/**
 * Puts the security context recorded in the token back into
 * {@code SecurityContextHolder} once the secure object invocation is over.
 * <p>
 * Nothing happens for a {@code null} token or for a token that does not ask for a
 * context refresh. Invoke this after the secure object invocation and before
 * {@code afterInvocation}, from a {@code finally} block, so the restore also runs
 * when the invocation throws; otherwise the holder keeps whatever context was in
 * place during the invocation.
 *
 * @param token as returned by the {@link #beforeInvocation(Object)} method
 */
protected void finallyInvocation(InterceptorStatusToken token) {
    // Nothing to restore without a token, or when the token does not request a refresh.
    if (token == null || !token.isContextHolderRefreshRequired()) {
        return;
    }

    if (logger.isDebugEnabled()) {
        // NOTE(review): the message embeds the Authentication's string form; what that
        // exposes depends on the Authentication implementation - confirm it is safe to log.
        logger.debug("Reverting to original Authentication: "
                + token.getSecurityContext().getAuthentication());
    }

    SecurityContextHolder.setContext(token.getSecurityContext());
}
/**
 * Puts the security context recorded in the token back into
 * {@code SecurityContextHolder} once the secure object invocation is over.
 * <p>
 * Nothing happens for a {@code null} token or for a token that does not ask for a
 * context refresh. Invoke this after the secure object invocation and before
 * {@code afterInvocation}, from a {@code finally} block, so the restore also runs
 * when the invocation throws; otherwise the holder keeps whatever context was in
 * place during the invocation.
 *
 * @param token as returned by the {@link #beforeInvocation(Object)} method
 */
protected void finallyInvocation(InterceptorStatusToken token) {
    // Nothing to restore without a token, or when the token does not request a refresh.
    if (token == null || !token.isContextHolderRefreshRequired()) {
        return;
    }

    if (logger.isDebugEnabled()) {
        // NOTE(review): the message embeds the Authentication's string form; what that
        // exposes depends on the Authentication implementation - confirm it is safe to log.
        logger.debug("Reverting to original Authentication: "
                + token.getSecurityContext().getAuthentication());
    }

    SecurityContextHolder.setContext(token.getSecurityContext());
}
// Excerpt of a larger method; its signature and any surrounding try/catch are not shown here.
// The after-invocation decision is made with the Authentication held in the token's
// security context, together with the secure object and attributes the token recorded.
returnedObject = afterInvocationManager.decide(token.getSecurityContext()
        .getAuthentication(), token.getSecureObject(), token
        .getAttributes(), returnedObject);
// NOTE(review): accessDeniedException is not declared in this excerpt; presumably the event
// is built inside a catch block for a denial raised by decide() - confirm against the full method.
AuthorizationFailureEvent event = new AuthorizationFailureEvent(
        token.getSecureObject(), token.getAttributes(), token
        .getSecurityContext().getAuthentication(), accessDeniedException);
// Publish the failure so the denial is visible to event listeners.
publishEvent(event);
// Excerpt of a larger method; its signature and any surrounding try/catch are not shown here.
// The after-invocation decision is made with the Authentication held in the token's
// security context, together with the secure object and attributes the token recorded.
returnedObject = afterInvocationManager.decide(token.getSecurityContext()
        .getAuthentication(), token.getSecureObject(), token
        .getAttributes(), returnedObject);
// NOTE(review): accessDeniedException is not declared in this excerpt; presumably the event
// is built inside a catch block for a denial raised by decide() - confirm against the full method.
AuthorizationFailureEvent event = new AuthorizationFailureEvent(
        token.getSecureObject(), token.getAttributes(), token
        .getSecurityContext().getAuthentication(), accessDeniedException);
// Publish the failure so the denial is visible to event listeners.
publishEvent(event);
/**
 * Checks that an {@code InterceptorStatusToken} hands back exactly what it was
 * constructed with: the refresh flag, the attributes, the secure object and the
 * very same security context instance.
 */
@Test
public void testOperation() {
    // Fixtures: an empty context, one config attribute and a bare method invocation.
    SecurityContext emptyContext = SecurityContextHolder.createEmptyContext();
    List<ConfigAttribute> configAttributes = SecurityConfig.createList("FOO");
    MethodInvocation invocation = new SimpleMethodInvocation();

    InterceptorStatusToken statusToken =
            new InterceptorStatusToken(emptyContext, true, configAttributes, invocation);

    assertThat(statusToken.isContextHolderRefreshRequired()).isTrue();
    assertThat(statusToken.getAttributes()).isEqualTo(configAttributes);
    assertThat(statusToken.getSecureObject()).isEqualTo(invocation);
    // Identity, not equality: the token must keep the context it was given, not a copy.
    assertThat(statusToken.getSecurityContext()).isSameAs(emptyContext);
}
} // closes the enclosing test class, whose header is outside this excerpt
/**
 * Puts the security context recorded in the token back into
 * {@code SecurityContextHolder} once the secure object invocation is over.
 * <p>
 * Nothing happens for a {@code null} token or for a token that does not ask for a
 * context refresh. Invoke this after the secure object invocation and before
 * {@code afterInvocation}, from a {@code finally} block, so the restore also runs
 * when the invocation throws; otherwise the holder keeps whatever context was in
 * place during the invocation.
 *
 * @param token as returned by the {@link #beforeInvocation(Object)} method
 */
protected void finallyInvocation(InterceptorStatusToken token) {
    // Nothing to restore without a token, or when the token does not request a refresh.
    if (token == null || !token.isContextHolderRefreshRequired()) {
        return;
    }

    if (logger.isDebugEnabled()) {
        // NOTE(review): the message embeds the Authentication's string form; what that
        // exposes depends on the Authentication implementation - confirm it is safe to log.
        logger.debug("Reverting to original Authentication: "
                + token.getSecurityContext().getAuthentication());
    }

    SecurityContextHolder.setContext(token.getSecurityContext());
}
/**
 * Puts the security context recorded in the token back into
 * {@code SecurityContextHolder} once the secure object invocation is over.
 * <p>
 * Nothing happens for a {@code null} token or for a token that does not ask for a
 * context refresh. Invoke this after the secure object invocation and before
 * {@code afterInvocation}, from a {@code finally} block, so the restore also runs
 * when the invocation throws; otherwise the holder keeps whatever context was in
 * place during the invocation.
 *
 * @param token as returned by the {@link #beforeInvocation(Object)} method
 */
protected void finallyInvocation(InterceptorStatusToken token) {
    // Nothing to restore without a token, or when the token does not request a refresh.
    if (token == null || !token.isContextHolderRefreshRequired()) {
        return;
    }

    if (logger.isDebugEnabled()) {
        // NOTE(review): the message embeds the Authentication's string form; what that
        // exposes depends on the Authentication implementation - confirm it is safe to log.
        logger.debug("Reverting to original Authentication: "
                + token.getSecurityContext().getAuthentication());
    }

    SecurityContextHolder.setContext(token.getSecurityContext());
}
// Excerpt of a larger method; its signature and any surrounding try/catch are not shown here.
// The after-invocation decision is made with the Authentication held in the token's
// security context, together with the secure object and attributes the token recorded.
returnedObject = afterInvocationManager.decide(token.getSecurityContext()
        .getAuthentication(), token.getSecureObject(), token
        .getAttributes(), returnedObject);
// NOTE(review): accessDeniedException is not declared in this excerpt; presumably the event
// is built inside a catch block for a denial raised by decide() - confirm against the full method.
AuthorizationFailureEvent event = new AuthorizationFailureEvent(
        token.getSecureObject(), token.getAttributes(), token
        .getSecurityContext().getAuthentication(), accessDeniedException);
// Publish the failure so the denial is visible to event listeners.
publishEvent(event);
/**
 * Finishes the interceptor's work once the secure object invocation has returned.
 * <p>
 * A {@code null} token marks a public object, and the returned value is passed
 * through untouched. Otherwise {@link #finallyInvocation(InterceptorStatusToken)}
 * runs first and then, if an after-invocation manager is configured, it decides on
 * the returned object using the {@code Authentication} held in the token's security
 * context. A denial is published as an {@code AuthorizationFailureEvent} and then
 * rethrown, so it is reported to listeners and never swallowed.
 *
 * @param token as returned by the {@link #beforeInvocation(Object)} method
 * @param returnedObject any object returned from the secure object invocation (may be
 *        {@code null})
 * @return the object the secure object invocation should ultimately return to its
 *         caller (may be {@code null})
 * @throws AccessDeniedException if the after-invocation manager denies access to the
 *         returned object
 */
protected Object afterInvocation(InterceptorStatusToken token, Object returnedObject) {
    if (token == null) {
        // public object
        return returnedObject;
    }

    // Still cleans up here for passivity, even though callers are expected to have
    // called finallyInvocation themselves.
    finallyInvocation(token);

    if (afterInvocationManager == null) {
        return returnedObject;
    }

    // Attempt after invocation handling
    try {
        return afterInvocationManager.decide(token.getSecurityContext().getAuthentication(),
                token.getSecureObject(), token.getAttributes(), returnedObject);
    }
    catch (AccessDeniedException denied) {
        // Report the failed authorization before letting the denial propagate.
        publishEvent(new AuthorizationFailureEvent(token.getSecureObject(),
                token.getAttributes(), token.getSecurityContext().getAuthentication(), denied));
        throw denied;
    }
}