Example 1 with InsufficientScopeException

Use of org.springframework.security.oauth2.common.exceptions.InsufficientScopeException in project spring-security-oauth by spring-projects.

The class ScopeVoter, method vote.

public int vote(Authentication authentication, Object object, Collection<ConfigAttribute> attributes) {
    int result = ACCESS_ABSTAIN;
    // Scopes only exist on OAuth2 authentications; for anything else this voter abstains.
    if (!(authentication instanceof OAuth2Authentication)) {
        return result;
    }
    // The configured denyAccess attribute wins outright, regardless of any scopes held.
    for (ConfigAttribute attribute : attributes) {
        if (denyAccess.equals(attribute.getAttribute())) {
            return ACCESS_DENIED;
        }
    }
    OAuth2Request clientAuthentication = ((OAuth2Authentication) authentication).getOAuth2Request();
    for (ConfigAttribute attribute : attributes) {
        // Only attributes carrying scopePrefix (SCOPE_ by default) are this voter's business.
        if (this.supports(attribute)) {
            // Once a scope attribute is in play the default flips from abstain to deny:
            // the token must prove it was granted the matching scope.
            result = ACCESS_DENIED;
            Set<String> scopes = clientAuthentication.getScope();
            for (String scope : scopes) {
                // Case-insensitive match of e.g. SCOPE_read against the granted scope "read".
                if (attribute.getAttribute().toUpperCase().equals((scopePrefix + scope).toUpperCase())) {
                    return ACCESS_GRANTED;
                }
            }
            if (result == ACCESS_DENIED && throwException) {
                // Report the missing scope (prefix stripped) so the resource server can
                // answer 403 with an insufficient_scope challenge naming it.
                InsufficientScopeException failure = new InsufficientScopeException("Insufficient scope for this resource", Collections.singleton(attribute.getAttribute().substring(scopePrefix.length())));
                throw new AccessDeniedException(failure.getMessage(), failure);
            }
        }
    }
    return result;
}
Also used : InsufficientScopeException(org.springframework.security.oauth2.common.exceptions.InsufficientScopeException) OAuth2Request(org.springframework.security.oauth2.provider.OAuth2Request) AccessDeniedException(org.springframework.security.access.AccessDeniedException) ConfigAttribute(org.springframework.security.access.ConfigAttribute) OAuth2Authentication(org.springframework.security.oauth2.provider.OAuth2Authentication)

Example 2 with InsufficientScopeException

Use of org.springframework.security.oauth2.common.exceptions.InsufficientScopeException in project spring-security-oauth by spring-projects.

The class AdminEndpointsTests, method testRevokeTokenByUser.

@Test
@OAuth2ContextConfiguration(ResourceOwnerWriteOnly.class)
public void testRevokeTokenByUser() throws Exception {
    OAuth2AccessToken token = context.getAccessToken();
    String tokenValueBeforeDeletion = token.getValue();
    HttpHeaders headers = new HttpHeaders();
    headers.setAccept(Arrays.asList(MediaType.APPLICATION_JSON));
    HttpEntity<?> request = new HttpEntity<Void>(headers);
    assertEquals(HttpStatus.NO_CONTENT, serverRunning.getRestTemplate().exchange(serverRunning.getUrl("/sparklr2/oauth/users/{user}/tokens/{token}"), HttpMethod.DELETE, request, Void.class, "marissa", token.getValue()).getStatusCode());
    try {
        // The request above will delete the oauth token so that the next request will initially fail. However,
        // the failure will be detected and a new access token will be obtained.  The new access token
        // only has "write" scope and the requested resource needs "read" scope.  So, an insufficient_scope
        // exception should be thrown.
        ResponseEntity<String> result = serverRunning.getForString("/sparklr2/oauth/clients/my-client-with-registered-redirect/users/marissa/tokens", headers);
        fail("Should have thrown an exception");
        assertNotNull(result);
    } catch (InsufficientScopeException ex) {
        assertEquals(HttpStatus.FORBIDDEN.value(), ex.getHttpErrorCode());
        assertEquals("insufficient_scope", ex.getOAuth2ErrorCode());
        String secondTokenWithWriteOnlyScope = context.getOAuth2ClientContext().getAccessToken().getValue();
        assertNotNull(secondTokenWithWriteOnlyScope);
        assertFalse(secondTokenWithWriteOnlyScope.equals(tokenValueBeforeDeletion));
    }
}
Also used : HttpHeaders(org.springframework.http.HttpHeaders) InsufficientScopeException(org.springframework.security.oauth2.common.exceptions.InsufficientScopeException) HttpEntity(org.springframework.http.HttpEntity) OAuth2AccessToken(org.springframework.security.oauth2.common.OAuth2AccessToken) OAuth2ContextConfiguration(org.springframework.security.oauth2.client.test.OAuth2ContextConfiguration) Test(org.junit.Test)

Example 3 with InsufficientScopeException

Use of org.springframework.security.oauth2.common.exceptions.InsufficientScopeException in project spring-security-oauth by spring-projects.

The class AuthorizationCodeProviderTests, method testInsufficientScopeInResourceRequest.

@Test
@OAuth2ContextConfiguration(resource = MyClientWithRegisteredRedirect.class, initialize = false)
public void testInsufficientScopeInResourceRequest() throws Exception {
    AuthorizationCodeResourceDetails resource = (AuthorizationCodeResourceDetails) context.getResource();
    resource.setScope(Arrays.asList("trust"));
    approveAccessTokenGrant("http://anywhere?key=value", true);
    assertNotNull(context.getAccessToken());
    try {
        serverRunning.getForString("/sparklr2/photos?format=json");
        fail("Should have thrown exception");
    } catch (InsufficientScopeException ex) {
    // ignore / all good
    }
}
Also used : InsufficientScopeException(org.springframework.security.oauth2.common.exceptions.InsufficientScopeException) AuthorizationCodeResourceDetails(org.springframework.security.oauth2.client.token.grant.code.AuthorizationCodeResourceDetails) OAuth2ContextConfiguration(org.springframework.security.oauth2.client.test.OAuth2ContextConfiguration) Test(org.junit.Test)

Example 4 with InsufficientScopeException

Use of org.springframework.security.oauth2.common.exceptions.InsufficientScopeException in project spring-security-oauth by spring-projects.

The class ClientScopeVoter, method vote.

public int vote(Authentication authentication, Object object, Collection<ConfigAttribute> attributes) {
    int result = ACCESS_ABSTAIN;
    // Scopes only exist on OAuth2 authentications; for anything else this voter abstains.
    if (!(authentication instanceof OAuth2Authentication)) {
        return result;
    }
    OAuth2Authentication oauth2Authentication = (OAuth2Authentication) authentication;
    OAuth2Request clientAuthentication = oauth2Authentication.getOAuth2Request();
    // Look up what this client is registered for; the token's scopes are checked against that,
    // not against the resource being accessed.
    ClientDetails client = clientDetailsService.loadClientByClientId(clientAuthentication.getClientId());
    Set<String> scopes = clientAuthentication.getScope();
    // For client-credentials tokens the client's authorities may stand in for scopes.
    if (oauth2Authentication.isClientOnly() && clientAuthoritiesAreScopes) {
        scopes = AuthorityUtils.authorityListToSet(clientAuthentication.getAuthorities());
    }
    for (ConfigAttribute attribute : attributes) {
        if (this.supports(attribute)) {
            // Grant unless the token carries any scope the client was never registered for.
            result = ACCESS_GRANTED;
            for (String scope : scopes) {
                if (!client.getScope().contains(scope)) {
                    result = ACCESS_DENIED;
                    break;
                }
            }
            if (result == ACCESS_DENIED && throwException) {
                // The challenge lists the client's registered scopes, i.e. what it may hold.
                InsufficientScopeException failure = new InsufficientScopeException("Insufficient scope for this resource", client.getScope());
                throw new AccessDeniedException(failure.getMessage(), failure);
            }
            // One supported attribute is enough: the check is about the token as a whole.
            return result;
        }
    }
    return result;
}
Also used : InsufficientScopeException(org.springframework.security.oauth2.common.exceptions.InsufficientScopeException) OAuth2Request(org.springframework.security.oauth2.provider.OAuth2Request) AccessDeniedException(org.springframework.security.access.AccessDeniedException) ClientDetails(org.springframework.security.oauth2.provider.ClientDetails) ConfigAttribute(org.springframework.security.access.ConfigAttribute) OAuth2Authentication(org.springframework.security.oauth2.provider.OAuth2Authentication)
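The two voters above answer different questions: ScopeVoter asks whether the token was granted the scope a resource demands (SCOPE_read needs scope "read"), while ClientScopeVoter asks whether every scope on the token is one the client is registered for. The following stand-alone Java program is an added example, not code from spring-security-oauth; it models both decisions without any Spring dependency and shows the RFC 6750 Bearer challenge a resource server would send with HTTP 403. The class, method and field names (ScopeDecisions, InsufficientScope, requiredScopePresent, tokenScopesRegisteredForClient, the sample "read", "write" and "admin" scopes) are this example's own.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.LinkedHashSet;
import java.util.Set;

// Hypothetical, dependency-free model of the two scope decisions shown on this page.
// Class and method names here are this example's own, not spring-security-oauth API.
public class ScopeDecisions {

    enum Vote { GRANTED, DENIED, ABSTAIN }

    // Same default prefix the voters use for scope attributes: SCOPE_read -> scope "read".
    static final String SCOPE_PREFIX = "SCOPE_";

    // Stand-in for InsufficientScopeException: carries the scopes the caller needs.
    static final class InsufficientScope extends RuntimeException {
        final Set<String> scope;
        InsufficientScope(String description, Set<String> scope) {
            super(description);
            this.scope = scope;
        }
        // RFC 6750 Bearer challenge a resource server returns alongside HTTP 403.
        String challenge() {
            return "Bearer error=\"insufficient_scope\", error_description=\"" + getMessage()
                    + "\", scope=\"" + String.join(" ", scope) + "\"";
        }
    }

    // ScopeVoter semantics: the resource demands SCOPE_<x>; the token must have been issued
    // with scope <x>. Matching is case-insensitive. A non-scope attribute is not ours to judge.
    static Vote requiredScopePresent(String attribute, Set<String> tokenScopes) {
        if (!attribute.toUpperCase().startsWith(SCOPE_PREFIX)) {
            return Vote.ABSTAIN;
        }
        for (String s : tokenScopes) {
            if (attribute.equalsIgnoreCase(SCOPE_PREFIX + s)) {
                return Vote.GRANTED;
            }
        }
        // The challenge names the single scope this resource is missing.
        throw new InsufficientScope("Insufficient scope for this resource",
                Collections.singleton(attribute.substring(SCOPE_PREFIX.length())));
    }

    // ClientScopeVoter semantics: every scope the token carries must be one the client is
    // registered for. A token that somehow holds "admin" for a read/write client is refused
    // even when the resource itself would be satisfied by "read".
    static Vote tokenScopesRegisteredForClient(Set<String> tokenScopes, Set<String> clientScopes) {
        for (String s : tokenScopes) {
            if (!clientScopes.contains(s)) {
                // The challenge lists what the client is allowed to hold, not what it asked for.
                throw new InsufficientScope("Insufficient scope for this resource", clientScopes);
            }
        }
        return Vote.GRANTED;
    }

    static Set<String> scopes(String... s) {
        return new LinkedHashSet<>(Arrays.asList(s));
    }

    public static void main(String[] args) {
        // Constructed sample registration: the client may hold "read" and "write".
        Set<String> registered = scopes("read", "write");

        // Write-only token against a read resource: the situation testRevokeTokenByUser drives.
        try {
            requiredScopePresent("SCOPE_READ", scopes("write"));
        } catch (InsufficientScope e) {
            System.out.println("403 " + e.challenge());
        }

        // A token issued with "read" satisfies the same resource.
        System.out.println(requiredScopePresent("SCOPE_READ", scopes("read")));

        // A token carrying a scope the client was never registered for.
        try {
            tokenScopesRegisteredForClient(scopes("read", "admin"), registered);
        } catch (InsufficientScope e) {
            System.out.println("403 " + e.challenge());
        }
    }
}
```

Compile and run it with `javac ScopeDecisions.java && java ScopeDecisions`. The first and third cases print a challenge whose `scope` parameter tells the client what to ask for on its next token request, which is exactly what the client-side tests on this page catch as InsufficientScopeException before obtaining a fresh token.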

Example 5 with InsufficientScopeException

Use of org.springframework.security.oauth2.common.exceptions.InsufficientScopeException in project spring-security-oauth by spring-projects.

The class AuthorizationCodeProviderTests, method testInsufficientScopeInResourceRequest.

@Test
@OAuth2ContextConfiguration(resource = MyClientWithRegisteredRedirect.class, initialize = false)
public void testInsufficientScopeInResourceRequest() throws Exception {
    AuthorizationCodeResourceDetails resource = (AuthorizationCodeResourceDetails) context.getResource();
    resource.setScope(Arrays.asList("trust"));
    approveAccessTokenGrant("http://anywhere?key=value", true);
    assertNotNull(context.getAccessToken());
    try {
        http.getForString("/admin/beans");
        fail("Should have thrown exception");
    } catch (InsufficientScopeException ex) {
        assertTrue("Wrong summary: " + ex, ex.getSummary().contains("scope=\"read"));
    }
}
Also used : InsufficientScopeException(org.springframework.security.oauth2.common.exceptions.InsufficientScopeException) AuthorizationCodeResourceDetails(org.springframework.security.oauth2.client.token.grant.code.AuthorizationCodeResourceDetails) OAuth2ContextConfiguration(org.springframework.security.oauth2.client.test.OAuth2ContextConfiguration) Test(org.junit.Test)

Aggregations

InsufficientScopeException (org.springframework.security.oauth2.common.exceptions.InsufficientScopeException) 6
Test (org.junit.Test) 3
OAuth2ContextConfiguration (org.springframework.security.oauth2.client.test.OAuth2ContextConfiguration) 3
HttpHeaders (org.springframework.http.HttpHeaders) 2
AccessDeniedException (org.springframework.security.access.AccessDeniedException) 2
ConfigAttribute (org.springframework.security.access.ConfigAttribute) 2
AuthorizationCodeResourceDetails (org.springframework.security.oauth2.client.token.grant.code.AuthorizationCodeResourceDetails) 2
OAuth2Authentication (org.springframework.security.oauth2.provider.OAuth2Authentication) 2
OAuth2Request (org.springframework.security.oauth2.provider.OAuth2Request) 2
HttpEntity (org.springframework.http.HttpEntity) 1
ResponseEntity (org.springframework.http.ResponseEntity) 1
OAuth2AccessToken (org.springframework.security.oauth2.common.OAuth2AccessToken) 1
OAuth2Exception (org.springframework.security.oauth2.common.exceptions.OAuth2Exception) 1
ClientDetails (org.springframework.security.oauth2.provider.ClientDetails) 1