invocation manager and allow it to replace the object due to be returned to the caller.
3. For an invocation that is public (there is no ConfigAttributeDefinition for the secure object invocation):
   a. As described above, the concrete subclass will be returned an InterceptorStatusToken which is subsequently re-presented to the AbstractSecurityInterceptor after the secure object has been executed. The AbstractSecurityInterceptor will take no further action when its afterInvocation(InterceptorStatusToken, Object) is called.
4. Control again returns to the concrete subclass, along with the Object that should be returned to the caller. The subclass will then return that result or exception to the original caller.
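
The token hand-off and the finally-clause tidy-up described above can be seen in a stand-alone model. This is an added example, not the framework's code: CONTEXT, Token and the static methods are simplified stand-ins for SecurityContextHolder, InterceptorStatusToken and the interceptor's before/after calls, and only the run-as and restore steps are modelled.

```java
import java.util.function.Supplier;

// Simplified model: these types are stand-ins, not the framework's classes.
public class InterceptorFlowDemo {
    // Stand-in for SecurityContextHolder: one Authentication (a name) per thread.
    static final ThreadLocal<String> CONTEXT = new ThreadLocal<>();

    // Stand-in for InterceptorStatusToken: remembers what must be restored.
    record Token(String originalAuth, boolean contextChanged) {}

    // Secured path: apply the run-as replacement, if any, and return a token.
    // Public path (secured == false): the token records that nothing changed.
    static Token beforeInvocation(boolean secured, String runAs) {
        String current = CONTEXT.get();
        if (!secured || runAs == null) return new Token(current, false);
        CONTEXT.set(runAs);
        return new Token(current, true);
    }

    // Put back the Authentication that was in place before run-as replacement.
    static Object afterInvocation(Token token, Object returned) {
        if (token.contextChanged()) CONTEXT.set(token.originalAuth());
        return returned;
    }

    // What a concrete subclass does: proceed inside try, re-call in finally,
    // so the context is restored even when the secure object throws.
    static Object invoke(boolean secured, String runAs, Supplier<Object> secureObject) {
        Token token = beforeInvocation(secured, runAs);
        Object result = null;
        try {
            result = secureObject.get();
        } finally {
            result = afterInvocation(token, result);
        }
        return result;
    }

    public static void main(String[] args) {
        CONTEXT.set("alice"); // constructed sample principal
        Object seen = invoke(true, "RUN_AS_SYSTEM", CONTEXT::get);
        System.out.println(seen + " during call, " + CONTEXT.get() + " after");
        try {
            invoke(true, "RUN_AS_SYSTEM", () -> { throw new IllegalStateException("boom"); });
        } catch (IllegalStateException e) {
            System.out.println(CONTEXT.get() + " after exception");
        }
    }
}
```

If the re-call sat after the try block instead of in finally, an exception from the secure object would leave the run-as identity on the thread for whatever runs there next.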