// Check for an external SecurityMetadataSource, which takes priority over other sources
String metaDataSourceId = element.getAttribute(ATT_META_DATA_SOURCE_REF);
if (StringUtils.hasText(metaDataSourceId)) {
delegates.add(new RuntimeBeanReference(metaDataSourceId));
}
if (prePostAnnotationsEnabled) {
Element prePostElt = DomUtils.getChildElementByTagName(element, INVOCATION_HANDLING);
Element expressionHandlerElt = DomUtils.getChildElementByTagName(element, EXPRESSION_HANDLER);
if (prePostElt != null && expressionHandlerElt != null) {
pc.getReaderContext().error(INVOCATION_HANDLING + " and " +
EXPRESSION_HANDLER + " cannot be used together ", source);
}
BeanDefinitionBuilder preInvocationVoterBldr = BeanDefinitionBuilder.rootBeanDefinition(PreInvocationAuthorizationAdviceVoter.class);
// After-invocation provider to handle post-invocation filtering and authorization expression annotations.
BeanDefinitionBuilder afterInvocationBldr = BeanDefinitionBuilder.rootBeanDefinition(PostInvocationAdviceProvider.class);
// The metadata source for the security interceptor
BeanDefinitionBuilder mds = BeanDefinitionBuilder.rootBeanDefinition(PrePostAnnotationSecurityMetadataSource.class);
if (prePostElt != null) {
// Customized override of expression handling system
String attributeFactoryRef =
DomUtils.getChildElementByTagName(prePostElt, INVOCATION_ATTRIBUTE_FACTORY).getAttribute("ref");
String preAdviceRef =
DomUtils.getChildElementByTagName(prePostElt, PRE_INVOCATION_ADVICE).getAttribute("ref");
String postAdviceRef =
DomUtils.getChildElementByTagName(prePostElt, POST_INVOCATION_ADVICE).getAttribute("ref");
mds.addConstructorArgReference(attributeFactoryRef);
preInvocationVoterBldr.addConstructorArgReference(preAdviceRef);
afterInvocationBldr.addConstructorArgReference(postAdviceRef);
} else {
// The default expression-based system
String expressionHandlerRef = expressionHandlerElt == null ? null : expressionHandlerElt.getAttribute("ref");
if (StringUtils.hasText(expressionHandlerRef)) {
logger.info("Using bean '" + expressionHandlerRef + "' as method ExpressionHandler implementation");
RootBeanDefinition lazyInitPP = new RootBeanDefinition(LazyInitBeanDefinitionRegistryPostProcessor.class);
lazyInitPP.getConstructorArgumentValues().addGenericArgumentValue(expressionHandlerRef);
pc.getReaderContext().registerWithGeneratedName(lazyInitPP);
BeanDefinitionBuilder lazyMethodSecurityExpressionHandlerBldr = BeanDefinitionBuilder.rootBeanDefinition(LazyInitTargetSource.class);
lazyMethodSecurityExpressionHandlerBldr.addPropertyValue("targetBeanName", expressionHandlerRef);
BeanDefinitionBuilder expressionHandlerProxyBldr = BeanDefinitionBuilder.rootBeanDefinition(ProxyFactoryBean.class);
expressionHandlerProxyBldr.addPropertyValue("targetSource", lazyMethodSecurityExpressionHandlerBldr.getBeanDefinition());
expressionHandlerProxyBldr.addPropertyValue("proxyInterfaces", MethodSecurityExpressionHandler.class);
expressionHandlerRef = pc.getReaderContext().generateBeanName(expressionHandlerProxyBldr.getBeanDefinition());
pc.registerBeanComponent(new BeanComponentDefinition(expressionHandlerProxyBldr.getBeanDefinition(), expressionHandlerRef));
} else {
BeanDefinition expressionHandler = new RootBeanDefinition(DefaultMethodSecurityExpressionHandler.class);
expressionHandlerRef = pc.getReaderContext().generateBeanName(expressionHandler);
pc.registerBeanComponent(new BeanComponentDefinition(expressionHandler, expressionHandlerRef));
logger.info("Expressions were enabled for method security but no SecurityExpressionHandler was configured. " +
"All hasPermision() expressions will evaluate to false.");
}
BeanDefinitionBuilder expressionPreAdviceBldr = BeanDefinitionBuilder.rootBeanDefinition(ExpressionBasedPreInvocationAdvice.class);
expressionPreAdviceBldr.addPropertyReference("expressionHandler", expressionHandlerRef);
preInvocationVoterBldr.addConstructorArgValue(expressionPreAdviceBldr.getBeanDefinition());
BeanDefinitionBuilder expressionPostAdviceBldr = BeanDefinitionBuilder.rootBeanDefinition(ExpressionBasedPostInvocationAdvice.class);
expressionPostAdviceBldr.addConstructorArgReference(expressionHandlerRef);
afterInvocationBldr.addConstructorArgValue(expressionPostAdviceBldr.getBeanDefinition());
BeanDefinitionBuilder annotationInvocationFactory = BeanDefinitionBuilder.rootBeanDefinition(ExpressionBasedAnnotationAttributeFactory.class);
annotationInvocationFactory.addConstructorArgReference(expressionHandlerRef);
mds.addConstructorArgValue(annotationInvocationFactory.getBeanDefinition());
}
preInvocationVoter = preInvocationVoterBldr.getBeanDefinition();
afterInvocationProviders.add(afterInvocationBldr.getBeanDefinition());
delegates.add(mds.getBeanDefinition());
}
if (useSecured) {
delegates.add(BeanDefinitionBuilder.rootBeanDefinition(SecuredAnnotationSecurityMetadataSource.class).getBeanDefinition());
}
if (jsr250Enabled) {
delegates.add(BeanDefinitionBuilder.rootBeanDefinition(Jsr250MethodSecurityMetadataSource.class).getBeanDefinition());
}
// Now create a Map<String, ConfigAttribute> for each <protect-pointcut> sub-element
Map<String, List<ConfigAttribute>> pointcutMap = parseProtectPointcuts(pc,
DomUtils.getChildElementsByTagName(element, PROTECT_POINTCUT));
if (pointcutMap.size() > 0) {
if (useAspectJ) {
pc.getReaderContext().error("You can't use AspectJ mode with protect-pointcut definitions", source);
}
// Only add it if there are actually any pointcuts defined.
BeanDefinition mapBasedMetadataSource = new RootBeanDefinition(MapBasedMethodSecurityMetadataSource.class);
BeanReference ref = new RuntimeBeanReference(pc.getReaderContext().generateBeanName(mapBasedMetadataSource));
delegates.add(ref);
pc.registerBeanComponent(new BeanComponentDefinition(mapBasedMetadataSource, ref.getBeanName()));
registerProtectPointcutPostProcessor(pc, pointcutMap, ref, source);
}
BeanReference metadataSource = registerDelegatingMethodSecurityMetadataSource(pc, delegates, source);
// Check for additional after-invocation-providers..
List<Element> afterInvocationElts = DomUtils.getChildElementsByTagName(element, Elements.AFTER_INVOCATION_PROVIDER);
for (Element elt : afterInvocationElts) {
afterInvocationProviders.add(new RuntimeBeanReference(elt.getAttribute(ATT_REF)));
}
String accessManagerId = element.getAttribute(ATT_ACCESS_MGR);
if (!StringUtils.hasText(accessManagerId)) {