Resource Server supports hasAuthority #5237

Closed
jzheaux opened this issue Apr 16, 2018 · 1 comment
Labels
in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) type: enhancement A general enhancement
Comments

jzheaux commented Apr 16, 2018

Summary

Under the current plan, Resource Server SpEL expressions will only support oauth2-specific expressions at the root. For example:

@PreAuthorize("hasScope('message.read')")

will work, but

@PreAuthorize("hasAuthority('message.read')")

won't. This will have two unfortunate consequences for end users.

First, it may put oauth2-specific SpEL expressions into generic interfaces, e.g.:

import org.springframework.data.repository.CrudRepository;
import org.springframework.security.access.prepost.PreAuthorize;

// A repository interface must extend CrudRepository (with its entity and id types), not implement it
public interface MessageRepository extends CrudRepository<Message, String> {
    @PreAuthorize("hasScope('message.read')")
    Message findById(String id);
}

when we'd really like:

import org.springframework.data.repository.CrudRepository;
import org.springframework.security.access.prepost.PreAuthorize;

// Same repository, guarded by the generic hasAuthority expression instead of an OAuth2-specific one
public interface MessageRepository extends CrudRepository<Message, String> {
    @PreAuthorize("hasAuthority('message.read')")
    Message findById(String id);
}

Second, it may be impossible for a service that needs to support more than just OAuth2 to do so. For example:

import org.springframework.data.repository.CrudRepository;
import org.springframework.security.access.prepost.PreAuthorize;

// Accepts either a non-OAuth2 authority or an OAuth2 scope for the same method
public interface MessageRepository extends CrudRepository<Message, String> {
    @PreAuthorize("hasAuthority('message.read') or hasScope('message.read')")
    Message findById(String id);
}

may be impossible.

The purpose of this issue is to provide support for hasAuthority in Security SpEL expressions when the server is configured as an OAuth2 Resource Server.

Each individual scope in the scope attribute in OAuth 2 appears to be a good mapping for the intent of hasAuthority(authority).
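The scope-to-authority mapping proposed above, as an added example that is not part of the original issue or of Spring Security's own code. It assumes Spring Security 5.1-era types (Jwt, JwtAuthenticationToken, Converter) and a claim named "scope"; handling of an array-valued claim is an assumption beyond what the issue describes, and registering the converter with the resource server DSL is left out.

```java
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.List;

import org.springframework.core.convert.converter.Converter;
import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken;

/**
 * Turns each scope carried by a signature-verified JWT into one GrantedAuthority, so a plain
 * hasAuthority('message.read') check sees "message.read" without any OAuth2-specific SpEL.
 * Only the verified Jwt is consulted: the resource server rejects a token whose signature
 * fails before this converter ever runs, so the mapping does not widen what a token grants.
 */
public class ScopeAuthoritiesConverter implements Converter<Jwt, AbstractAuthenticationToken> {

    @Override
    public AbstractAuthenticationToken convert(Jwt jwt) {
        return new JwtAuthenticationToken(jwt, scopesToAuthorities(jwt.getClaims().get("scope")));
    }

    /**
     * Accepts the RFC 6749 form ("message.read message.write", space-delimited) and, as an
     * assumption for servers that emit an array, a collection of scope strings.
     * Any other shape yields no authorities rather than guessing.
     */
    static Collection<GrantedAuthority> scopesToAuthorities(Object scopeClaim) {
        List<String> scopes = new ArrayList<>();
        if (scopeClaim instanceof String) {
            for (String s : ((String) scopeClaim).trim().split("\\s+")) {
                if (!s.isEmpty()) {
                    scopes.add(s);
                }
            }
        } else if (scopeClaim instanceof Collection) {
            for (Object o : (Collection<?>) scopeClaim) {
                scopes.add(String.valueOf(o));
            }
        }
        List<GrantedAuthority> authorities = new ArrayList<>();
        for (String scope : scopes) {
            authorities.add(new SimpleGrantedAuthority(scope));
        }
        return Collections.unmodifiableList(authorities);
    }
}
```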

jzheaux commented Apr 16, 2018

Relates to #4887

@jzheaux jzheaux added New Feature in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) labels Apr 17, 2018
@jzheaux jzheaux modified the milestones: 5.1.0.M1, 5.1.0.M2 Apr 17, 2018
jzheaux added a commit to jzheaux/spring-security that referenced this issue Jul 16, 2018
Introducing initial support for Jwt-Encoded Bearer Token authorization
with remote JWK set signature verification.

High-level features include:

- Accepting bearer tokens as headers and form or query parameters
- Verifying signatures from a remote Jwk set

And:

- A DSL for easy configuration
- A sample to demonstrate usage

Fixes: spring-projectsgh-5128
Fixes: spring-projectsgh-5125
Fixes: spring-projectsgh-5121
Fixes: spring-projectsgh-5130
Fixes: spring-projectsgh-5226
Fixes: spring-projectsgh-5237
@rwinch rwinch closed this as completed in 40ccdb9 Jul 16, 2018
@rwinch rwinch added the type: enhancement A general enhancement label May 3, 2019