org.springframework.security.oauth2.provider.vote
Class ScopeVoter

java.lang.Object
  extended by org.springframework.security.oauth2.provider.vote.ScopeVoter
All Implemented Interfaces:
org.springframework.security.access.AccessDecisionVoter<Object>

public class ScopeVoter
extends Object
implements org.springframework.security.access.AccessDecisionVoter<Object>

Votes if any ConfigAttribute.getAttribute() starts with a prefix indicating that it is an OAuth2 scope. The default prefix string is SCOPE_, but this may be overridden to any value. Can also be used to deny access to an OAuth2 client by explicitly specifying an attribute value DENY_OAUTH. Typically you would want to explicitly deny access to all non-public resources that are not part of any scope.

Abstains from voting if no configuration attribute commences with the scope prefix, or if the current Authentication is not an OAuth2Authentication, or if the current client authentication is not an AuthorizationRequest (which carries the scope data). Votes to grant access if an authorized scope exactly matches a ConfigAttribute starting with the scope prefix. Votes to deny access if no authorized scope exactly matches a ConfigAttribute starting with the scope prefix.

All comparisons and prefixes are case-insensitive, so you can use (e.g.) SCOPE_READ for simple Facebook-like scope names that might be lower case in the resource definition, or scope=http://my.company.com/scopes/read/ (scopePrefix="scope=") for Google-like URI scope names.
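The voting rules above, together with the throwException behaviour described under setThrowException, exercised in a small stand-alone program. This is an added example, not code from the Spring Security OAuth project; it assumes the 1.0.x resource-server API in which OAuth2Authentication wraps an AuthorizationRequest (constructed here via DefaultAuthorizationRequest(String clientId, Collection<String> scope)), and the client id "demo-client", user names and scope values are made-up sample data.

```java
import java.util.Arrays;
import java.util.Collection;
import java.util.HashSet;
import java.util.List;

import org.springframework.security.access.AccessDecisionVoter;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.SecurityConfig;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.oauth2.provider.AuthorizationRequest;
import org.springframework.security.oauth2.provider.DefaultAuthorizationRequest;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.security.oauth2.provider.vote.ScopeVoter;

public class ScopeVoterDemo {

    // Builds the Authentication a resource server would normally obtain from its
    // token store: an OAuth2Authentication for the (made-up) client "demo-client"
    // whose token was issued with the given scopes, on behalf of user "alice".
    static OAuth2Authentication oauthAuth(String... scopes) {
        AuthorizationRequest request = new DefaultAuthorizationRequest("demo-client",
                new HashSet<String>(Arrays.asList(scopes)));
        Authentication user = new UsernamePasswordAuthenticationToken("alice", "n/a",
                AuthorityUtils.createAuthorityList("ROLE_USER"));
        return new OAuth2Authentication(request, user);
    }

    // Config attributes as a security interceptor would hand them to the voter.
    static List<ConfigAttribute> attrs(String... names) {
        return SecurityConfig.createList(names);
    }

    static String describe(int vote) {
        switch (vote) {
            case AccessDecisionVoter.ACCESS_GRANTED: return "GRANTED";
            case AccessDecisionVoter.ACCESS_DENIED:  return "DENIED";
            default:                                 return "ABSTAIN";
        }
    }

    // Runs one vote. The secure object is null because ScopeVoter never inspects it.
    // With throwException left at its default (true) a denial surfaces as an exception
    // rather than ACCESS_DENIED; it is caught generically so this demo does not depend
    // on the exact exception wrapper used by a given release.
    static void show(String label, ScopeVoter voter, Authentication auth,
                     Collection<ConfigAttribute> attributes) {
        try {
            System.out.println(label + " -> " + describe(voter.vote(auth, null, attributes)));
        } catch (RuntimeException e) {
            System.out.println(label + " -> denied by exception: " + e);
        }
    }

    public static void main(String[] args) {
        Authentication readOnly = oauthAuth("read");

        // Defaults: prefix SCOPE_, deny attribute DENY_OAUTH, throwException = true.
        ScopeVoter strict = new ScopeVoter();
        show("read token, SCOPE_READ   ", strict, readOnly, attrs("SCOPE_READ"));  // case-insensitive match
        show("read token, SCOPE_WRITE  ", strict, readOnly, attrs("SCOPE_WRITE")); // no matching scope
        show("read token, DENY_OAUTH   ", strict, readOnly, attrs("DENY_OAUTH"));  // explicit deny attribute
        show("read token, ROLE_USER    ", strict, readOnly, attrs("ROLE_USER"));   // no scope attribute at all

        // A non-OAuth2 Authentication (e.g. a form login) is outside this voter's remit.
        Authentication formLogin = new UsernamePasswordAuthenticationToken("bob", "n/a",
                AuthorityUtils.createAuthorityList("ROLE_USER"));
        show("form login, SCOPE_READ   ", strict, formLogin, attrs("SCOPE_READ"));

        // Conventional voter behaviour: return ACCESS_DENIED and let the
        // AccessDecisionManager combine it with the other voters' results.
        ScopeVoter lenient = new ScopeVoter();
        lenient.setThrowException(false);
        show("read token, SCOPE_WRITE, no throw", lenient, readOnly, attrs("SCOPE_WRITE"));

        // Google-style URI scopes: a "scope=" prefix lets the attribute value carry a URI.
        ScopeVoter uriVoter = new ScopeVoter();
        uriVoter.setScopePrefix("scope=");
        uriVoter.setThrowException(false);
        Authentication uriToken = oauthAuth("http://my.company.com/scopes/read/");
        show("uri token, .../read/     ", uriVoter, uriToken,
                attrs("scope=http://my.company.com/scopes/read/"));
        show("uri token, .../write/    ", uriVoter, uriToken,
                attrs("scope=http://my.company.com/scopes/write/"));
    }
}
```

Reading the output against the rules above: the "read" token is granted for SCOPE_READ despite the case difference, is refused for SCOPE_WRITE (by exception on the default voter, by ACCESS_DENIED once setThrowException(false) is applied), is refused outright when the attribute list contains DENY_OAUTH, and gets an abstention when no attribute starts with the prefix; the form-login Authentication always gets an abstention, which is why a resource that must never be reached by a non-scoped client needs the DENY_OAUTH attribute rather than relying on this voter alone. The URI-prefixed voter shows that only the prefix changes; the exact-match, case-insensitive comparison is the same.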

Author:
Dave Syer

Field Summary
 
Fields inherited from interface org.springframework.security.access.AccessDecisionVoter
ACCESS_ABSTAIN, ACCESS_DENIED, ACCESS_GRANTED
 
Constructor Summary
ScopeVoter()
           
 
Method Summary
 void setDenyAccess(String denyAccess)
          The name of the config attribute that can be used to deny access to an OAuth2 client.
 void setScopePrefix(String scopePrefix)
          Allows the default role prefix of SCOPE_ to be overridden.
 void setThrowException(boolean throwException)
          Flag to determine the behaviour on access denied.
 boolean supports(Class<?> clazz)
          This implementation supports any type of class, because it does not query the presented secure object.
 boolean supports(org.springframework.security.access.ConfigAttribute attribute)
           
 int vote(org.springframework.security.core.Authentication authentication, Object object, Collection<org.springframework.security.access.ConfigAttribute> attributes)
           
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Constructor Detail

ScopeVoter

public ScopeVoter()
Method Detail

setThrowException

public void setThrowException(boolean throwException)
Flag to determine the behaviour on access denied. If set then we throw an InsufficientScopeException instead of returning AccessDecisionVoter.ACCESS_DENIED. This is unconventional for an access decision voter because it vetoes the other voters in the chain, but it enables us to pass a message to the caller with information about the required scope.

Parameters:
throwException - the flag to set (default true)

setScopePrefix

public void setScopePrefix(String scopePrefix)
Allows the default role prefix of SCOPE_ to be overridden. May be set to an empty value, although this is usually not desirable.

Parameters:
scopePrefix - the new prefix

setDenyAccess

public void setDenyAccess(String denyAccess)
The name of the config attribute that can be used to deny access to an OAuth2 client. Defaults to DENY_OAUTH.

Parameters:
denyAccess - the deny access attribute value to set

supports

public boolean supports(org.springframework.security.access.ConfigAttribute attribute)
Specified by:
supports in interface org.springframework.security.access.AccessDecisionVoter<Object>

supports

public boolean supports(Class<?> clazz)
This implementation supports any type of class, because it does not query the presented secure object.

Specified by:
supports in interface org.springframework.security.access.AccessDecisionVoter<Object>
Parameters:
clazz - the secure object
Returns:
always true

vote

public int vote(org.springframework.security.core.Authentication authentication,
                Object object,
                Collection<org.springframework.security.access.ConfigAttribute> attributes)
Specified by:
vote in interface org.springframework.security.access.AccessDecisionVoter<Object>


Copyright © 2012. All Rights Reserved.