Package org.springframework.web.servlet.handler

Class UserRoleAuthorizationInterceptor

java.lang.Object

org.springframework.web.servlet.handler.UserRoleAuthorizationInterceptor

All Implemented Interfaces:

HandlerInterceptor

public class UserRoleAuthorizationInterceptor
extends Object
implements HandlerInterceptor

Interceptor that checks the authorization of the current user via the user's roles, as evaluated by HttpServletRequest's isUserInRole method.

Since:

20.06.2003

Author:

Juergen Hoeller

See Also:

• HttpServletRequest.isUserInRole(java.lang.String)

Constructor Summary

Constructors

Constructor	Description
UserRoleAuthorizationInterceptor()

Method Summary

Modifier and Type	Method	Description
protected void	handleNotAuthorized(HttpServletRequest request, HttpServletResponse response, Object handler)	Handle a request that is not authorized according to this interceptor.
final boolean	preHandle(HttpServletRequest request, HttpServletResponse response, Object handler)	Interception point before the execution of a handler.
final void	setAuthorizedRoles(String... authorizedRoles)	Set the roles that this interceptor should treat as authorized.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface org.springframework.web.servlet.HandlerInterceptor

afterCompletion, postHandle

Constructor Details

UserRoleAuthorizationInterceptor

public UserRoleAuthorizationInterceptor()

Method Details

setAuthorizedRoles

public final void setAuthorizedRoles(String... authorizedRoles)

Set the roles that this interceptor should treat as authorized.

Parameters:

authorizedRoles - array of role names

preHandle

public final boolean preHandle(HttpServletRequest request,
 HttpServletResponse response,
 Object handler)
                        throws ServletException,
IOException

Description copied from interface: HandlerInterceptor

Interception point before the execution of a handler. Called after HandlerMapping determined an appropriate handler object, but before HandlerAdapter invokes the handler.

DispatcherServlet processes a handler in an execution chain, consisting of any number of interceptors, with the handler itself at the end. With this method, each interceptor can decide to abort the execution chain, typically sending an HTTP error or writing a custom response.

Note: special considerations apply for asynchronous request processing. For more details see AsyncHandlerInterceptor.

The default implementation returns true.

Specified by:

preHandle in interface HandlerInterceptor

Parameters:

request - current HTTP request

response - current HTTP response

handler - chosen handler to execute, for type and/or instance evaluation

Returns:

true if the execution chain should proceed with the next interceptor or the handler itself. Else, DispatcherServlet assumes that this interceptor has already dealt with the response itself.

Throws:

ServletException

IOException

handleNotAuthorized

protected void handleNotAuthorized(HttpServletRequest request,
 HttpServletResponse response,
 Object handler)
                            throws ServletException,
IOException

Handle a request that is not authorized according to this interceptor. Default implementation sends HTTP status code 403 ("forbidden").

This method can be overridden to write a custom message, forward or redirect to some error page or login page, or throw a ServletException.

Parameters:

request - current HTTP request

response - current HTTP response

handler - chosen handler to execute, for type and/or instance evaluation

Throws:

ServletException - if there is an internal error

IOException - in case of an I/O error when writing the response