Clarify WebInvocationPrivilegeEvaluator JavaDoc

ngocnhan-tran1996 · sjohnr · commit ab6e9d2d1f63 · 2025-03-20T14:38:10.000-05:00
Closes gh-16529 Signed-off-by: Tran Ngoc Nhan <ngocnhan.tran1996@gmail.com>
diff --git a/web/src/main/java/org/springframework/security/web/access/WebInvocationPrivilegeEvaluator.java b/web/src/main/java/org/springframework/security/web/access/WebInvocationPrivilegeEvaluator.java
@@ -29,20 +29,28 @@ public interface WebInvocationPrivilegeEvaluator {
 	/**
 	 * Determines whether the user represented by the supplied <tt>Authentication</tt>
 	 * object is allowed to invoke the supplied URI.
+	 * <p>
+	 * Note this will only match authorization rules that don't require a certain
+	 * {@code HttpMethod}.
 	 * @param uri the URI excluding the context path (a default context path setting will
 	 * be used)
 	 */
 	boolean isAllowed(String uri, Authentication authentication);
 
 	/**
 	 * Determines whether the user represented by the supplied <tt>Authentication</tt>
-	 * object is allowed to invoke the supplied URI, with the given .
+	 * object is allowed to invoke the supplied URI, with the given parameters.
 	 * <p>
-	 * Note the default implementation of <tt>FilterInvocationSecurityMetadataSource</tt>
+	 * Note:
+	 * <ul>
+	 * <li>The default implementation of <tt>FilterInvocationSecurityMetadataSource</tt>
 	 * disregards the <code>contextPath</code> when evaluating which secure object
 	 * metadata applies to a given request URI, so generally the <code>contextPath</code>
 	 * is unimportant unless you are using a custom
-	 * <code>FilterInvocationSecurityMetadataSource</code>.
+	 * <code>FilterInvocationSecurityMetadataSource</code>.</li>
+	 * <li>this will only match authorization rules that don't require a certain
+	 * {@code HttpMethod}.</li>
+	 * </ul>
 	 * @param uri the URI excluding the context path
 	 * @param contextPath the context path (may be null).
 	 * @param method the HTTP method (or null, for any method)
