Issue with scope attribute on <oauth:resource/> in 1.0.0RC3
  • Issue with scope attribute on <oauth:resource/> in 1.0.0RC3

    I am working on updating from 1.0.0M6d to 1.0.0RC3. In my client I have the following oauth:resource defined:

    Code:
    <oauth:resource id="service" type="authorization_code" client-id="client" client-secret="secret"
    		access-token-uri="${accessTokenUri}" user-authorization-uri="${userAuthorizationUri}"  scope="read,write"/>
    On the resource I have the following:

    Code:
    	<http pattern="/service/**" create-session="never" entry-point-ref="oauthAuthenticationEntryPoint"
    		access-decision-manager-ref="accessDecisionManager" xmlns="http://www.springframework.org/schema/security">
    		<anonymous enabled="false" />
    		<intercept-url pattern="/service" access="ROLE_USER,SCOPE_READ" />
    		<intercept-url pattern="/service/**" access="ROLE_USER,SCOPE_READ" method="GET"/>
    		<custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
    		<access-denied-handler ref="oauthAccessDeniedHandler" />
    	</http>
    and for the AccessDecisionManager:

    Code:
    	<bean id="accessDecisionManager" class="org.springframework.security.access.vote.UnanimousBased" xmlns="http://www.springframework.org/schema/beans">
    		<constructor-arg>
    			<list>
    				<bean class="org.springframework.security.oauth2.provider.vote.ScopeVoter" />
    				<bean class="org.springframework.security.access.vote.RoleVoter" />
    				<bean class="org.springframework.security.access.vote.AuthenticatedVoter" />
    			</list>
    		</constructor-arg>
    	</bean>
    When I replace ScopeVoter with my own implementation, I can see that the AuthorizationRequest associated with the Authentication passed to the vote() method on ScopeVoter has only a single scope associated with it: 'read write'. It looks like somewhere the scopes are getting parsed incorrectly in the request. If I remove the scope attribute from oauth:resource, it seems to fall back to the scopes registered with the client and the request succeeds.
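    The following is an added illustration of why a scope set holding the single string 'read write' fails a SCOPE_READ check while the set {read, write} passes; it is not code from the original post or from Spring Security OAuth. The ScopeCheckDemo class, its parseScopes helper and the vote() return convention (1 grant, -1 deny, 0 abstain) are assumptions made for this example and stand in for the real ScopeVoter; the config attributes ROLE_USER and SCOPE_READ are taken from the intercept-url in the thread, and the scope values are constructed inputs.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Locale;
import java.util.Set;

// Hypothetical stand-in for a scope voter. It is NOT
// org.springframework.security.oauth2.provider.vote.ScopeVoter; it only
// demonstrates the matching rule a scope check is expected to apply.
public class ScopeCheckDemo {

    static final String SCOPE_PREFIX = "SCOPE_";

    static final int ACCESS_GRANTED = 1;
    static final int ACCESS_ABSTAIN = 0;
    static final int ACCESS_DENIED = -1;

    /**
     * Parse a scope attribute such as the one on <oauth:resource scope="..."/>.
     * Accepts commas and/or whitespace as separators, so "read,write" and
     * "read write" both yield the two scopes "read" and "write".
     */
    static Set<String> parseScopes(String raw) {
        Set<String> scopes = new LinkedHashSet<>();
        if (raw == null) {
            return scopes;
        }
        for (String s : raw.split("[,\\s]+")) {
            if (!s.isEmpty()) {
                scopes.add(s.toLowerCase(Locale.ROOT));
            }
        }
        return scopes;
    }

    /**
     * Grant only if every SCOPE_* attribute on the intercepted URL names a scope
     * present in the token's scope set; abstain when no SCOPE_* attribute exists.
     */
    static int vote(Set<String> tokenScopes, List<String> configAttributes) {
        int result = ACCESS_ABSTAIN;
        for (String attr : configAttributes) {
            if (!attr.startsWith(SCOPE_PREFIX)) {
                continue;
            }
            result = ACCESS_GRANTED;
            String required = attr.substring(SCOPE_PREFIX.length()).toLowerCase(Locale.ROOT);
            if (!tokenScopes.contains(required)) {
                return ACCESS_DENIED;
            }
        }
        return result;
    }

    public static void main(String[] args) {
        // Attributes from <intercept-url pattern="/service" access="ROLE_USER,SCOPE_READ"/>
        List<String> attrs = Arrays.asList("ROLE_USER", "SCOPE_READ");

        // Constructed input: the single unsplit scope the poster observed on the request
        Set<String> unsplit = new HashSet<>(Collections.singleton("read write"));
        System.out.println("scopes " + unsplit + " -> vote " + vote(unsplit, attrs));

        // Constructed input: the same attribute value, split into individual scopes
        Set<String> fromComma = parseScopes("read,write");
        System.out.println("scopes " + fromComma + " -> vote " + vote(fromComma, attrs));

        Set<String> fromSpace = parseScopes("read write");
        System.out.println("scopes " + fromSpace + " -> vote " + vote(fromSpace, attrs));

        // A URL with no SCOPE_* attribute gets an abstention, leaving the decision to RoleVoter
        System.out.println("no SCOPE_ attribute -> vote "
                + vote(fromComma, Collections.singletonList("ROLE_USER")));
    }
}
```

    Running the class shows the first vote denying and the next two granting: a scope set whose only element is the literal string 'read write' can never contain "read", which is exactly the symptom described above, and the same value split on commas or whitespace satisfies the check. Under an UnanimousBased manager a single denial from the scope voter is enough to reject the request even when RoleVoter is satisfied, so a scope-parsing defect surfaces as an access-denied response rather than a configuration error.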

  • #2
    That looks like a bug. If you raise a ticket in JIRA you will be able to trace it.

    • #3
      done: SECOAUTH-346
