Announcement Announcement Module
No announcement yet.
Meaning Tonr Spring Config - /oauth/(users|clients)/.*" Page Title Module
Move Remove Collapse
Conversation Detail Module
  • Filter
  • Time
  • Show
Clear All
new posts

  • Meaning Tonr Spring Config - /oauth/(users|clients)/.*"

    Hi there,

    we've got a demo OAuth2 server with Spring OAuth2 running but we do not fully understand some of the Spring Config - originally this piece is from the Sparkl demo app:

    <!-- The OAuth2 protected resources are separated out into their own block so we can deal with authorization and error handling
    separately. This isn't mandatory, but it makes it easier to control the behaviour. -->
    <http pattern="/oauth/(users|clients)/.*" request-matcher="regex" create-session="stateless" entry-point-ref="oauthAuthenticationEntryPoint"
    use-expressions="true" xmlns="">
    <anonymous enabled="false" />
    <intercept-url pattern="/oauth/users/([^/].*?)/tokens/.*"
    access="oauthClientHasRole('ROLE_CLIENT') and (hasRole('ROLE_USER') or oauthIsClient()) and oauthHasScope('write')"
    method="DELETE" />
    <intercept-url pattern="/oauth/users/.*"
    access="oauthClientHasRole('ROLE_CLIENT') and (hasRole('ROLE_USER') or oauthIsClient()) and oauthHasScope('read')"
    method="GET" />
    <intercept-url pattern="/oauth/clients/.*" access="oauthClientHasRole('ROLE_CLIENT') and oauthIsClient() and oauthHasScope('read')"
    method="GET" />
    <custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
    <access-denied-handler ref="oauthAccessDeniedHandler" />
    <expression-handler ref="oauthWebExpressionHandler" />

    What is it good for? I have the gut feel that we don't need it for our scenario, but who can tell us exactly what this is used for?

  • #2
    It's protecting the token admin endpoints. If you have those endpoints (they are defined in the sparklr sample, not in the core library) you will need to protect them, and otherwise I guess not.