/**
 * Resolves the access-control decision for one secured invocation.
 *
 * <p>The return type is {@code void}: in the implementations shown on this page a normal
 * return means access is granted, and a refusal is reported only by throwing. Callers
 * therefore must not catch and discard the declared exceptions, or a denial silently
 * becomes a grant.
 *
 * @param authentication the caller whose access is being decided
 * @param object the secured object being accessed
 * @param configAttributes the configuration attributes attached to the secured object
 * @throws AccessDeniedException if access is refused
 * @throws InsufficientAuthenticationException declared by the contract; none of the
 *     implementations listed here throws it directly. NOTE(review): presumably raised when
 *     the caller's authentication is not trusted enough; confirm against the framework docs
 */
void decide(Authentication authentication, Object object, Collection<ConfigAttribute> configAttributes) throws AccessDeniedException, InsufficientAuthenticationException;
decide 方法的各个实现类通过投票器(AccessDecisionVoter)投票来决定是否放行。
AffirmativeBased实现类
/**
 * Decision manager in which a single granting vote is enough to allow access.
 *
 * <p>Security-relevant consequences of this policy, as implemented in {@link #decide}:
 * <ul>
 *   <li>one {@code ACCESS_GRANTED} vote outweighs any number of {@code ACCESS_DENIED} votes,
 *       so a voter cannot act as a veto under this manager;</li>
 *   <li>polling stops at the first grant, so voters later in the list are never consulted
 *       for that request.</li>
 * </ul>
 *
 * <p>NOTE(review): this listing is abridged. It has no {@code extends} clause, yet it calls
 * {@code super(decisionVoters)}, {@code getDecisionVoters()}, {@code this.messages} and
 * {@code checkAllowIfAllAbstainDecisions()}, which must come from a base class not shown here.
 */
public class AffirmativeBased {

    /**
     * Switch for the "every voter abstained" case; {@code false} by default.
     * Per the page author's notes, {@code false} means an all-abstain result is denied.
     * NOTE(review): the code that reads this flag is not in this listing; presumably it is
     * {@code checkAllowIfAllAbstainDecisions()}. Confirm against the base class.
     */
    private boolean allowIfAllAbstainDecisions = false;

    /**
     * Creates the manager with the voters to poll.
     *
     * @param decisionVoters the voters to consult; the page author notes it must not be null
     */
    public AffirmativeBased(List<AccessDecisionVoter<?>> decisionVoters) {
        super(decisionVoters);
    }

    /**
     * Polls the voters in order and allows access on the first grant.
     *
     * <p>If nobody grants and at least one voter denies, access is refused. If every voter
     * abstains, the outcome is delegated to {@code checkAllowIfAllAbstainDecisions()}.
     *
     * @param authentication the caller whose access is being decided
     * @param object the secured object being accessed
     * @param configAttributes the configuration attributes attached to the secured object
     * @throws AccessDeniedException if no voter granted and at least one denied (and,
     *     per the page author's notes, when all abstain and abstention is not allowed)
     */
    public void decide(Authentication authentication, Object object,
            Collection<ConfigAttribute> configAttributes)
            throws AccessDeniedException {
        int denials = 0;
        for (AccessDecisionVoter voter : getDecisionVoters()) {
            int vote = voter.vote(authentication, object, configAttributes);
            if (vote == AccessDecisionVoter.ACCESS_GRANTED) {
                // First grant wins: remaining voters are skipped and earlier denials are ignored.
                return;
            }
            if (vote == AccessDecisionVoter.ACCESS_DENIED) {
                denials++;
            }
            // Any other value is treated as an abstention and leaves the tally unchanged.
        }

        // Nobody granted; one or more explicit denials is enough to refuse.
        if (denials > 0) {
            throw new AccessDeniedException(
                    this.messages.getMessage("AbstractAccessDecisionManager.accessDenied",
                            "Access is denied"));
        }

        // Reaching this point means every voter abstained.
        checkAllowIfAllAbstainDecisions();
    }
}
/**
 * Vote values a voter can return to a decision manager.
 *
 * <p>This excerpt lists only the constants; the {@code vote(...)} method that the decision
 * managers on this page call is not shown here. Those managers match {@link #ACCESS_GRANTED}
 * and {@link #ACCESS_DENIED} explicitly and let every other value fall through the
 * {@code default} branch, so an unexpected return value is handled like an abstention.
 *
 * @param <S> type parameter of the voter; NOTE(review): its meaning is not visible in this
 *     excerpt, presumably the secured object type. Confirm.
 */
public interface AccessDecisionVoter<S> {

    /** The voter refuses access. */
    int ACCESS_DENIED = -1;

    /** The voter expresses no opinion. */
    int ACCESS_ABSTAIN = 0;

    /** The voter approves access. */
    int ACCESS_GRANTED = 1;
}
ConsensusBased实现类
/**
 * Decision manager that follows the majority of non-abstaining votes.
 *
 * <p>Security-relevant point: with the default shown here, a tie between grants and denials
 * <em>allows</em> access (fail-open). Where a tie should refuse access,
 * {@code allowIfEqualGrantedDeniedDecisions} has to be {@code false}.
 *
 * <p>NOTE(review): this listing is abridged. {@code getDecisionVoters()},
 * {@code this.messages} and {@code checkAllowIfAllAbstainDecisions()} are used but not
 * defined here, and no setter for the tie flag is shown.
 */
public class ConsensusBased {

    /**
     * Tie-break policy when grants equal denials and both are non-zero:
     * {@code true} (the default) allows access, {@code false} refuses it.
     */
    private boolean allowIfEqualGrantedDeniedDecisions = true;

    /**
     * Polls every voter, tallies grants and denials, and decides by majority.
     *
     * <p>Outcomes: more grants than denials allows; more denials than grants refuses; a
     * non-zero tie follows {@code allowIfEqualGrantedDeniedDecisions}; if every voter
     * abstained, the outcome is delegated to {@code checkAllowIfAllAbstainDecisions()}
     * (the page author notes this refuses by default).
     *
     * @param authentication the caller whose access is being decided
     * @param object the secured object being accessed
     * @param configAttributes the configuration attributes attached to the secured object
     * @throws AccessDeniedException if denials outnumber grants, or on a tie when ties are
     *     configured to refuse
     */
    public void decide(Authentication authentication, Object object,
            Collection<ConfigAttribute> configAttributes)
            throws AccessDeniedException {
        int granted = 0;
        int denied = 0;
        // Unlike a first-grant-wins policy, every voter is consulted before deciding.
        for (AccessDecisionVoter voter : getDecisionVoters()) {
            int vote = voter.vote(authentication, object, configAttributes);
            if (vote == AccessDecisionVoter.ACCESS_GRANTED) {
                granted++;
            } else if (vote == AccessDecisionVoter.ACCESS_DENIED) {
                denied++;
            }
            // Any other value counts as an abstention.
        }

        if (granted > denied) {
            return;
        }

        boolean tied = (granted == denied);
        if (tied && granted == 0) {
            // No grant and no denial at all: every voter abstained.
            checkAllowIfAllAbstainDecisions();
            return;
        }
        if (tied && this.allowIfEqualGrantedDeniedDecisions) {
            // Non-zero tie and ties are configured to pass (the default).
            return;
        }

        // Either denials are in the majority, or it is a tie that is configured to refuse.
        throw new AccessDeniedException(
                this.messages.getMessage("AbstractAccessDecisionManager.accessDenied",
                        "Access is denied"));
    }
}
UnanimousBased实现类
public class UnanimousBased {
// 投票逻辑:1.所有投票器全投通过,则通过(按下方代码,弃权票不阻止通过:只要没有拒绝票且至少有一票通过即放行)2.全弃权,则拒绝。3.存在一个拒绝,则拒绝
/**
 * Allows access only if no voter denies and at least one voter grants.
 *
 * <p>Each configuration attribute is put to the voters on its own: every voter is polled
 * once per attribute and sees a one-element list holding just that attribute. The first
 * {@code ACCESS_DENIED} for any attribute refuses access immediately. Abstentions do not
 * block access, so "unanimous" here means "no denials", not "every voter granted".
 *
 * <p>If no voter granted or denied anything, which includes an empty {@code attributes}
 * collection where no voter is polled at all, the outcome is delegated to
 * {@code checkAllowIfAllAbstainDecisions()}, which is not shown in this listing.
 *
 * @param authentication the caller whose access is being decided
 * @param object the secured object being accessed
 * @param attributes the configuration attributes attached to the secured object
 * @throws AccessDeniedException as soon as any voter denies for any attribute
 */
public void decide(Authentication authentication, Object object, Collection<ConfigAttribute> attributes)
        throws AccessDeniedException {
    int approvals = 0;

    // A single one-slot list is reused for every attribute; only slot 0 is overwritten.
    List<ConfigAttribute> oneAttribute = new ArrayList<>(1);
    oneAttribute.add(null);

    for (ConfigAttribute current : attributes) {
        oneAttribute.set(0, current);
        for (AccessDecisionVoter voter : getDecisionVoters()) {
            int vote = voter.vote(authentication, object, oneAttribute);
            if (vote == AccessDecisionVoter.ACCESS_DENIED) {
                // One denial is a veto: stop polling and refuse.
                throw new AccessDeniedException(
                        this.messages.getMessage("AbstractAccessDecisionManager.accessDenied", "Access is denied"));
            }
            if (vote == AccessDecisionVoter.ACCESS_GRANTED) {
                approvals++;
            }
            // Any other value counts as an abstention.
        }
    }

    // No voter denied; at least one grant is required to allow access here.
    if (approvals > 0) {
        return;
    }

    // Nothing but abstentions (or nothing polled at all).
    checkAllowIfAllAbstainDecisions();
}