1 package org.springframework.security.oauth2.provider.vote;
2
3 import java.util.Collection;
4 import java.util.Set;
5
6 import org.springframework.security.access.AccessDecisionVoter;
7 import org.springframework.security.access.AccessDeniedException;
8 import org.springframework.security.access.ConfigAttribute;
9 import org.springframework.security.core.Authentication;
10 import org.springframework.security.core.authority.AuthorityUtils;
11 import org.springframework.security.oauth2.common.exceptions.InsufficientScopeException;
12 import org.springframework.security.oauth2.provider.ClientDetails;
13 import org.springframework.security.oauth2.provider.ClientDetailsService;
14 import org.springframework.security.oauth2.provider.OAuth2Authentication;
15 import org.springframework.security.oauth2.provider.OAuth2Request;
16
17
18
19
20
21
22
23
24
/**
 * Access decision voter that enforces "the client is still allowed to hold the scopes of this
 * request".
 *
 * <p>When a secured object carries the configured marker attribute (default
 * {@code CLIENT_HAS_SCOPE}), the voter looks the client up through the
 * {@link ClientDetailsService} <em>at decision time</em> and requires every scope of the current
 * {@link OAuth2Request} to be present in the client's registered scopes. Because the registered
 * scope set is fetched per decision rather than read from the token, a scope removed from the
 * client registration after the token was issued is rejected here.
 *
 * <p>What this voter does <em>not</em> do: it never inspects which scopes the protected resource
 * requires -- the attribute is a bare on/off marker, not a scope name -- so it complements a
 * resource-scope check rather than replacing one. A request whose scope set is empty passes the
 * check trivially.
 *
 * <p>The voter abstains when the {@link Authentication} is not an {@link OAuth2Authentication} or
 * when none of the attributes match the marker. For client-only authentications the request's
 * granted authorities are used in place of its scopes when {@code clientAuthoritiesAreScopes} is
 * true (the default).
 *
 * <p>On a failed check the default is to throw an {@link AccessDeniedException} wrapping an
 * {@link InsufficientScopeException} that carries the client's registered scopes, rather than to
 * return {@link #ACCESS_DENIED}. Throwing from {@code vote} means the remaining voters in the
 * chain are not consulted; set {@code throwException} to false for a conventional denied vote.
 *
 * <p>NOTE(review): the lookup is not guarded -- whatever
 * {@code ClientDetailsService.loadClientByClientId} throws for an unknown client id propagates
 * out of {@code vote} as-is instead of becoming a denial; confirm the surrounding decision
 * manager turns that into the intended response. The scope comparison also assumes
 * {@code ClientDetails.getScope()} never returns null -- verify for custom implementations.
 */
public class ClientScopeVoter implements AccessDecisionVoter<Object> {

    /** Name of the config attribute that switches this voter on for a secured object. */
    private String clientHasScope = "CLIENT_HAS_SCOPE";

    /** When true, a failed check throws instead of voting {@link #ACCESS_DENIED}. */
    private boolean throwException = true;

    /** Source of the client's currently registered scopes; required, no default. */
    private ClientDetailsService clientDetailsService;

    /** When true, a client-only request's authorities stand in for its scopes. */
    private boolean clientAuthoritiesAreScopes = true;

    /**
     * Sets the service used to load the client (and hence its registered scopes) on every vote.
     *
     * @param clientDetailsService the client registry to consult; must be set before voting
     */
    public void setClientDetailsService(ClientDetailsService clientDetailsService) {
        this.clientDetailsService = clientDetailsService;
    }

    /**
     * Controls what happens when the client does not hold one of the request's scopes: throw an
     * {@link AccessDeniedException} (true, the default) or return {@link #ACCESS_DENIED} (false).
     *
     * @param throwException true to throw on a failed check, false to vote denied
     */
    public void setThrowException(boolean throwException) {
        this.throwException = throwException;
    }

    /**
     * Controls whether, for a client-only authentication (no end user), the request's granted
     * authorities are compared against the client's scopes instead of the request's scope set.
     *
     * @param clientAuthoritiesAreScopes true to treat client authorities as scopes (default true)
     */
    public void setClientAuthoritiesAreScopes(boolean clientAuthoritiesAreScopes) {
        this.clientAuthoritiesAreScopes = clientAuthoritiesAreScopes;
    }

    /**
     * Sets the name of the config attribute that triggers the scope check. Despite the method
     * name, this is the marker that enables the voter (default {@code CLIENT_HAS_SCOPE}), not a
     * separate "deny" attribute.
     *
     * @param denyAccess the attribute value to match against {@link ConfigAttribute#getAttribute()}
     */
    public void setDenyAccess(String denyAccess) {
        this.clientHasScope = denyAccess;
    }

    /**
     * Supports exactly the configured marker attribute. A {@code ConfigAttribute} whose
     * {@code getAttribute()} is null (if the implementation allows that) is simply not matched.
     *
     * @param attribute the attribute to test
     * @return true if its string form equals the configured marker
     */
    public boolean supports(ConfigAttribute attribute) {
        return clientHasScope.equals(attribute.getAttribute());
    }

    /**
     * Applies to every kind of secured object.
     *
     * @param clazz the secured object type (ignored)
     * @return always true
     */
    public boolean supports(Class<?> clazz) {
        return true;
    }

    /**
     * Votes on the first attribute that matches the marker; abstains for non-OAuth2
     * authentications or when no attribute matches. The client registration is loaded before the
     * attributes are scanned, so the lookup happens even when the voter ends up abstaining.
     *
     * @param authentication the caller; only an {@link OAuth2Authentication} is evaluated
     * @param object the secured object (unused)
     * @param attributes the config attributes of the secured object
     * @return {@link #ACCESS_GRANTED}, {@link #ACCESS_DENIED} or {@link #ACCESS_ABSTAIN}
     * @throws AccessDeniedException if the check fails and {@code throwException} is true; the
     *         cause is an {@link InsufficientScopeException} listing the client's registered scopes
     */
    public int vote(Authentication authentication, Object object, Collection<ConfigAttribute> attributes) {
        if (!(authentication instanceof OAuth2Authentication)) {
            return ACCESS_ABSTAIN;
        }

        OAuth2Authentication oauth = (OAuth2Authentication) authentication;
        OAuth2Request request = oauth.getOAuth2Request();
        // Fresh lookup on every decision: the comparison is against the client's *current*
        // registration, not against anything baked into the token.
        ClientDetails registeredClient = clientDetailsService.loadClientByClientId(request.getClientId());
        Set<String> requestedScopes = scopesOf(oauth, request);

        for (ConfigAttribute attribute : attributes) {
            // Virtual call on purpose: a subclass may widen supports().
            if (this.supports(attribute)) {
                return decide(registeredClient, requestedScopes);
            }
        }

        return ACCESS_ABSTAIN;
    }

    /** Scope set to check: the request's scopes, or its authorities for a client-only request. */
    private Set<String> scopesOf(OAuth2Authentication oauth, OAuth2Request request) {
        if (clientAuthoritiesAreScopes && oauth.isClientOnly()) {
            return AuthorityUtils.authorityListToSet(request.getAuthorities());
        }
        return request.getScope();
    }

    /** Grants if every requested scope is registered for the client; otherwise denies or throws. */
    private int decide(ClientDetails registeredClient, Set<String> requestedScopes) {
        if (allRegistered(registeredClient, requestedScopes)) {
            return ACCESS_GRANTED;
        }
        if (throwException) {
            InsufficientScopeException failure = new InsufficientScopeException(
                    "Insufficient scope for this resource", registeredClient.getScope());
            throw new AccessDeniedException(failure.getMessage(), failure);
        }
        return ACCESS_DENIED;
    }

    /** True when the client's registered scopes contain each requested scope (vacuously true if none). */
    private boolean allRegistered(ClientDetails registeredClient, Set<String> requestedScopes) {
        for (String requested : requestedScopes) {
            if (!registeredClient.getScope().contains(requested)) {
                return false;
            }
        }
        return true;
    }

}