public class ScopeVoter extends Object implements org.springframework.security.access.AccessDecisionVoter<Object>
Votes if any ConfigAttribute.getAttribute() starts with a prefix indicating that it is an OAuth2 scope. The default prefix string is SCOPE_, but this may be overridden to any value. Can also be used to deny access to an OAuth2 client by explicitly specifying the attribute value DENY_OAUTH. Typically you would want to explicitly deny access in this way to all non-public resources that are not part of any scope: on a resource carrying no scope attribute this voter abstains, so a client holding a token for some unrelated scope could otherwise reach it through the other voters in the chain.

Abstains from voting if no configuration attribute commences with the scope prefix, or if the current Authentication is not an OAuth2Authentication, or the current client authentication is not an AuthorizationRequest (which contains the scope data). Votes to grant access if an authorized scope exactly matches a ConfigAttribute starting with the scope prefix. Votes to deny access if no authorized scope exactly matches a ConfigAttribute starting with the scope prefix.

All comparisons and prefixes are case-insensitive, so you can use (e.g.) SCOPE_READ for simple Facebook-like scope names that might be lower case in the resource definition, or scope=https://my.company.com/scopes/read/ (with scopePrefix="scope=") for Google-like URI scope names.
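The following is an added example, not code from spring-security-oauth2 or this page. It drives a ScopeVoter with constructed Authentications so that each outcome described above (grant, deny, abstain, the DENY_OAUTH attribute, the exception on a missing scope, and a prefix override for URI scopes) can be observed, and then shows why DENY_OAUTH is needed on role-only resources when the voter sits in a UnanimousBased chain next to a RoleVoter. It assumes spring-security-oauth2 2.x, where the stored client authentication is an OAuth2Request rather than the AuthorizationRequest named in the text; the client id "demo-client", the users "alice" and "bob", the resource id "photos" and the ROLE_ authorities are constructed sample data.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;

import org.springframework.security.access.AccessDecisionVoter;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.SecurityConfig;
import org.springframework.security.access.vote.RoleVoter;
import org.springframework.security.access.vote.UnanimousBased;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.oauth2.common.exceptions.InsufficientScopeException;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.security.oauth2.provider.OAuth2Request;
import org.springframework.security.oauth2.provider.vote.ScopeVoter;

/**
 * Added example (not part of spring-security-oauth2). Exercises ScopeVoter
 * against constructed Authentications. Assumes spring-security-oauth2 2.x,
 * where the stored client request is an OAuth2Request.
 */
public class ScopeVoterDemo {

    /** Constructed OAuth2Authentication: a token issued to "demo-client" with the given scopes. */
    static Authentication tokenWithScopes(String... scopes) {
        OAuth2Request clientRequest = new OAuth2Request(
                Collections.<String, String>emptyMap(), "demo-client",
                AuthorityUtils.createAuthorityList("ROLE_CLIENT"), true,
                new HashSet<String>(Arrays.asList(scopes)),
                Collections.singleton("photos"), null, null, null);
        Authentication user = new UsernamePasswordAuthenticationToken(
                "alice", "N/A", AuthorityUtils.createAuthorityList("ROLE_USER"));
        return new OAuth2Authentication(clientRequest, user);
    }

    static String name(int vote) {
        switch (vote) {
            case AccessDecisionVoter.ACCESS_GRANTED: return "GRANTED";
            case AccessDecisionVoter.ACCESS_DENIED:  return "DENIED";
            default:                                 return "ABSTAIN";
        }
    }

    /** Casts one vote and reports it; a thrown InsufficientScopeException is reported as such. */
    static void show(String label, ScopeVoter voter, Authentication auth, List<ConfigAttribute> attrs) {
        try {
            System.out.println(label + " -> " + name(voter.vote(auth, new Object(), attrs)));
        } catch (RuntimeException e) {
            // With throwException=true the missing scope is reported as an
            // InsufficientScopeException (it may arrive wrapped in an AccessDeniedException).
            Throwable cause = e instanceof InsufficientScopeException ? e : e.getCause();
            System.out.println(label + " -> threw " + e.getClass().getSimpleName()
                    + (cause instanceof InsufficientScopeException ? " (insufficient scope)" : ""));
        }
    }

    public static void main(String[] args) {
        // Default prefix SCOPE_; return ACCESS_DENIED instead of throwing so the vote itself is visible.
        ScopeVoter voter = new ScopeVoter();
        voter.setThrowException(false);

        Authentication readToken = tokenWithScopes("read");
        Authentication plainLogin = new UsernamePasswordAuthenticationToken(
                "bob", "N/A", AuthorityUtils.createAuthorityList("ROLE_USER"));

        // Scope "read" versus attribute SCOPE_READ: exact match once the prefix is added, case-insensitive.
        show("read token, SCOPE_READ    ", voter, readToken, SecurityConfig.createList("SCOPE_READ"));
        // SCOPE_WRITE: the token carries no matching scope.
        show("read token, SCOPE_WRITE   ", voter, readToken, SecurityConfig.createList("SCOPE_WRITE"));
        // DENY_OAUTH: explicit deny for any OAuth2 client, whatever its scopes.
        show("read token, DENY_OAUTH    ", voter, readToken, SecurityConfig.createList("DENY_OAUTH"));
        // ROLE_USER only: no attribute starts with the scope prefix, so the voter has nothing to say.
        show("read token, ROLE_USER only", voter, readToken, SecurityConfig.createList("ROLE_USER"));
        // Not an OAuth2Authentication: the voter abstains regardless of the attributes.
        show("plain login, SCOPE_READ   ", voter, plainLogin, SecurityConfig.createList("SCOPE_READ"));

        // Google-style URI scopes with the prefix overridden to "scope="; throwException keeps its default.
        ScopeVoter uriVoter = new ScopeVoter();
        uriVoter.setScopePrefix("scope=");
        Authentication uriToken = tokenWithScopes("https://my.company.com/scopes/read/");
        show("uri token, read scope     ", uriVoter, uriToken,
                SecurityConfig.createList("scope=https://my.company.com/scopes/read/"));
        show("uri token, write scope    ", uriVoter, uriToken,
                SecurityConfig.createList("scope=https://my.company.com/scopes/write/"));

        // Why DENY_OAUTH matters: next to a RoleVoter, a role-only resource is reachable by any
        // bearer token whose user holds the role, because ScopeVoter abstains on it.
        UnanimousBased manager = new UnanimousBased(
                Arrays.<AccessDecisionVoter<? extends Object>>asList(voter, new RoleVoter()));
        manager.decide(readToken, new Object(), SecurityConfig.createList("ROLE_USER"));
        try {
            manager.decide(readToken, new Object(), SecurityConfig.createList("ROLE_USER", "DENY_OAUTH"));
        } catch (AccessDeniedException e) {
            System.out.println("ROLE_USER + DENY_OAUTH in UnanimousBased -> OAuth2 client denied");
        }
    }
}
```

The attribute strings passed to SecurityConfig.createList are the same plain (non-expression) config attributes an intercept-url definition would carry; ScopeVoter only inspects ConfigAttribute.getAttribute(), so expression-based attributes, whose getAttribute() is null, never match the prefix and the voter abstains on them.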
| Constructor and Description |
|---|
| ScopeVoter() |

| Modifier and Type | Method and Description |
|---|---|
| void | setDenyAccess(String denyAccess) The name of the config attribute that can be used to deny access to an OAuth2 client. |
| void | setScopePrefix(String scopePrefix) Allows the default scope prefix of SCOPE_ to be overridden. |
| void | setThrowException(boolean throwException) Flag to determine the behaviour on access denied. |
| boolean | supports(Class<?> clazz) This implementation supports any type of class, because it does not query the presented secure object. |
| boolean | supports(org.springframework.security.access.ConfigAttribute attribute) |
| int | vote(org.springframework.security.core.Authentication authentication, Object object, Collection<org.springframework.security.access.ConfigAttribute> attributes) |
setThrowException

public void setThrowException(boolean throwException)

Flag to determine the behaviour on access denied. If set, an InsufficientScopeException is thrown instead of returning AccessDecisionVoter.ACCESS_DENIED. This is unconventional for an access decision voter because it vetoes the other voters in the chain, but it enables us to pass a message to the caller with information about the required scope.

Parameters:
throwException - the flag to set (default true)

setScopePrefix

public void setScopePrefix(String scopePrefix)

Allows the default scope prefix of SCOPE_ to be overridden. May be set to an empty value, although this is usually not desirable.

Parameters:
scopePrefix - the new prefix

setDenyAccess

public void setDenyAccess(String denyAccess)

The name of the config attribute that can be used to deny access to an OAuth2 client. Defaults to DENY_OAUTH.

Parameters:
denyAccess - the deny access attribute value to set

supports

public boolean supports(org.springframework.security.access.ConfigAttribute attribute)

Specified by:
supports in interface org.springframework.security.access.AccessDecisionVoter<Object>

supports

public boolean supports(Class<?> clazz)

This implementation supports any type of class, because it does not query the presented secure object.

Specified by:
supports in interface org.springframework.security.access.AccessDecisionVoter<Object>

Parameters:
clazz - the secure object

Returns:
true

vote

public int vote(org.springframework.security.core.Authentication authentication, Object object, Collection<org.springframework.security.access.ConfigAttribute> attributes)

Specified by:
vote in interface org.springframework.security.access.AccessDecisionVoter<Object>
Copyright © 2019. All rights reserved.