Using access decision manager to support authorization

In the flow shown earlier, it is AccessDecisionManager that makes the final access decision once the caller has been authenticated.

The following diagram shows how AccessDecisionManager works:

AccessDecisionManager does not decide on its own: it delegates to a list of AccessDecisionVoter implementations, asks each one for a vote, and combines the votes according to its strategy.

Each voter returns one of three results:

  • ACCESS_GRANTED: A positive vote
  • ACCESS_ABSTAIN: Not participating in the vote, typically because the voter does not support any of the ConfigAttribute values on the secured object
  • ACCESS_DENIED: A negative vote

There are three default implementations of AccessDecisionManager:

  • AffirmativeBased: Grants access as soon as any voter returns ACCESS_GRANTED. Access is denied if no voter grants it and at least one voter denies it.
  • ConsensusBased: Decides by majority. If the positive votes outnumber the negative votes, access is granted; if the negative votes outnumber the positive votes, it is denied. If positive and negative votes are equal (and not both zero), the outcome is decided by the configured flag allowIfEqualGrantedDeniedDecisions, which defaults to true.
  • UnanimousBased: Denies access if even one voter casts a negative vote. Unlike the other two, it polls the voters for each ConfigAttribute separately, so a single denied attribute is enough to refuse the request. Access is granted only if at least one voter grants it and none denies it.

In all three cases, if every voter abstains the decision falls back to the configured flag allowIfAllAbstainDecisions. It defaults to false, so a ConfigAttribute that no voter understands fails closed rather than open.

The interface for AccessDecisionManager is as follows. Note that decide() returns nothing: access is granted when it returns normally and refused by throwing AccessDeniedException (or InsufficientAuthenticationException when the caller must first authenticate more strongly):

import java.util.Collection;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.authentication.InsufficientAuthenticationException;
import org.springframework.security.core.Authentication;

public interface AccessDecisionManager {
    // Returns normally to grant access; throws to refuse it.
    void decide(Authentication authentication, Object object,
            Collection<ConfigAttribute> configAttributes)
            throws AccessDeniedException, InsufficientAuthenticationException;
    // Also part of the interface: can this manager handle the attribute / object type?
    boolean supports(ConfigAttribute attribute);
    boolean supports(Class<?> clazz);
}

Every AccessDecisionManager implementation follows the same pattern: it asks each configured AccessDecisionVoter for a vote and then combines the votes according to its strategy. In AffirmativeBased, for example, the core of decide() looks like this:

for (AccessDecisionVoter voter : getDecisionVoters()) {
    int result = voter.vote(authentication, object, configAttributes);
    // Combine the votes according to the strategy. AffirmativeBased returns as soon
    // as one voter grants access, throws AccessDeniedException if any voter denied
    // and nobody granted, and otherwise falls back to allowIfAllAbstainDecisions.
}

The interface for AccessDecisionVoter is shown in the following code. As discussed earlier, each voter returns one of the three statuses—ACCESS_GRANTED , ACCESS_ABSTAIN, or ACCESS_DENIED:

import java.util.Collection;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.core.Authentication;

public interface AccessDecisionVoter<S> {
    int ACCESS_GRANTED = 1;
    int ACCESS_ABSTAIN = 0;
    int ACCESS_DENIED = -1;

    // Can this voter process the given ConfigAttribute / secured object type?
    boolean supports(ConfigAttribute attribute);
    boolean supports(Class<?> clazz);

    // Returns one of the three constants above.
    int vote(Authentication authentication, S object,
            Collection<ConfigAttribute> attributes);
}

The following screenshot shows the different implementations of AccessDecisionVoter:

Some of the important implementations are as follows:

  • RoleVoter: Votes on ConfigAttribute values that start with the ROLE_ prefix (configurable through setRolePrefix). It grants access if any of the user's GrantedAuthority values matches one of those attributes, denies access otherwise, and abstains when none of the attributes carries the prefix.
  • AuthenticatedVoter: Votes on the attributes IS_AUTHENTICATED_FULLY, IS_AUTHENTICATED_REMEMBERED, and IS_AUTHENTICATED_ANONYMOUSLY, using an AuthenticationTrustResolver to tell apart an anonymous user, a remember-me user, and a user who authenticated fully in this session.
  • Jsr250Voter: Votes based on the JSR-250 annotations @RolesAllowed, @PermitAll, and @DenyAll. We will talk about JSR-250 a little later.
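The following program is an added example, not code from the book or from Spring Security itself. It wires the built-in RoleVoter and AuthenticatedVoter together with a hypothetical custom voter (OwnerVoter, voting on a made-up OWNER_ONLY attribute over a made-up Document type) into all three default managers, and runs the same "admin OR owner" policy through each of them to show how the vote-combining strategy changes the outcome. It assumes Spring Security 5.x on the classpath (AccessDecisionManager and the voters are deprecated in later versions in favour of AuthorizationManager) and uses TestingAuthenticationToken to construct already-authenticated principals.

```java
import java.util.Arrays;
import java.util.Collection;
import java.util.List;

import org.springframework.security.access.AccessDecisionManager;
import org.springframework.security.access.AccessDecisionVoter;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.SecurityConfig;
import org.springframework.security.access.vote.AffirmativeBased;
import org.springframework.security.access.vote.AuthenticatedVoter;
import org.springframework.security.access.vote.ConsensusBased;
import org.springframework.security.access.vote.RoleVoter;
import org.springframework.security.access.vote.UnanimousBased;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.core.Authentication;

public class VoterDemo {

    /** Hypothetical secured object: a document that belongs to exactly one user. */
    static class Document {
        final String owner;
        Document(String owner) { this.owner = owner; }
    }

    /**
     * Hypothetical custom voter. It takes part only when the OWNER_ONLY attribute is
     * present and abstains otherwise, so it never blocks calls it knows nothing about.
     */
    static class OwnerVoter implements AccessDecisionVoter<Document> {
        static final String OWNER_ONLY = "OWNER_ONLY";

        @Override
        public boolean supports(ConfigAttribute attribute) {
            return OWNER_ONLY.equals(attribute.getAttribute());
        }

        @Override
        public boolean supports(Class<?> clazz) {
            return Document.class.isAssignableFrom(clazz);
        }

        @Override
        public int vote(Authentication authentication, Document doc,
                        Collection<ConfigAttribute> attributes) {
            for (ConfigAttribute attribute : attributes) {
                if (supports(attribute)) {
                    return authentication.getName().equals(doc.owner)
                            ? ACCESS_GRANTED : ACCESS_DENIED;
                }
            }
            return ACCESS_ABSTAIN;
        }
    }

    /** decide() is void and signals refusal by throwing; turn that into a string. */
    static String outcome(AccessDecisionManager manager, Authentication auth,
                          Object object, List<ConfigAttribute> attributes) {
        try {
            manager.decide(auth, object, attributes);
            return "granted";
        } catch (AccessDeniedException ex) {
            return "denied";
        }
    }

    public static void main(String[] args) {
        List<AccessDecisionVoter<?>> voters = Arrays.asList(
                new RoleVoter(), new AuthenticatedVoter(), new OwnerVoter());
        AccessDecisionManager affirmative = new AffirmativeBased(voters);
        AccessDecisionManager consensus = new ConsensusBased(voters);
        AccessDecisionManager unanimous = new UnanimousBased(voters);

        // Constructed test principals; TestingAuthenticationToken marks them authenticated.
        Authentication alice = new TestingAuthenticationToken("alice", "n/a", "ROLE_ADMIN");
        Authentication bob = new TestingAuthenticationToken("bob", "n/a", "ROLE_USER");
        Authentication carol = new TestingAuthenticationToken("carol", "n/a", "ROLE_USER");
        Document bobsDoc = new Document("bob");

        // Intended policy: an admin OR the document's owner may access it.
        // alice: RoleVoter grants, OwnerVoter denies; bob: RoleVoter denies, OwnerVoter grants;
        // carol: both deny. AuthenticatedVoter abstains because no IS_AUTHENTICATED_* attribute is set.
        List<ConfigAttribute> adminOrOwner =
                SecurityConfig.createList("ROLE_ADMIN", OwnerVoter.OWNER_ONLY);
        for (Authentication user : Arrays.asList(alice, bob, carol)) {
            System.out.printf("%-5s affirmative=%s consensus=%s unanimous=%s%n", user.getName(),
                    outcome(affirmative, user, bobsDoc, adminOrOwner),
                    outcome(consensus, user, bobsDoc, adminOrOwner),
                    outcome(unanimous, user, bobsDoc, adminOrOwner));
        }

        // An attribute no voter understands: every voter abstains, and with the default
        // allowIfAllAbstainDecisions=false all three managers fail closed.
        List<ConfigAttribute> unknown = SecurityConfig.createList("SCOPE_read");
        System.out.println("unknown attribute: " + outcome(affirmative, alice, bobsDoc, unknown));
    }
}
```

Running it shows why the choice of manager is a security decision and not a detail: AffirmativeBased implements the intended OR (alice and bob pass, carol is refused); UnanimousBased turns the same attributes into an AND, refusing both alice (not the owner) and bob (not an admin) because each attribute is voted on separately and one denial is fatal; ConsensusBased passes alice and bob only because the 1:1 tie is resolved by allowIfEqualGrantedDeniedDecisions, whose default of true is worth checking when you rely on it. The final call shows the safe default for unrecognised attributes: nobody votes, so access is denied.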