Thread: question about consumer roles and user roles

  1. #1

    question about consumer roles and user roles

    I have a website that users can log in to through web pages. The user roles are defined as ROLE_ADMIN, ROLE_USER etc. Now I wanna enable 3rd party developers to make iPhone applications that connect to our site through OAuth. Now we have 2 actors: mobile user and mobile application developer/vendor. For the mobile users, they are still attached to their original roles (ROLE_ADMIN, ROLE_USER). For mobile application developers, how do I assign their roles? For example, I may wanna make 2 new roles just for app developers: ROLE_DEVELOPER_BASIC, ROLE_DEVELOPER_ADVANCED.

    Here are their permissions:
    Code:
    ROLE_DEVELOPER_BASIC can access url "/api/basic/*"
    ROLE_DEVELOPER_ADVANCED can access url "/api/advanced/*"
    How do I do that with Spring Security OAuth?

  2. #2

    You need a more complicated access decision than is supported by the default AccessDecisionManager. You can add your own and implement the decision you need in a custom voter. If you were using OAuth2 you could use a SpEL expression for the access decision (it's only supported in OAuth 1 in method level security). Raise a JIRA ticket, and feel free to contribute a fix (should be easy to copy the OAuth 2 code), if you want to do that.
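
An added example, not part of the thread and not Spring Security OAuth's own code: one way to write the custom voter the reply describes, for OAuth 1. It assumes the provider filter leaves the consumer on the authentication details as `OAuthAuthenticationDetails` and that the developer roles are stored as the consumer's authorities; the `CONSUMER_` attribute prefix is a hypothetical convention.

```java
import java.util.Collection;
import org.springframework.security.access.AccessDecisionVoter;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.oauth.provider.ConsumerDetails;
import org.springframework.security.oauth.provider.OAuthAuthenticationDetails;

/** Votes on attributes such as CONSUMER_ROLE_DEVELOPER_BASIC (hypothetical prefix). */
public class ConsumerRoleVoter implements AccessDecisionVoter<Object> {
    private static final String PREFIX = "CONSUMER_";

    public boolean supports(ConfigAttribute attribute) {
        return attribute.getAttribute() != null && attribute.getAttribute().startsWith(PREFIX);
    }

    public boolean supports(Class<?> clazz) {
        return true;
    }

    public int vote(Authentication authentication, Object object,
                    Collection<ConfigAttribute> attributes) {
        int result = ACCESS_ABSTAIN; // no CONSUMER_ attribute: leave it to other voters
        for (ConfigAttribute attribute : attributes) {
            if (!supports(attribute)) continue;
            // A consumer role is required from here on: fail closed unless matched.
            result = ACCESS_DENIED;
            String required = attribute.getAttribute().substring(PREFIX.length());
            if (hasConsumerRole(authentication, required)) return ACCESS_GRANTED;
        }
        return result;
    }

    // Assumption: the consumer (the third-party app) is carried in the details object.
    private boolean hasConsumerRole(Authentication authentication, String role) {
        if (authentication == null) return false;
        Object details = authentication.getDetails();
        if (!(details instanceof OAuthAuthenticationDetails)) return false; // not an OAuth request
        ConsumerDetails consumer = ((OAuthAuthenticationDetails) details).getConsumerDetails();
        if (consumer == null || consumer.getAuthorities() == null) return false;
        for (GrantedAuthority authority : consumer.getAuthorities()) {
            if (role.equals(authority.getAuthority())) return true;
        }
        return false;
    }
}
```

Registered alongside `RoleVoter` in a `UnanimousBased` decision manager, an access list of `ROLE_USER,CONSUMER_ROLE_DEVELOPER_BASIC` on `/api/basic/**` requires both the user role and the consumer role. With `AffirmativeBased` either one alone would grant access, which is usually not what is wanted here.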
