
  • Restrict Consumer URLs in OAuth1

    Hi,

    I know we can restrict access for users using URL matching, but I need to do this for Consumers too.

    I also need to restrict which URLs a specific consumer has access to.

    Does somebody have good ideas on how to implement it? This is the last piece of my puzzle here.

    Thanks in advance!

    Maralc

  • #2
    Hi

    Today I discovered the ConsumerSecurityVoter and the @ConsumerKeysAllowed annotation. They seem to do exactly what I need.

    I did set up the Voter, but the annotations are never processed.

    I saw that the ConsumerSecurityMetadataSource is responsible for processing these annotations, but it's never called and there is no reference to it anywhere (code, Google, etc.).

    Can someone please give some ideas on how to make it work? I could not find any documentation at all about this.

    Thanks a lot.

    Marcelo


    • #3
      Nobody?

      Sorry for bumping this thread... but it looks like a couple of lines of help would solve everything here for me.

      Can't the Spring OAuth team give a hand?

      I could offer to document this feature after I can make it work.

      Thanks again.

      Maralc


      • #4
        Does this help? It tells you how to wire in custom voters:

        http://blog.springsource.com/2009/01...-in-real-time/


        • #5
          No it doesn't.

          In fact there is already a Voter and a set of annotations that theoretically do exactly what I want. I just cannot find a way to trigger the annotation processing.

          It just doesn't seem right to have to write a Voter if the functionality seems to be already there.

          Thanks anyway.


          • #6
            If I understand correctly, you've got your decision voter wired in correctly, right? You just need to wire in your attributes to the MethodSecurityInterceptor. So the config will look something like this:

            Code:
            ...
            
            <bean id="accessDecisionManager" class="org.springframework.security.access.vote.AffirmativeBased">
              <property name="decisionVoters">
                <list>
                  <bean class="org.codehaus.enunciate.modules.spring_app.JSR250Voter" />
                  <bean class="org.springframework.security.oauth.provider.attributes.ConsumerSecurityVoter" />
                </list>
              </property>
            </bean>
            
            <bean id="securityMetadataSource" class="org.springframework.security.intercept.method.MethodDefinitionAttributes">
              <constructor-arg>
                <list>
                  <bean class="org.springframework.security.access.annotation.Jsr250MethodSecurityMetadataSource" />
                  <bean class="org.springframework.security.oauth.provider.attributes.ConsumerSecurityMetadataSource" />
                </list>
              </constructor-arg>
            </bean>
            
            <bean id="method-security-interceptor" class="org.springframework.security.access.intercept.aopalliance.MethodSecurityInterceptor">
              <property name="authenticationManager" ref="authenticationManager"/>
              <property name="accessDecisionManager" ref="accessDecisionManager"/>
              <property name="securityMetadataSource" ref="securityMetadataSource"/>
            </bean>
            
            ...


            • #7
              By the way, in 1.0.0.M4, this will be a lot easier to do using expressions on your methods. It'll look something like this:

              Code:
                @PreAuthorize("oauthClientHasRole('ROLE_SPECIAL_CLIENT')")
                public void myMethod() {...}


              • #8
                Solution

                In the end I was able to make it work.

                It was missing the AOP interceptors.

                Here's what it looks like:

                Code:
                	<http auto-config='true' access-denied-page="/login.jsp" access-decision-manager-ref="accessDecisionManager">
                		<intercept-url pattern="/customerdetails/**" access="ROLE_USER" />
                		<intercept-url pattern="/customerguid/**" access="ROLE_USER" />
                		<intercept-url pattern="/oauth/**" access="ROLE_USER" />
                		<intercept-url pattern="/request_token_authorized.jsp" access="ROLE_USER" />
                		<intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
                
                		<form-login authentication-failure-url="/login.jsp" default-target-url="/actions/Login.action" login-page="/login.jsp"
                			login-processing-url="/login.do" />
                		<logout logout-success-url="/index.jsp" logout-url="/logout" />
                	</http>
                	
                	<beans:bean id="accessDecisionManager" class="org.springframework.security.access.vote.AffirmativeBased">
                		<beans:property name="decisionVoters">
                			<beans:set>
                				<beans:bean class="org.springframework.security.access.vote.AuthenticatedVoter"/>
                				<beans:bean class="org.springframework.security.access.vote.RoleVoter"/>
                				<beans:bean class="org.springframework.security.oauth.provider.attributes.ConsumerSecurityVoter"/>
                			</beans:set>
                		</beans:property>
                	</beans:bean>	
                	
                	<beans:bean id="methodSecurityInterceptor" class="org.springframework.security.access.intercept.aopalliance.MethodSecurityInterceptor">
                	 	<beans:property name="authenticationManager" ref="authenticationManager"/>
                		<beans:property name="accessDecisionManager" ref="accessDecisionManager"/>
                		<beans:property name="securityMetadataSource" ref="delegatingMetadataSource"/>
                	</beans:bean>
                
                    <beans:bean id="methodSecurityMetadataSourceAdvisor" class="org.springframework.security.access.intercept.aopalliance.MethodSecurityMetadataSourceAdvisor"> 
                        <beans:constructor-arg value="methodSecurityInterceptor"/>
                        <beans:constructor-arg ref="delegatingMetadataSource"/>
                        <beans:constructor-arg value="delegatingMetadataSource"/>
                    </beans:bean>
                
                    <beans:bean id="defaultAdvisorAutoProxyCreator" class="org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator">
                        <beans:property name="beanName" value="methodSecurityMetadataSourceAdvisor"/>
                    </beans:bean>
                
                	<beans:bean id="delegatingMetadataSource" class="org.springframework.security.access.method.DelegatingMethodSecurityMetadataSource">
                		<beans:property name="methodSecurityMetadataSources">
                			<beans:list>
                				<beans:bean class="org.springframework.security.oauth.provider.attributes.ConsumerSecurityMetadataSource" />
                			</beans:list>
                		</beans:property>
                	</beans:bean>
