Prior to Spring Security 2.0, securing MethodInvocations needed quite a lot of boiler plate configuration. Now the recommended approach for method security is to use namespace configuration.
This way the method security infrastructure beans are configured automatically for you so you don't really need to
know about the implementation classes. We'll just provide a quick overview of the classes that are involved here.
Method security is enforced using a MethodSecurityInterceptor, which secures MethodInvocations. Depending on the configuration approach, an interceptor may be specific to a single bean or shared between multiple beans. The interceptor uses a MethodDefinitionSource instance to obtain the configuration attributes that apply to a particular method invocation.
MapBasedMethodDefinitionSource is used to store configuration attributes keyed by method names (which can be wildcarded) and will be used internally when the attributes are defined in the application context using the <intercept-methods> or <protect-point> elements. Other implementations will be used to handle annotation-based configuration.
You can of course configure a MethodSecurityInterceptor directly in your application context for use with one of Spring AOP's proxying mechanisms:
<bean id="bankManagerSecurity"
    class="org.springframework.security.intercept.method.aopalliance.MethodSecurityInterceptor">
  <property name="authenticationManager" ref="authenticationManager"/>
  <property name="accessDecisionManager" ref="accessDecisionManager"/>
  <property name="afterInvocationManager" ref="afterInvocationManager"/>
  <property name="objectDefinitionSource">
    <value>
      org.springframework.security.context.BankManager.delete*=ROLE_SUPERVISOR
      org.springframework.security.context.BankManager.getBalance=ROLE_TELLER,ROLE_SUPERVISOR
    </value>
  </property>
</bean>
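A name-keyed mapping like the objectDefinitionSource value above only yields attributes for methods that some entry matches. The following added example (not Spring Security's own code) uses a simplified model of the wildcard lookup to list which attributes each method of a type would receive, so methods with no matching entry stand out. The nested BankManager interface, its methods and the matching rules are assumptions made for illustration.

```java
import java.lang.reflect.Method;
import java.util.*;

public class MethodMappingAudit {

    // Hypothetical stand-in for the BankManager type named in the configuration.
    interface BankManager {
        void deleteAccount(long id);
        void deleteHistory(long id);
        float getBalance(long id);
        void transfer(long from, long to, float amount); // no entry covers this
    }

    // Simplified model (assumption): exact name, or one leading/trailing '*'.
    static boolean matches(String methodName, String pattern) {
        if (pattern.endsWith("*")) {
            return methodName.startsWith(pattern.substring(0, pattern.length() - 1));
        }
        if (pattern.startsWith("*")) {
            return methodName.endsWith(pattern.substring(1));
        }
        return methodName.equals(pattern);
    }

    // Returns method name -> attributes; an empty list means no entry matched.
    static Map<String, List<String>> audit(Class<?> type, Map<String, String> mappings) {
        Map<String, List<String>> result = new TreeMap<>();
        for (Method m : type.getDeclaredMethods()) {
            String best = null;
            for (String pattern : mappings.keySet()) {
                // Assumption: when several entries match, the longer one wins.
                if (matches(m.getName(), pattern)
                        && (best == null || pattern.length() > best.length())) {
                    best = pattern;
                }
            }
            result.put(m.getName(), best == null
                    ? Collections.<String>emptyList()
                    : Arrays.asList(mappings.get(best).split(",")));
        }
        return result;
    }

    public static void main(String[] args) {
        // Same entries as the bean definition, keyed by simple method name.
        Map<String, String> mappings = new LinkedHashMap<>();
        mappings.put("delete*", "ROLE_SUPERVISOR");
        mappings.put("getBalance", "ROLE_TELLER,ROLE_SUPERVISOR");
        audit(BankManager.class, mappings).forEach((name, attrs) ->
                System.out.println(name + " -> " + (attrs.isEmpty() ? "NO ATTRIBUTES" : attrs)));
    }
}
```

In this sample, transfer is reported with no attributes: the interceptor would have nothing to check for it, so a review of such a mapping should confirm that every unmatched method is meant to be callable without an access decision.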