Access Control
The Spring Security framework defines the AuthorizationManager interface for implementing access control strategies. The access decision is based on the Authentication object, which gives access to the authenticated principal, and on the protected Object. The verify() method determines whether access should be granted by calling check() and throwing AccessDeniedException when the returned decision denies access.
package org.springframework.security.authorization;

import java.util.function.Supplier;

import org.springframework.lang.Nullable;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.core.Authentication;

@FunctionalInterface
public interface AuthorizationManager<T> {

    // Enforces the decision: throws only when check() explicitly denies.
    // A null decision (abstain) does not block access here.
    default void verify(Supplier<Authentication> authentication, T object) {
        AuthorizationDecision decision = check(authentication, object);
        if (decision != null && !decision.isGranted()) {
            throw new AccessDeniedException("Access Denied");
        }
    }

    // Returns the decision for the protected object, or null to abstain
    @Nullable
    AuthorizationDecision check(Supplier<Authentication> authentication, T object);
}
The Authentication also holds the list of GrantedAuthority objects granted to the principal. You can think of a granted authority as a role (e.g. ROLE_ADMIN) or any other claim. The access decision is enforced by interceptors provided by the Spring Security framework, which can intercept any configured method invocation, web request, or message. The framework provides several AuthorizationManager implementations, and you can also implement your own:
- AuthorityAuthorizationManager
- AuthenticatedAuthorizationManager
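As an added example (not code from the original page or from the Spring Security project), here is a custom AuthorizationManager<RequestAuthorizationContext> that grants a request under /users/{username}/** to a principal holding ROLE_ADMIN or to the principal whose name equals the username path variable, and denies everything else, including anonymous or missing authentications. The class name, the URL pattern, and the use of MockHttpServletRequest from spring-test in main() are assumptions; the wiring comment assumes the Spring Security 6 authorizeHttpRequests/requestMatchers API.

```java
import java.util.Map;
import java.util.function.Supplier;

import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.authorization.AuthorizationDecision;
import org.springframework.security.authorization.AuthorizationManager;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.web.access.intercept.RequestAuthorizationContext;

/** Hypothetical manager: ROLE_ADMIN or the owner named in the path may access /users/{username}/**. */
public class OwnerOrAdminAuthorizationManager implements AuthorizationManager<RequestAuthorizationContext> {

    @Override
    public AuthorizationDecision check(Supplier<Authentication> authentication, RequestAuthorizationContext ctx) {
        Authentication auth = authentication.get();
        // Deny by default: a missing or unauthenticated (e.g. anonymous) Authentication never passes.
        // Returning an explicit false rather than null keeps verify() from treating it as an abstain.
        if (auth == null || !auth.isAuthenticated()) {
            return new AuthorizationDecision(false);
        }
        boolean admin = auth.getAuthorities().stream()
                .map(GrantedAuthority::getAuthority)
                .anyMatch("ROLE_ADMIN"::equals);
        // Path variables are extracted by the request matcher for the pattern /users/{username}/**
        String owner = ctx.getVariables().get("username");
        boolean isOwner = owner != null && owner.equals(auth.getName());
        return new AuthorizationDecision(admin || isOwner);
    }

    // Wiring (assumed, not executed here): http.authorizeHttpRequests(a -> a
    //     .requestMatchers("/users/{username}/**").access(new OwnerOrAdminAuthorizationManager()));

    public static void main(String[] args) {
        AuthorizationManager<RequestAuthorizationContext> manager = new OwnerOrAdminAuthorizationManager();
        // Constructed request context: GET /users/alice/profile with the matched path variable
        RequestAuthorizationContext aliceProfile = new RequestAuthorizationContext(
                new MockHttpServletRequest("GET", "/users/alice/profile"), Map.of("username", "alice"));
        // The 3-argument token constructor marks the Authentication as authenticated
        Authentication alice = new UsernamePasswordAuthenticationToken("alice", "n/a", AuthorityUtils.createAuthorityList("ROLE_USER"));
        Authentication bob = new UsernamePasswordAuthenticationToken("bob", "n/a", AuthorityUtils.createAuthorityList("ROLE_USER"));
        Authentication carol = new UsernamePasswordAuthenticationToken("carol", "n/a", AuthorityUtils.createAuthorityList("ROLE_ADMIN"));

        manager.verify(() -> alice, aliceProfile); // owner: granted
        manager.verify(() -> carol, aliceProfile); // ROLE_ADMIN: granted
        try {
            manager.verify(() -> bob, aliceProfile); // neither owner nor admin: denied
        } catch (AccessDeniedException e) {
            System.out.println("bob denied: " + e.getMessage());
        }
    }
}
```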
