modify oauth scopes
This commit is contained in:
DOHA
parent
a7a28893d9
commit
87392e16b6
@ -29,13 +29,15 @@ public class OAuth2ResourceServerConfig extends ResourceServerConfigurerAdapter
|
|||||||
http
|
http
|
||||||
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED)
|
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED)
|
||||||
.and()
|
.and()
|
||||||
.requestMatchers().antMatchers("/foos/**","/bars/**")
|
.requestMatchers().antMatchers("/foos/**","/bars/**","/bazes/**")
|
||||||
.and()
|
.and()
|
||||||
.authorizeRequests()
|
.authorizeRequests()
|
||||||
.antMatchers(HttpMethod.GET,"/foos/**").access("#oauth2.hasScope('read')")
|
.antMatchers(HttpMethod.GET,"/foos/**").access("#oauth2.hasScope('foo') and #oauth2.hasScope('read')")
|
||||||
.antMatchers(HttpMethod.POST,"/foos/**").access("#oauth2.hasScope('write')")
|
.antMatchers(HttpMethod.POST,"/foos/**").access("#oauth2.hasScope('foo') and #oauth2.hasScope('write')")
|
||||||
.antMatchers(HttpMethod.GET,"/bars/**").access("#oauth2.hasScope('read') and hasRole('ROLE_ADMIN')")
|
.antMatchers(HttpMethod.GET,"/bars/**").access("#oauth2.hasScope('bar') and #oauth2.hasScope('read')")
|
||||||
.antMatchers(HttpMethod.POST,"/bars/**").access("#oauth2.hasScope('write') and hasRole('ROLE_ADMIN')")
|
.antMatchers(HttpMethod.POST,"/bars/**").access("#oauth2.hasScope('bar') and #oauth2.hasScope('write')")
|
||||||
|
.antMatchers(HttpMethod.GET,"/bazes/**").access("#oauth2.hasScope('read') and hasRole('ROLE_ADMIN')")
|
||||||
|
.antMatchers(HttpMethod.POST,"/bazes/**").access("#oauth2.hasScope('write') and hasRole('ROLE_ADMIN')")
|
||||||
;
|
;
|
||||||
// @formatter:on
|
// @formatter:on
|
||||||
}
|
}
|
||||||
|
|||||||
@ -21,7 +21,7 @@ public class BarController {
|
|||||||
}
|
}
|
||||||
|
|
||||||
// API - read
|
// API - read
|
||||||
// @PreAuthorize("#oauth2.hasScope('read') and hasRole('ROLE_ADMIN')")
|
// @PreAuthorize("#oauth2.hasScope('bar') and #oauth2.hasScope('read')")
|
||||||
@RequestMapping(method = RequestMethod.GET, value = "/bars/{id}")
|
@RequestMapping(method = RequestMethod.GET, value = "/bars/{id}")
|
||||||
@ResponseBody
|
@ResponseBody
|
||||||
public Bar findById(@PathVariable final long id) {
|
public Bar findById(@PathVariable final long id) {
|
||||||
@ -29,7 +29,7 @@ public class BarController {
|
|||||||
}
|
}
|
||||||
|
|
||||||
// API - write
|
// API - write
|
||||||
// @PreAuthorize("#oauth2.hasScope('write') and hasRole('ROLE_ADMIN')")
|
// @PreAuthorize("#oauth2.hasScope('bar') and #oauth2.hasScope('write')")
|
||||||
@RequestMapping(method = RequestMethod.POST, value = "/bars")
|
@RequestMapping(method = RequestMethod.POST, value = "/bars")
|
||||||
@ResponseStatus(HttpStatus.CREATED)
|
@ResponseStatus(HttpStatus.CREATED)
|
||||||
@ResponseBody
|
@ResponseBody
|
||||||
|
|||||||
@ -0,0 +1,41 @@
|
|||||||
|
package org.baeldung.web.controller;
|
||||||
|
|
||||||
|
import static org.apache.commons.lang3.RandomStringUtils.randomAlphabetic;
|
||||||
|
import static org.apache.commons.lang3.RandomStringUtils.randomNumeric;
|
||||||
|
|
||||||
|
import org.baeldung.web.dto.Baz;
|
||||||
|
import org.springframework.http.HttpStatus;
|
||||||
|
import org.springframework.stereotype.Controller;
|
||||||
|
import org.springframework.web.bind.annotation.PathVariable;
|
||||||
|
import org.springframework.web.bind.annotation.RequestBody;
|
||||||
|
import org.springframework.web.bind.annotation.RequestMapping;
|
||||||
|
import org.springframework.web.bind.annotation.RequestMethod;
|
||||||
|
import org.springframework.web.bind.annotation.ResponseBody;
|
||||||
|
import org.springframework.web.bind.annotation.ResponseStatus;
|
||||||
|
|
||||||
|
@Controller
|
||||||
|
public class BazController {
|
||||||
|
|
||||||
|
public BazController() {
|
||||||
|
super();
|
||||||
|
}
|
||||||
|
|
||||||
|
// API - read
|
||||||
|
// @PreAuthorize("#oauth2.hasScope('read') and hasRole('ROLE_ADMIN')")
|
||||||
|
@RequestMapping(method = RequestMethod.GET, value = "/bazes/{id}")
|
||||||
|
@ResponseBody
|
||||||
|
public Baz findById(@PathVariable final long id) {
|
||||||
|
return new Baz(Long.parseLong(randomNumeric(2)), randomAlphabetic(4));
|
||||||
|
}
|
||||||
|
|
||||||
|
// API - write
|
||||||
|
// @PreAuthorize("#oauth2.hasScope('write') and hasRole('ROLE_ADMIN')")
|
||||||
|
@RequestMapping(method = RequestMethod.POST, value = "/bazes")
|
||||||
|
@ResponseStatus(HttpStatus.CREATED)
|
||||||
|
@ResponseBody
|
||||||
|
public Baz create(@RequestBody final Baz baz) {
|
||||||
|
baz.setId(Long.parseLong(randomNumeric(2)));
|
||||||
|
return baz;
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
||||||
@ -21,7 +21,7 @@ public class FooController {
|
|||||||
}
|
}
|
||||||
|
|
||||||
// API - read
|
// API - read
|
||||||
// @PreAuthorize("#oauth2.hasScope('read')")
|
// @PreAuthorize("#oauth2.hasScope('foo') and #oauth2.hasScope('read')")
|
||||||
@RequestMapping(method = RequestMethod.GET, value = "/foos/{id}")
|
@RequestMapping(method = RequestMethod.GET, value = "/foos/{id}")
|
||||||
@ResponseBody
|
@ResponseBody
|
||||||
public Foo findById(@PathVariable final long id) {
|
public Foo findById(@PathVariable final long id) {
|
||||||
@ -29,7 +29,7 @@ public class FooController {
|
|||||||
}
|
}
|
||||||
|
|
||||||
// API - write
|
// API - write
|
||||||
// @PreAuthorize("#oauth2.hasScope('write')")
|
// @PreAuthorize("#oauth2.hasScope('foo') and #oauth2.hasScope('write')")
|
||||||
@RequestMapping(method = RequestMethod.POST, value = "/foos")
|
@RequestMapping(method = RequestMethod.POST, value = "/foos")
|
||||||
@ResponseStatus(HttpStatus.CREATED)
|
@ResponseStatus(HttpStatus.CREATED)
|
||||||
@ResponseBody
|
@ResponseBody
|
||||||
|
|||||||
@ -0,0 +1,36 @@
|
|||||||
|
package org.baeldung.web.dto;
|
||||||
|
|
||||||
|
public class Baz {
|
||||||
|
private long id;
|
||||||
|
private String name;
|
||||||
|
|
||||||
|
public Baz() {
|
||||||
|
super();
|
||||||
|
}
|
||||||
|
|
||||||
|
public Baz(final long id, final String name) {
|
||||||
|
super();
|
||||||
|
|
||||||
|
this.id = id;
|
||||||
|
this.name = name;
|
||||||
|
}
|
||||||
|
|
||||||
|
//
|
||||||
|
|
||||||
|
public long getId() {
|
||||||
|
return id;
|
||||||
|
}
|
||||||
|
|
||||||
|
public void setId(final long id) {
|
||||||
|
this.id = id;
|
||||||
|
}
|
||||||
|
|
||||||
|
public String getName() {
|
||||||
|
return name;
|
||||||
|
}
|
||||||
|
|
||||||
|
public void setName(final String name) {
|
||||||
|
this.name = name;
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
||||||
@ -49,13 +49,19 @@ public class OAuth2AuthorizationServerConfig extends AuthorizationServerConfigur
|
|||||||
clients.jdbc(dataSource())
|
clients.jdbc(dataSource())
|
||||||
.withClient("sampleClientId")
|
.withClient("sampleClientId")
|
||||||
.authorizedGrantTypes("implicit")
|
.authorizedGrantTypes("implicit")
|
||||||
.scopes("read","write")
|
.scopes("read","write","foo","bar")
|
||||||
.autoApprove(false)
|
.autoApprove(false)
|
||||||
.and()
|
.and()
|
||||||
.withClient("clientIdPassword")
|
.withClient("fooClientIdPassword")
|
||||||
.secret("secret")
|
.secret("secret")
|
||||||
.authorizedGrantTypes("password","authorization_code", "refresh_token")
|
.authorizedGrantTypes("password","authorization_code", "refresh_token")
|
||||||
.scopes("read","write");
|
.scopes("foo","read","write")
|
||||||
|
.and()
|
||||||
|
.withClient("barClientIdPassword")
|
||||||
|
.secret("secret")
|
||||||
|
.authorizedGrantTypes("password","authorization_code", "refresh_token")
|
||||||
|
.scopes("bar","read","write")
|
||||||
|
;
|
||||||
|
|
||||||
// @formatter:on
|
// @formatter:on
|
||||||
}
|
}
|
||||||
|
|||||||
@ -13,7 +13,7 @@
|
|||||||
site="http://localhost:8081/spring-security-oauth-server"
|
site="http://localhost:8081/spring-security-oauth-server"
|
||||||
client-id="sampleClientId"
|
client-id="sampleClientId"
|
||||||
redirect-uri="http://localhost:8081/spring-security-oauth-ui-implicit/"
|
redirect-uri="http://localhost:8081/spring-security-oauth-ui-implicit/"
|
||||||
scope="read write"
|
scope="read write foo bar"
|
||||||
template="oauthTemp">
|
template="oauthTemp">
|
||||||
</oauth>
|
</oauth>
|
||||||
|
|
||||||
@ -94,6 +94,26 @@ app.controller('mainCtrl', function($scope,$resource,$http,$rootScope) {
|
|||||||
});
|
});
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// baz
|
||||||
|
$scope.baz = {id:0 , name:"sample baz"};
|
||||||
|
$scope.bazes = $resource("http://localhost:8081/spring-security-oauth-resource/bazes/:bazId",{bazId:'@id'});
|
||||||
|
|
||||||
|
$scope.getBaz = function(){
|
||||||
|
$scope.baz = $scope.bazes.get({bazId:$scope.baz.id});
|
||||||
|
}
|
||||||
|
|
||||||
|
$scope.createBaz = function(){
|
||||||
|
if($scope.baz.name.length==0)
|
||||||
|
{
|
||||||
|
$rootScope.message = "Baz name can not be empty";
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
$scope.baz.id = null;
|
||||||
|
$scope.baz = $scope.bazes.save($scope.baz, function(){
|
||||||
|
$rootScope.message = "Baz Created Successfully";
|
||||||
|
});
|
||||||
|
}
|
||||||
|
|
||||||
});
|
});
|
||||||
/*]]>*/
|
/*]]>*/
|
||||||
</script>
|
</script>
|
||||||
|
|||||||
@ -50,8 +50,31 @@
|
|||||||
<a class="btn btn-default" href="#" ng-click="getBar()">Get Bar</a>
|
<a class="btn btn-default" href="#" ng-click="getBar()">Get Bar</a>
|
||||||
<a class="btn btn-default" href="#" ng-click="createBar()">Create Bar</a>
|
<a class="btn btn-default" href="#" ng-click="createBar()">Create Bar</a>
|
||||||
</div>
|
</div>
|
||||||
|
|
||||||
</div>
|
</div>
|
||||||
|
<br/>
|
||||||
|
<hr/>
|
||||||
|
<br/>
|
||||||
|
<br/>
|
||||||
|
<br/>
|
||||||
|
<h1>Baz Details</h1>
|
||||||
|
<div class="col-sm-6">
|
||||||
|
<div class="col-sm-12">
|
||||||
|
<label class="col-sm-2">ID</label>
|
||||||
|
<span class="col-sm-10"><input class="form-control" ng-model="baz.id"/></span>
|
||||||
|
</div>
|
||||||
|
|
||||||
|
<div class="col-sm-12">
|
||||||
|
<label class="col-sm-2">Name</label>
|
||||||
|
<span class="col-sm-10"><input class="form-control" ng-model="baz.name"/></span>
|
||||||
|
</div>
|
||||||
|
|
||||||
|
<div class="col-sm-12">
|
||||||
|
<a class="btn btn-default" href="#" ng-click="getBaz()">Get Baz</a>
|
||||||
|
<a class="btn btn-default" href="#" ng-click="createBaz()">Create Baz</a>
|
||||||
|
</div>
|
||||||
|
</div>
|
||||||
|
|
||||||
|
|
||||||
</div>
|
</div>
|
||||||
</body>
|
</body>
|
||||||
</html>
|
</html>
|
||||||
@ -28,8 +28,8 @@ app.controller('mainCtrl', function($scope,$resource,$http,$httpParamSerializer,
|
|||||||
$scope.foo = $scope.foos.get({fooId:$scope.foo.id});
|
$scope.foo = $scope.foos.get({fooId:$scope.foo.id});
|
||||||
}
|
}
|
||||||
|
|
||||||
$scope.data = {grant_type:"password", username: "", password: "", client_id: "clientIdPassword"};
|
$scope.data = {grant_type:"password", username: "", password: "", client_id: "fooClientIdPassword"};
|
||||||
$scope.encoded = btoa("clientIdPassword:secret");
|
$scope.encoded = btoa("fooClientIdPassword:secret");
|
||||||
|
|
||||||
var isLoginPage = window.location.href.indexOf("login") != -1;
|
var isLoginPage = window.location.href.indexOf("login") != -1;
|
||||||
if(isLoginPage){
|
if(isLoginPage){
|
||||||
|
|||||||
@ -13,45 +13,76 @@ import com.jayway.restassured.response.Response;
|
|||||||
|
|
||||||
public class AuthorizationLiveTest {
|
public class AuthorizationLiveTest {
|
||||||
|
|
||||||
private String obtainAccessToken(String username, String password) {
|
private String obtainAccessToken(String clientId, String username, String password) {
|
||||||
final Map<String, String> params = new HashMap<String, String>();
|
final Map<String, String> params = new HashMap<String, String>();
|
||||||
params.put("grant_type", "password");
|
params.put("grant_type", "password");
|
||||||
params.put("client_id", "clientIdPassword");
|
params.put("client_id", clientId);
|
||||||
params.put("username", username);
|
params.put("username", username);
|
||||||
params.put("password", password);
|
params.put("password", password);
|
||||||
final Response response = RestAssured.given().auth().preemptive().basic("clientIdPassword", "secret").and().with().params(params).when().post("http://localhost:8081/spring-security-oauth-server/oauth/token");
|
final Response response = RestAssured.given().auth().preemptive().basic(clientId, "secret").and().with().params(params).when().post("http://localhost:8081/spring-security-oauth-server/oauth/token");
|
||||||
return response.jsonPath().getString("access_token");
|
return response.jsonPath().getString("access_token");
|
||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
public void givenUser_whenAccessFoosResource_thenOk() {
|
public void givenUser_whenUseFooClient_thenOkForFooResourceOnly() {
|
||||||
final String accessToken = obtainAccessToken("john", "123");
|
final String accessToken = obtainAccessToken("fooClientIdPassword", "john", "123");
|
||||||
final Response response = RestAssured.given().header("Authorization", "Bearer " + accessToken).get("http://localhost:8081/spring-security-oauth-resource/foos/1");
|
|
||||||
assertEquals(200, response.getStatusCode());
|
final Response fooResponse = RestAssured.given().header("Authorization", "Bearer " + accessToken).get("http://localhost:8081/spring-security-oauth-resource/foos/1");
|
||||||
assertNotNull(response.jsonPath().get("name"));
|
assertEquals(200, fooResponse.getStatusCode());
|
||||||
|
assertNotNull(fooResponse.jsonPath().get("name"));
|
||||||
|
|
||||||
|
final Response barResponse = RestAssured.given().header("Authorization", "Bearer " + accessToken).get("http://localhost:8081/spring-security-oauth-resource/bars/1");
|
||||||
|
assertEquals(403, barResponse.getStatusCode());
|
||||||
|
|
||||||
|
final Response bazResponse = RestAssured.given().header("Authorization", "Bearer " + accessToken).get("http://localhost:8081/spring-security-oauth-resource/bazes/1");
|
||||||
|
assertEquals(403, bazResponse.getStatusCode());
|
||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
public void givenUser_whenAccessBarssResource_thenUnauthorized() {
|
public void givenUser_whenUseBarClient_thenOkForBarResourceOnly() {
|
||||||
final String accessToken = obtainAccessToken("john", "123");
|
final String accessToken = obtainAccessToken("barClientIdPassword", "john", "123");
|
||||||
final Response response = RestAssured.given().header("Authorization", "Bearer " + accessToken).get("http://localhost:8081/spring-security-oauth-resource/bars/1");
|
|
||||||
assertEquals(403, response.getStatusCode());
|
final Response barResponse = RestAssured.given().header("Authorization", "Bearer " + accessToken).get("http://localhost:8081/spring-security-oauth-resource/bars/1");
|
||||||
|
assertEquals(200, barResponse.getStatusCode());
|
||||||
|
assertNotNull(barResponse.jsonPath().get("name"));
|
||||||
|
|
||||||
|
final Response fooResponse = RestAssured.given().header("Authorization", "Bearer " + accessToken).get("http://localhost:8081/spring-security-oauth-resource/foos/1");
|
||||||
|
assertEquals(403, fooResponse.getStatusCode());
|
||||||
|
|
||||||
|
final Response bazResponse = RestAssured.given().header("Authorization", "Bearer " + accessToken).get("http://localhost:8081/spring-security-oauth-resource/bazes/1");
|
||||||
|
assertEquals(403, bazResponse.getStatusCode());
|
||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
public void givenAdmin_whenAccessFoosResource_thenOk() {
|
public void givenAdmin_whenUseFooClient_thenOkForFooAndBazResourceOnly() {
|
||||||
final String accessToken = obtainAccessToken("tom", "111");
|
final String accessToken = obtainAccessToken("fooClientIdPassword", "tom", "111");
|
||||||
final Response response = RestAssured.given().header("Authorization", "Bearer " + accessToken).get("http://localhost:8081/spring-security-oauth-resource/foos/1");
|
|
||||||
assertEquals(200, response.getStatusCode());
|
final Response fooResponse = RestAssured.given().header("Authorization", "Bearer " + accessToken).get("http://localhost:8081/spring-security-oauth-resource/foos/1");
|
||||||
assertNotNull(response.jsonPath().get("name"));
|
assertEquals(200, fooResponse.getStatusCode());
|
||||||
|
assertNotNull(fooResponse.jsonPath().get("name"));
|
||||||
|
|
||||||
|
final Response bazResponse = RestAssured.given().header("Authorization", "Bearer " + accessToken).get("http://localhost:8081/spring-security-oauth-resource/bazes/1");
|
||||||
|
assertEquals(200, bazResponse.getStatusCode());
|
||||||
|
assertNotNull(bazResponse.jsonPath().get("name"));
|
||||||
|
|
||||||
|
final Response barResponse = RestAssured.given().header("Authorization", "Bearer " + accessToken).get("http://localhost:8081/spring-security-oauth-resource/bars/1");
|
||||||
|
assertEquals(403, barResponse.getStatusCode());
|
||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
public void givenAdmin_whenAccessBarssResource_thenOk() {
|
public void givenAdmin_whenUseBarClient_thenOkForBarAndBazResourceOnly() {
|
||||||
final String accessToken = obtainAccessToken("tom", "111");
|
final String accessToken = obtainAccessToken("barClientIdPassword", "tom", "111");
|
||||||
final Response response = RestAssured.given().header("Authorization", "Bearer " + accessToken).get("http://localhost:8081/spring-security-oauth-resource/bars/1");
|
|
||||||
assertEquals(200, response.getStatusCode());
|
final Response barResponse = RestAssured.given().header("Authorization", "Bearer " + accessToken).get("http://localhost:8081/spring-security-oauth-resource/bars/1");
|
||||||
assertNotNull(response.jsonPath().get("name"));
|
assertEquals(200, barResponse.getStatusCode());
|
||||||
|
assertNotNull(barResponse.jsonPath().get("name"));
|
||||||
|
|
||||||
|
final Response bazResponse = RestAssured.given().header("Authorization", "Bearer " + accessToken).get("http://localhost:8081/spring-security-oauth-resource/bazes/1");
|
||||||
|
assertEquals(200, bazResponse.getStatusCode());
|
||||||
|
assertNotNull(bazResponse.jsonPath().get("name"));
|
||||||
|
|
||||||
|
final Response fooResponse = RestAssured.given().header("Authorization", "Bearer " + accessToken).get("http://localhost:8081/spring-security-oauth-resource/foos/1");
|
||||||
|
assertEquals(403, fooResponse.getStatusCode());
|
||||||
}
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user