I am currently working on a simple role-based access control in Spring. I am using an implementation of AccessDecisionVoter. So I wonder what is the Object o parameter in the
public int vote(Authentication authentication, Object o, Collection<ConfigAttribute> configAttributes) { 
method? Spring documentation says it is "the secured object". I use intercept-urls and this voter gets called, so is it a controller? Or is it just a string of the url?
Thanks in advance.
If you are using Spring Security 3.1, AccessDecisionVoter should already be generic, with the <S> parameter used as the second argument in the vote method. You can browse the source code of AccessDecisionVoter implementations (for ex. WebExpressionVoter, which implements AccessDecisionVoter<FilterInvocation>) to understand the concept. Some of these implementations use Object as the generic parameter because they don't need to use the secured object at all (for ex. RoleVoter).
In your case what you probably need is to override the supports(Class<?>) method (from docs: It indicates whether the AccessDecisionVoter implementation is able to provide access control votes for the indicated secured object type.) to get FilterInvocation as the secured object like WebExpressionVoter does:
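@Override
public boolean supports(Class<?> clazz) {
    // True only when the secured object type is FilterInvocation (or a subclass),
    // so vote() never receives an object it cannot handle.
    return FilterInvocation.class.isAssignableFrom(clazz);
}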
and then your vote implementation could be:
@Override
public int vote(Authentication authentication, FilterInvocation fi,
    Collection<ConfigAttribute> attributes) {
  String url = fi.getRequestUrl();
  // rest of code, you can also fetch request / response from fi
  return ACCESS_ABSTAIN; // placeholder so the method compiles; replace with your decision
}
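A complete voter along the lines of this answer, as an added example that is not part of the original post. The class name `AdminPathVoter`, the `/admin/` prefix and the `ROLE_ADMIN` authority are assumptions chosen for illustration.

```java
import java.util.Collection;

import org.springframework.security.access.AccessDecisionVoter;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.web.FilterInvocation;

// Hypothetical voter: class name, URL prefix and role are illustrative assumptions.
public class AdminPathVoter implements AccessDecisionVoter<FilterInvocation> {

    private static final String PROTECTED_PREFIX = "/admin/"; // assumed path
    private static final String REQUIRED_ROLE = "ROLE_ADMIN"; // assumed authority

    @Override
    public boolean supports(ConfigAttribute attribute) {
        // The decision is based on the URL, so every attribute is acceptable.
        return true;
    }

    @Override
    public boolean supports(Class<?> clazz) {
        // With intercept-url the secured object is a FilterInvocation.
        return FilterInvocation.class.isAssignableFrom(clazz);
    }

    @Override
    public int vote(Authentication authentication, FilterInvocation fi,
            Collection<ConfigAttribute> attributes) {
        // getRequestUrl() returns the path within the application plus any query string.
        String url = fi.getRequestUrl();
        if (!url.startsWith(PROTECTED_PREFIX)) {
            return ACCESS_ABSTAIN; // not this voter's concern; other voters decide
        }
        if (authentication == null) {
            return ACCESS_DENIED; // fail closed when no authentication is present
        }
        for (GrantedAuthority authority : authentication.getAuthorities()) {
            if (REQUIRED_ROLE.equals(authority.getAuthority())) {
                return ACCESS_GRANTED;
            }
        }
        return ACCESS_DENIED; // protected URL and the required role is missing
    }
}
```

Because the voter abstains for URLs outside the prefix, the outcome for those requests depends on the other voters and on the AccessDecisionManager's all-abstain setting.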