org.springframework.security.oauth2.provider.vote

Class ClientScopeVoter

java.lang.Object

org.springframework.security.oauth2.provider.vote.ClientScopeVoter

All Implemented Interfaces:

org.springframework.security.access.AccessDecisionVoter<Object>

public class ClientScopeVoter
extends Object
implements org.springframework.security.access.AccessDecisionVoter<Object>

This voter checks scope in request is consistent with that held by the client. If there is no user in the request (client_credentials grant) it checks against authorities of client instead of scopes by default. Activate by adding CLIENT_HAS_SCOPE to security attributes.

Author:

Dave Syer

Field Summary

Fields inherited from interface org.springframework.security.access.AccessDecisionVoter

ACCESS_ABSTAIN, ACCESS_DENIED, ACCESS_GRANTED

Constructor Summary

Constructors

Constructor and Description
ClientScopeVoter()

Method Summary

Modifier and Type	Method and Description
void	setClientAuthoritiesAreScopes(boolean clientAuthoritiesAreScopes) Flag to signal that when there is no user authentication client authorities are to be treated as scopes.
void	setClientDetailsService(ClientDetailsService clientDetailsService) ClientDetailsService for looking up clients by ID.
void	setDenyAccess(String denyAccess) The name of the config attribute that can be used to deny access to OAuth2 client.
void	setThrowException(boolean throwException) Flag to determine the behaviour on access denied.
boolean	supports(Class<?> clazz) This implementation supports any type of class, because it does not query the presented secure object.
boolean	supports(org.springframework.security.access.ConfigAttribute attribute)
int	vote(org.springframework.security.core.Authentication authentication, Object object, Collection<org.springframework.security.access.ConfigAttribute> attributes)

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

ClientScopeVoter

public ClientScopeVoter()

Method Detail

setClientDetailsService

public void setClientDetailsService(ClientDetailsService clientDetailsService)

ClientDetailsService for looking up clients by ID.

Parameters:

clientDetailsService - the client details service (mandatory)

setThrowException

public void setThrowException(boolean throwException)

Flag to determine the behaviour on access denied. If set then we throw an InsufficientScopeException instead of returning AccessDecisionVoter.ACCESS_DENIED. This is unconventional for an access decision voter because it vetos the other voters in the chain, but it enables us to pass a message to the caller with information about the required scope.

Parameters:

throwException - the flag to set (default true)

setClientAuthoritiesAreScopes

public void setClientAuthoritiesAreScopes(boolean clientAuthoritiesAreScopes)

Flag to signal that when there is no user authentication client authorities are to be treated as scopes.

Parameters:

clientAuthoritiesAreScopes - the flag value (default true)

setDenyAccess

public void setDenyAccess(String denyAccess)

The name of the config attribute that can be used to deny access to OAuth2 client. Defaults to DENY_OAUTH.

Parameters:

denyAccess - the deny access attribute value to set

supports

public boolean supports(org.springframework.security.access.ConfigAttribute attribute)

Specified by:

supports in interface org.springframework.security.access.AccessDecisionVoter<Object>

supports

public boolean supports(Class<?> clazz)

This implementation supports any type of class, because it does not query the presented secure object.

Specified by:

supports in interface org.springframework.security.access.AccessDecisionVoter<Object>

Parameters:

clazz - the secure object

Returns:

always true

vote

public int vote(org.springframework.security.core.Authentication authentication,
                Object object,
                Collection<org.springframework.security.access.ConfigAttribute> attributes)

Specified by:

vote in interface org.springframework.security.access.AccessDecisionVoter<Object>