  • question about consumer roles and user roles

    I have a website that users can log in to through web pages. The user roles are defined as ROLE_ADMIN, ROLE_USER etc. Now I wanna enable 3rd party developers to make iPhone applications that connect to our site through OAuth. Now we have 2 actors: mobile user and mobile application developer/vendor. The mobile users are still attached to their original roles (ROLE_ADMIN, ROLE_USER). For mobile application developers, how do I assign their roles? For example, I may wanna make 2 new roles just for app developers: ROLE_DEVELOPER_BASIC, ROLE_DEVELOPER_ADVANCED.

    Here are their permissions:
    ROLE_DEVELOPER_BASIC can access url "/api/basic/*"
    ROLE_DEVELOPER_ADVANCED can access url "/api/advanced/*"
    How do I do that with Spring Security OAuth?

  • #2
    You need a more complicated access decision than is supported by the default AccessDecisionManager. You can add your own and implement the decision you need in a custom voter. If you were using OAuth2 you could use a SpEL expression for the access decision (it's only supported in OAuth 1 in method level security). Raise a JIRA ticket, and feel free to contribute a fix (should be easy to copy the OAuth 2 code), if you want to do that.
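
One way to write the custom voter suggested in the reply above (an added example, not code from the thread or from the Spring Security OAuth project). The class name `ConsumerRoleVoter` is hypothetical, and the example assumes the OAuth 1 provider exposes the consumer through `ConsumerAuthentication` or, once the user's authentication has been loaded, through `OAuthAuthenticationDetails`.

```java
import java.util.Collection;
import java.util.LinkedHashMap;
import java.util.Map;

import org.springframework.security.access.AccessDecisionVoter;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.oauth.provider.ConsumerAuthentication;
import org.springframework.security.oauth.provider.ConsumerDetails;
import org.springframework.security.oauth.provider.OAuthAuthenticationDetails;
import org.springframework.security.web.FilterInvocation;

/** Hypothetical voter: decides on the consumer's (app developer's) roles, not the user's. */
public class ConsumerRoleVoter implements AccessDecisionVoter<FilterInvocation> {
    // URL prefix -> consumer role required, as listed in the question.
    private static final Map<String, String> REQUIRED = new LinkedHashMap<String, String>();
    static {
        REQUIRED.put("/api/basic/", "ROLE_DEVELOPER_BASIC");
        REQUIRED.put("/api/advanced/", "ROLE_DEVELOPER_ADVANCED");
    }

    public boolean supports(ConfigAttribute attribute) { return true; }
    public boolean supports(Class<?> clazz) { return FilterInvocation.class.isAssignableFrom(clazz); }

    public int vote(Authentication auth, FilterInvocation fi, Collection<ConfigAttribute> attrs) {
        String required = null;
        for (Map.Entry<String, String> e : REQUIRED.entrySet()) {
            if (fi.getRequestUrl().startsWith(e.getKey())) { required = e.getValue(); }
        }
        if (required == null) { return ACCESS_ABSTAIN; }  // not an API URL: leave it to other voters
        ConsumerDetails consumer = consumerOf(auth);
        if (consumer == null) { return ACCESS_DENIED; }    // API URL reached without an OAuth consumer
        for (GrantedAuthority a : consumer.getAuthorities()) {
            if (required.equals(a.getAuthority())) { return ACCESS_GRANTED; }
        }
        return ACCESS_DENIED;                              // consumer lacks the developer role
    }

    // Assumption: the consumer sits on the token itself, or on its details after user auth is loaded.
    private static ConsumerDetails consumerOf(Authentication auth) {
        if (auth instanceof ConsumerAuthentication) {
            return ((ConsumerAuthentication) auth).getConsumerDetails();
        }
        if (auth != null && auth.getDetails() instanceof OAuthAuthenticationDetails) {
            return ((OAuthAuthenticationDetails) auth.getDetails()).getConsumerDetails();
        }
        return null;
    }
}
```

Register the voter in a `UnanimousBased` access decision manager alongside `RoleVoter`, so that both the user's role and the consumer's role must pass. Under `AffirmativeBased`, a grant from the user-role voter would override this voter's deny.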