
  • confusing between ROLE_USER, ROLE_CLIENT

    I use Spring OAuth M6. I have some problems:
    1. When I want to get a token from the client, sometimes it detects clientId (in AuthorizationCodeTokenGranter:83) as a client and sometimes as a resource owner, and the second causes an exception. The problem can be detected especially when you clear the cache of the browser (I don't know the relationship between these).
    2. I want to serve some services only for clients, so I set access="ROLE_CLIENT" and give my client the ROLE_CLIENT permission, but I get an AccessDeniedException because RoleVoter does not check this role; it finds my clients as "ROLE_USER".
    Last edited by Sina; Apr 16th, 2012, 08:53 AM.

  • #2
    I didn't really understand point 1.

    On point 2, the Spring Security ROLE_* values are completely arbitrary, and you are free to interpret them in any way you like. If the existing voters don't do what you need you can write your own or use a SpEL expression. However, a RoleVoter does check all the granted authorities in the current Authentication, so I don't really know what you mean by saying that it does not check ROLE_CLIENT.

    Can you explain in a bit more detail what you want to happen?


    • #3
      Dear Dave,
      For point 2, let's look at this example in sparklr. If I change spring-servlet.xml to:
      	<http pattern="/photos/**" entry-point-ref="oauthAuthenticationEntryPoint" access-decision-manager-ref="accessDecisionManager">
      		<intercept-url pattern="/photos" access="ROLE_CLIENT,SCOPE_READ" />
      		<intercept-url pattern="/photos/trusted/**" access="ROLE_CLIENT,SCOPE_TRUST" />
      		<intercept-url pattern="/photos/user/**" access="ROLE_CLIENT,SCOPE_TRUST" />
      		<intercept-url pattern="/photos/**" access="ROLE_CLIENT,SCOPE_READ" />
      		<custom-filter ref="resourceServerFilter" before="EXCEPTION_TRANSLATION_FILTER" />
      		<access-denied-handler ref="oauthAccessDeniedHandler" />
      	</http>
      I think this means that only a client can access these URLs (I have not changed anything else, and as you know the client has role "ROLE_CLIENT"). When I run tonr (or my project), it returns error code 403. I think that RoleVoter can't detect this role.
      Must I develop my own voter?
      For point 1, I will describe it later and better; I want to find a better description for it.


      • #4
        If you didn't change Tonr, it is not acting as a client, it is acting on behalf of a user (who will not have the required ROLE_CLIENT), so it is expected that you would get a 403. If you want to make an assertion about the request from tonr being from a client with a specific role (without changing the app) you can use an expression, e.g. "oauthClientHasRole('ROLE_CLIENT') and hasScope('trust')".
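The difference between the two `access` settings, written out as an added example (not configuration from the thread or from the sparklr sample): with `ROLE_CLIENT` in a plain role list the check runs against the authorities of whoever authenticated, which on a user-driven call from tonr is the end user; with `use-expressions="true"` and an OAuth2-aware expression handler, `oauthClientHasRole` is evaluated against the client registration behind the token. The `oauthWebExpressionHandler` bean name and the `OAuth2WebSecurityExpressionHandler` class are assumptions (the class is the one shipped in later spring-security-oauth2 1.0.x releases; the M6 class name may differ), and the custom `accessDecisionManager` is dropped so the namespace can wire its own WebExpressionVoter.

```xml
<!-- Added example, not sparklr's own config. Bean names other than those quoted
     in the thread (oauthWebExpressionHandler) are assumptions. -->

<!-- Weak: a bare role name is matched against the authenticated principal's
     granted authorities. For a request tonr makes on a user's behalf that
     principal is the user (ROLE_USER), so RoleVoter correctly returns 403. -->
<http pattern="/photos/**" entry-point-ref="oauthAuthenticationEntryPoint"
      access-decision-manager-ref="accessDecisionManager">
    <intercept-url pattern="/photos/trusted/**" access="ROLE_CLIENT,SCOPE_TRUST" />
    <intercept-url pattern="/photos/**"         access="ROLE_CLIENT,SCOPE_READ" />
    <custom-filter ref="resourceServerFilter" before="EXCEPTION_TRANSLATION_FILTER" />
    <access-denied-handler ref="oauthAccessDeniedHandler" />
</http>

<!-- Corrected: SpEL expressions evaluated by an OAuth2-aware handler, so the
     role check is made on the client that obtained the token and the scope
     check on the token itself, independent of which user (if any) is behind it. -->
<http pattern="/photos/**" entry-point-ref="oauthAuthenticationEntryPoint"
      use-expressions="true">
    <intercept-url pattern="/photos/trusted/**"
                   access="oauthClientHasRole('ROLE_CLIENT') and hasScope('trust')" />
    <intercept-url pattern="/photos/**"
                   access="oauthClientHasRole('ROLE_CLIENT') and hasScope('read')" />
    <custom-filter ref="resourceServerFilter" before="EXCEPTION_TRANSLATION_FILTER" />
    <access-denied-handler ref="oauthAccessDeniedHandler" />
    <!-- Without this element the default handler does not know oauthClientHasRole
         or hasScope and every expression fails to parse at startup. -->
    <expression-handler ref="oauthWebExpressionHandler" />
</http>

<!-- Assumed bean: class name as in spring-security-oauth2 1.0.x final releases. -->
<bean id="oauthWebExpressionHandler"
      class="org.springframework.security.oauth2.provider.expression.OAuth2WebSecurityExpressionHandler" />
```

A failed expression evaluation still surfaces as a 403 through `oauthAccessDeniedHandler`, so when debugging it helps to log the token's client id and scopes at the resource server filter to see which clause rejected the call.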