Update document
Signed-off-by: Tran Ngoc Nhan <ngocnhan.tran1996@gmail.com>
parent
ee4d971db8
commit
d1c4351eb8
|
@ -308,7 +308,7 @@ Java::
|
|||
@Component
|
||||
public class MyPreAuthorizeAuthorizationManager implements ReactiveAuthorizationManager<MethodInvocation> {
|
||||
@Override
|
||||
public Mono<AuthorizationDecision> check(Supplier<Authentication> authentication, MethodInvocation invocation) {
|
||||
public Mono<AuthorizationResult> authorize(Supplier<Authentication> authentication, MethodInvocation invocation) {
|
||||
// ... authorization logic
|
||||
}
|
||||
|
||||
|
@ -321,7 +321,7 @@ Kotlin::
|
|||
----
|
||||
@Component
|
||||
class MyPreAuthorizeAuthorizationManager : ReactiveAuthorizationManager<MethodInvocation> {
|
||||
override fun check(authentication: Supplier<Authentication>, invocation: MethodInvocation): Mono<AuthorizationDecision> {
|
||||
override fun authorize(authentication: Supplier<Authentication>, invocation: MethodInvocation): Mono<AuthorizationResult> {
|
||||
// ... authorization logic
|
||||
}
|
||||
|
||||
|
|
|
@ -544,7 +544,7 @@ public class DynamicAuthorizationManager implements AuthorizationManager<Request
|
|||
// ...
|
||||
|
||||
@Override
|
||||
public AuthorizationDecision check(Supplier<Authentication> authentication, RequestAuthorizationContext context) {
|
||||
public AuthorizationResult authorize(Supplier<Authentication> authentication, RequestAuthorizationContext context) {
|
||||
// query the external service
|
||||
}
|
||||
}
|
||||
|
@ -565,7 +565,7 @@ class DynamicAuthorizationManager : AuthorizationManager<RequestAuthorizationCon
|
|||
|
||||
// ...
|
||||
|
||||
override fun check(authentication: Supplier<Authentication?>?, context: RequestAuthorizationContext?): AuthorizationDecision {
|
||||
override fun authorize(authentication: Supplier<Authentication?>?, context: RequestAuthorizationContext?): AuthorizationResult {
|
||||
// look up rules from the database
|
||||
}
|
||||
}
|
||||
|
@ -595,7 +595,7 @@ public class DynamicAuthorizationManager implements AuthorizationManager<MethodI
|
|||
// ...
|
||||
|
||||
@Override
|
||||
public AuthorizationDecision check(Supplier<Authentication> authentication, MethodInvocation invocation) {
|
||||
public AuthorizationResult authorize(Supplier<Authentication> authentication, MethodInvocation invocation) {
|
||||
// query the external service
|
||||
}
|
||||
}
|
||||
|
@ -617,7 +617,7 @@ class DynamicAuthorizationManager : AuthorizationManager<MethodInvocation?> {
|
|||
private val authz: MyExternalAuthorizationService? = null
|
||||
|
||||
// ...
|
||||
override fun check(authentication: Supplier<Authentication?>?, invocation: MethodInvocation?): AuthorizationDecision {
|
||||
override fun authorize(authentication: Supplier<Authentication?>?, invocation: MethodInvocation?): AuthorizationResult {
|
||||
// query the external service
|
||||
}
|
||||
}
|
||||
|
|
|
@ -99,7 +99,7 @@ The `AuthorizationManager` interface contains two methods:
|
|||
|
||||
[source,java]
|
||||
----
|
||||
AuthorizationDecision check(Supplier<Authentication> authentication, Object secureObject);
|
||||
AuthorizationResult authorize(Supplier<Authentication> authentication, Object secureObject);
|
||||
|
||||
default void verify(Supplier<Authentication> authentication, Object secureObject)
|
||||
throws AccessDeniedException {
|
||||
|
@ -113,7 +113,7 @@ For example, let's assume the secure object was a `MethodInvocation`.
|
|||
It would be easy to query the `MethodInvocation` for any `Customer` argument, and then implement some sort of security logic in the `AuthorizationManager` to ensure the principal is permitted to operate on that customer.
|
||||
Implementations are expected to return a positive `AuthorizationDecision` if access is granted, negative `AuthorizationDecision` if access is denied, and a null `AuthorizationDecision` when abstaining from making a decision.
|
||||
|
||||
`verify` calls `check` and subsequently throws an `AccessDeniedException` in the case of a negative `AuthorizationDecision`.
|
||||
`verify` calls `authorize` and subsequently throws an `AccessDeniedException` in the case of a negative `AuthorizationDecision`.
|
||||
|
||||
[[authz-delegate-authorization-manager]]
|
||||
=== Delegate-based AuthorizationManager Implementations
|
||||
|
@ -180,7 +180,7 @@ public class AccessDecisionManagerAuthorizationManagerAdapter implements Authori
|
|||
private final SecurityMetadataSource securityMetadataSource;
|
||||
|
||||
@Override
|
||||
public AuthorizationDecision check(Supplier<Authentication> authentication, Object object) {
|
||||
public AuthorizationResult authorize(Supplier<Authentication> authentication, Object object) {
|
||||
try {
|
||||
Collection<ConfigAttribute> attributes = this.securityMetadataSource.getAttributes(object);
|
||||
this.accessDecisionManager.decide(authentication.get(), object, attributes);
|
||||
|
@ -216,7 +216,7 @@ public class AccessDecisionVoterAuthorizationManagerAdapter implements Authoriza
|
|||
private final SecurityMetadataSource securityMetadataSource;
|
||||
|
||||
@Override
|
||||
public AuthorizationDecision check(Supplier<Authentication> authentication, Object object) {
|
||||
public AuthorizationResult authorize(Supplier<Authentication> authentication, Object object) {
|
||||
Collection<ConfigAttribute> attributes = this.securityMetadataSource.getAttributes(object);
|
||||
int decision = this.accessDecisionVoter.vote(authentication.get(), object, attributes);
|
||||
switch (decision) {
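Review bot: The prose around `verify` in this section still names the return type as `AuthorizationDecision`, although the signature shown in the first hunk now returns `AuthorizationResult`. The changed sentence would be consistent if it ended `in the case of a negative AuthorizationResult.`, and the unchanged sentence before it ("Implementations are expected to return a positive `AuthorizationDecision` ...") has the same mismatch. That sentence is also where a null return is defined as abstaining, so it is the one readers rely on to learn how a missing result from `authorize` must be handled. If `AuthorizationDecision` is kept there deliberately as one implementation of the new type, a short clause saying so would remove the ambiguity.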
|
||||
|
|
|
@ -861,7 +861,7 @@ Java::
|
|||
@Component
|
||||
public final class OpenPolicyAgentAuthorizationManager implements AuthorizationManager<RequestAuthorizationContext> {
|
||||
@Override
|
||||
public AuthorizationDecision check(Supplier<Authentication> authentication, RequestAuthorizationContext context) {
|
||||
public AuthorizationResult authorize(Supplier<Authentication> authentication, RequestAuthorizationContext context) {
|
||||
// make request to Open Policy Agent
|
||||
}
|
||||
}
|
||||
|
|
|
@ -95,31 +95,30 @@ public class MyAuthorizationEventPublisher implements AuthorizationEventPublishe
|
|||
|
||||
@Override
|
||||
public <T> void publishAuthorizationEvent(Supplier<Authentication> authentication,
|
||||
T object, AuthorizationDecision decision) {
|
||||
if (decision == null) {
|
||||
T object, AuthorizationResult result) {
|
||||
if (result == null) {
|
||||
return;
|
||||
}
|
||||
if (!decision.isGranted()) {
|
||||
this.delegate.publishAuthorizationEvent(authentication, object, decision);
|
||||
if (!result.isGranted()) {
|
||||
this.delegate.publishAuthorizationEvent(authentication, object, result);
|
||||
return;
|
||||
}
|
||||
if (shouldThisEventBePublished(decision)) {
|
||||
if (shouldThisEventBePublished(result)) {
|
||||
AuthorizationGrantedEvent granted = new AuthorizationGrantedEvent(
|
||||
authentication, object, decision);
|
||||
authentication, object, result);
|
||||
this.publisher.publishEvent(granted);
|
||||
}
|
||||
}
|
||||
|
||||
private boolean shouldThisEventBePublished(AuthorizationDecision decision) {
|
||||
if (!(decision instanceof AuthorityAuthorizationDecision)) {
|
||||
return false;
|
||||
}
|
||||
Collection<GrantedAuthority> authorities = ((AuthorityAuthorizationDecision) decision).getAuthorities();
|
||||
private boolean shouldThisEventBePublished(AuthorizationResult result) {
|
||||
if (result instanceof AuthorityAuthorizationDecision authorityAuthorizationDecision) {
|
||||
Collection<GrantedAuthority> authorities = authorityAuthorizationDecision.getAuthorities();
|
||||
for (GrantedAuthority authority : authorities) {
|
||||
if ("ROLE_ADMIN".equals(authority.getAuthority())) {
|
||||
return true;
|
||||
}
|
||||
}
|
||||
}
|
||||
return false;
|
||||
}
|
||||
}
|
||||
|
@ -137,22 +136,22 @@ class MyAuthorizationEventPublisher(val publisher: ApplicationEventPublisher,
|
|||
override fun <T : Any?> publishAuthorizationEvent(
|
||||
authentication: Supplier<Authentication>?,
|
||||
`object`: T,
|
||||
decision: AuthorizationDecision?
|
||||
result: AuthorizationResult?
|
||||
) {
|
||||
if (decision == null) {
|
||||
if (result == null) {
|
||||
return
|
||||
}
|
||||
if (!decision.isGranted) {
|
||||
this.delegate.publishAuthorizationEvent(authentication, `object`, decision)
|
||||
if (!result.isGranted) {
|
||||
this.delegate.publishAuthorizationEvent(authentication, `object`, result)
|
||||
return
|
||||
}
|
||||
if (shouldThisEventBePublished(decision)) {
|
||||
val granted = AuthorizationGrantedEvent(authentication, `object`, decision)
|
||||
if (shouldThisEventBePublished(result)) {
|
||||
val granted = AuthorizationGrantedEvent(authentication, `object`, result)
|
||||
this.publisher.publishEvent(granted)
|
||||
}
|
||||
}
|
||||
|
||||
private fun shouldThisEventBePublished(decision: AuthorizationDecision): Boolean {
|
||||
private fun shouldThisEventBePublished(result: AuthorizationResult): Boolean {
|
||||
if (decision !is AuthorityAuthorizationDecision) {
|
||||
return false
|
||||
}
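Review bot: In the Kotlin `shouldThisEventBePublished` at the end of this section the parameter is renamed to `result: AuthorizationResult`, but the next line, which the hunk's line counts mark as unchanged context, still reads `if (decision !is AuthorityAuthorizationDecision) {`, so the sample refers to a name that no longer exists. The check should follow the rename: `if (result !is AuthorityAuthorizationDecision) {`. The function body continues outside the hunk, so any later use of `decision` there needs the same change. The Java tab in the same section was updated consistently; only the Kotlin tab is affected, and since this sample decides which granted events reach the audit publisher it is worth keeping it compilable as shown.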
|
||||
|
|
|
@ -1371,12 +1371,12 @@ Java::
|
|||
@Component
|
||||
public class MyAuthorizationManager implements AuthorizationManager<MethodInvocation>, AuthorizationManager<MethodInvocationResult> {
|
||||
@Override
|
||||
public AuthorizationDecision check(Supplier<Authentication> authentication, MethodInvocation invocation) {
|
||||
public AuthorizationResult authorize(Supplier<Authentication> authentication, MethodInvocation invocation) {
|
||||
// ... authorization logic
|
||||
}
|
||||
|
||||
@Override
|
||||
public AuthorizationDecision check(Supplier<Authentication> authentication, MethodInvocationResult invocation) {
|
||||
public AuthorizationResult authorize(Supplier<Authentication> authentication, MethodInvocationResult invocation) {
|
||||
// ... authorization logic
|
||||
}
|
||||
}
|
||||
|
@ -1388,11 +1388,11 @@ Kotlin::
|
|||
----
|
||||
@Component
|
||||
class MyAuthorizationManager : AuthorizationManager<MethodInvocation>, AuthorizationManager<MethodInvocationResult> {
|
||||
override fun check(authentication: Supplier<Authentication>, invocation: MethodInvocation): AuthorizationDecision {
|
||||
override fun authorize(authentication: Supplier<Authentication>, invocation: MethodInvocation): AuthorizationResult {
|
||||
// ... authorization logic
|
||||
}
|
||||
|
||||
override fun check(authentication: Supplier<Authentication>, invocation: MethodInvocationResult): AuthorizationDecision {
|
||||
override fun authorize(authentication: Supplier<Authentication>, invocation: MethodInvocationResult): AuthorizationResult {
|
||||
// ... authorization logic
|
||||
}
|
||||
}
|
||||
|
|
|
@ -227,7 +227,7 @@ public final class MessageExpressionAuthorizationManager implements Authorizatio
|
|||
}
|
||||
|
||||
@Override
|
||||
public AuthorizationDecision check(Supplier<Authentication> authentication, MessageAuthorizationContext<?> context) {
|
||||
public AuthorizationResult authorize(Supplier<Authentication> authentication, MessageAuthorizationContext<?> context) {
|
||||
EvaluationContext ctx = this.expressionHandler.createEvaluationContext(authentication, context.getMessage());
|
||||
boolean granted = ExpressionUtils.evaluateAsBoolean(this.expression, ctx);
|
||||
return new ExpressionAuthorizationDecision(granted, this.expression);
|
||||
|
|