{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://www.manongdao.com/data/attach/logo/logo.png', '推荐 ゆ 、 Hurt° 的问题《How to protect spring-security-oauth resources usi》','https://www.manongdao.com/q-1234082.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}
I successfully configured spring-security-oauth2 so that external apps can authenticate with my application. However based on the external app and based on what the user allows, only a subset of my API should be accessible to clients. The available subset is determined by the OAuth Scopes.
In classic Spring applications I could use @PreAuthorize to enforce boundaries based on roles:
@Controller
public class MyController {
@PreAuthorize("hasRole('admin')")
@RequestMapping("...")
public String doStuff() {
// ...
}
}
How do I do the same when using OAuth and with Scopes instead of roles?
Spring OAuth ships with the
OAuth2MethodSecurityExpressionHandler, a class that adds the ability to do such checks using the @PreAuthorize expressions. All you need to do is register this class, e.g. like this if you are using Javaconfig:Now you can simply use:
to secure your request methods. To see which further methods are available besided
hasScopecheck the classOAuth2SecurityExpressionMethods.The downside is that
OAuth2MethodSecurityExpressionHandlerextends theDefaultMethodSecurityExpressionHandlerand thus you cannot combine it with other classes that also extend this class.As an alternative you could also map OAuth scopes to classic user roles.