public class ScopeVoter extends Object implements org.springframework.security.access.AccessDecisionVoter<Object>
Votes if any ConfigAttribute.getAttribute() starts with a prefix indicating that it is an OAuth2 scope. The default prefix string is SCOPE_, but this may be overridden to any value. Can also be used to deny access to an OAuth2 client by explicitly specifying an attribute value DENY_OAUTH. Typically you would want to explicitly deny access to all non-public resources that are not part of any scope.
Abstains from voting if no configuration attribute commences with the scope prefix, or if the current Authentication is not an OAuth2Authentication or the current client authentication is not an AuthorizationRequest (which contains the scope data). Votes to grant access if there is an exact matching authorized scope to a ConfigAttribute starting with the scope prefix. Votes to deny access if there is no exact matching authorized scope to a ConfigAttribute starting with the scope prefix.
All comparisons and prefixes are case insensitive so you can use (e.g.) SCOPE_READ for simple Facebook-like scope names that might be lower case in the resource definition, or scopePrefix="scope=") for Google-like URI scope
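|Modifier and Type|Method and Description|
|void|setDenyAccess(String denyAccess): The name of the config attribute that can be used to deny access to OAuth2 client.|
|void|setScopePrefix(String scopePrefix): Allows the default role prefix of SCOPE_ to be overridden.|
|void|setThrowException(boolean throwException): Flag to determine the behaviour on access denied.|
|boolean|supports(Class<?> clazz): This implementation supports any type of class, because it does not query the presented secure object.|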
public void setThrowException(boolean throwException)
Flag to determine the behaviour on access denied. If set, an InsufficientScopeException is thrown instead of returning AccessDecisionVoter.ACCESS_DENIED. This is unconventional for an access decision voter because it vetoes the other voters in the chain, but it enables us to pass a message to the caller with information about the required scope.
throwException - the flag to set (default true)
public void setScopePrefix(String scopePrefix)
Allows the default role prefix of SCOPE_ to be overridden. May be set to an empty value, although this is usually not desirable.
scopePrefix - the new prefix
public void setDenyAccess(String denyAccess)
denyAccess - the deny access attribute value to set
public boolean supports(org.springframework.security.access.ConfigAttribute attribute)
public boolean supports(Class<?> clazz)
clazz - the secure object
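An added example, not taken from the library's own documentation: one way to wire a ScopeVoter into an access decision manager using the three setters described above. The class name ResourceAccessConfig and the choice of UnanimousBased with RoleVoter and AuthenticatedVoter are assumptions made for illustration; ScopeVoter is imported from the org.springframework.security.oauth2.provider.vote package.

```java
import java.util.Arrays;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.AccessDecisionManager;
import org.springframework.security.access.vote.AuthenticatedVoter;
import org.springframework.security.access.vote.RoleVoter;
import org.springframework.security.access.vote.UnanimousBased;
import org.springframework.security.oauth2.provider.vote.ScopeVoter;

// Added example: ResourceAccessConfig is a hypothetical class, not library code.
@Configuration
public class ResourceAccessConfig {

    @Bean
    public ScopeVoter scopeVoter() {
        ScopeVoter voter = new ScopeVoter();
        // The default prefix, set explicitly here. A resource attribute
        // "SCOPE_READ" is matched by an authorized scope "read" because
        // comparisons are case insensitive.
        voter.setScopePrefix("SCOPE_");
        // Attribute value that refuses OAuth2 clients outright. Attach it to
        // every non-public resource that is not part of any scope.
        voter.setDenyAccess("DENY_OAUTH");
        // false: the voter returns ACCESS_DENIED and the decision manager
        // rejects the request. true (the default) throws from inside vote(),
        // which vetoes the other voters in the chain but tells the caller
        // which scope was required.
        voter.setThrowException(false);
        return voter;
    }

    @Bean
    public AccessDecisionManager accessDecisionManager() {
        // UnanimousBased denies as soon as any voter returns ACCESS_DENIED,
        // so a missing scope cannot be outvoted by a matching role.
        // ScopeVoter abstains for attributes without the scope prefix and for
        // non-OAuth2 authentications, leaving those to the other voters.
        return new UnanimousBased(Arrays.asList(
                scopeVoter(), new RoleVoter(), new AuthenticatedVoter()));
    }
}
```

With this manager, a resource secured with the attributes SCOPE_READ and ROLE_USER requires both the read scope and the role, while one secured with DENY_OAUTH is closed to every OAuth2 client.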
Copyright © 2014. All rights reserved.