org.springframework.security.oauth2.provider.expression
Class OAuth2SecurityExpressionMethods

java.lang.Object
  extended by org.springframework.security.oauth2.provider.expression.OAuth2SecurityExpressionMethods

public class OAuth2SecurityExpressionMethods
extends Object

A convenience object for security expressions in OAuth2 protected resources, providing public methods that act on the current authentication.

Author:
Dave Syer, Rob Winch

Constructor Summary
OAuth2SecurityExpressionMethods(org.springframework.security.core.Authentication authentication, boolean throwExceptionOnInvalidScope)
           
 
Method Summary
 boolean clientHasAnyRole(String... roles)
          Check if the OAuth2 client (not the user) has one of the roles specified.
 boolean clientHasRole(String role)
          Check if the OAuth2 client (not the user) has the role specified.
 boolean denyOAuthClient()
          Deny access to oauth requests, so used for example to only allow web UI users to access a resource.
 boolean hasAnyScope(String... scopes)
          Check if the current OAuth2 authentication has one of the scopes specified.
 boolean hasScope(String scope)
          Check if the current OAuth2 authentication has one of the scopes specified.
 boolean isClient()
          Check if the current authentication is acting as an authenticated client application not on behalf of a user.
 boolean isUser()
          Check if the current authentication is acting on behalf of an authenticated user.
 void setThrowExceptionOnInvalidScope(boolean throwExceptionOnInvalidScope)
          A flag to indicate that an exception should be thrown if a scope decision is negative.
 boolean sufficientScope(boolean decision)
          Check if any scope decisions have been denied in the current context and throw an exception if so.
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Constructor Detail

OAuth2SecurityExpressionMethods

public OAuth2SecurityExpressionMethods(org.springframework.security.core.Authentication authentication,
                                       boolean throwExceptionOnInvalidScope)
Method Detail

sufficientScope

public boolean sufficientScope(boolean decision)
Check if any scope decisions have been denied in the current context and throw an exception if so. Example usage:
 access = "#oauth2.sufficientScope(#oauth2.hasScope('read') or (#oauth2.hasScope('other') and hasRole('ROLE_USER')))"
 

Parameters:
decision - the existing access decision
Returns:
true if the OAuth2 token has one of these scopes
Throws:
InsufficientScopeException - if the scope is invalid and we the flag is set to throw the exception

clientHasRole

public boolean clientHasRole(String role)
Check if the OAuth2 client (not the user) has the role specified. To check the user's roles see #hasRole(String).

Parameters:
role - the role to check
Returns:
true if the OAuth2 client has this role

clientHasAnyRole

public boolean clientHasAnyRole(String... roles)
Check if the OAuth2 client (not the user) has one of the roles specified. To check the user's roles see #hasAnyRole(String).

Parameters:
roles - the roles to check
Returns:
true if the OAuth2 client has one of these roles

hasScope

public boolean hasScope(String scope)
Check if the current OAuth2 authentication has one of the scopes specified.

Parameters:
scope - the scope to check
Returns:
true if the OAuth2 authentication has the required scope

hasAnyScope

public boolean hasAnyScope(String... scopes)
Check if the current OAuth2 authentication has one of the scopes specified.

Parameters:
roles - the scopes to check
Returns:
true if the OAuth2 token has one of these scopes
Throws:
org.springframework.security.access.AccessDeniedException - if the scope is invalid and we the flag is set to throw the exception

denyOAuthClient

public boolean denyOAuthClient()
Deny access to oauth requests, so used for example to only allow web UI users to access a resource.

Returns:
true if the current authentication is not an OAuth2 type

isUser

public boolean isUser()
Check if the current authentication is acting on behalf of an authenticated user.

Returns:
true if the current authentication represents a user

isClient

public boolean isClient()
Check if the current authentication is acting as an authenticated client application not on behalf of a user.

Returns:
true if the current authentication represents a client application

setThrowExceptionOnInvalidScope

public void setThrowExceptionOnInvalidScope(boolean throwExceptionOnInvalidScope)
A flag to indicate that an exception should be thrown if a scope decision is negative.

Parameters:
throwExceptionOnInvalidScope - flag value (default true)


Copyright © 2012. All Rights Reserved.