
Thread: confusing between ROLE_USER, ROLE_CLIENT

  1. #1

    Hi,
    I use Spring OAuth M6. I have some problems:
    1. When I want to get a token from the client, sometimes it detects clientId (in AuthorizationCodeTokenGranter:83) as a client and sometimes as a resource owner, and the second case causes an exception. The problem shows up especially when you clear the browser cache (I don't know the relationship between these).
    2. I want to serve some services only for clients, so I set access="ROLE_CLIENT" and give my client the ROLE_CLIENT permission, but I get an AccessDeniedException because RoleVoter does not check this role; it sees my clients as "ROLE_USER".
    Cheers.
    Last edited by Sina; Apr 16th, 2012 at 08:53 AM.

  2. #2

    I didn't really understand point 1.

    On point 2, the Spring Security ROLE_* values are completely arbitrary, and you are free to interpret them in any way you like. If the existing voters don't do what you need you can write your own or use a SpEL expression. However, a RoleVoter does check all the granted authorities in the current Authentication, so I don't really know what you mean by saying that it does not check ROLE_CLIENT.

    Can you explain in a bit more detail what you want to happen?

  3. #3

    Dear Dave,
    For point 2, let's look at this example in sparklr. If I change spring-servlet.xml to:
    Code:
    <http pattern="/photos/**" entry-point-ref="oauthAuthenticationEntryPoint" access-decision-manager-ref="accessDecisionManager"
        xmlns="http://www.springframework.org/schema/security">
        <intercept-url pattern="/photos" access="ROLE_CLIENT,SCOPE_READ" />
        <intercept-url pattern="/photos/trusted/**" access="ROLE_CLIENT,SCOPE_TRUST" />
        <intercept-url pattern="/photos/user/**" access="ROLE_CLIENT,SCOPE_TRUST" />
        <intercept-url pattern="/photos/**" access="ROLE_CLIENT,SCOPE_READ" />
        <custom-filter ref="resourceServerFilter" before="EXCEPTION_TRANSLATION_FILTER" />
        <access-denied-handler ref="oauthAccessDeniedHandler" />
    </http>
    I think this means that only a client can access these URLs (I have not changed anything else and, as you know, the client has role "ROLE_CLIENT"). When I run tonr (or my project), it returns error code 403. I think that "org.springframework.security.access.vote.RoleVoter" can't detect this role.
    Must I develop my own voter?
    For point 1, I will describe it later and better. I want to find a better description for it.

  4. #4

    If you didn't change Tonr, it is not acting as a client, it is acting on behalf of a user (who will not have the required ROLE_CLIENT), so it is expected that you would get a 403. If you want to make an assertion about the request from tonr being from a client with a specific role (without changing the app) you can use an expression, e.g. "oauthClientHasRole('ROLE_CLIENT') and hasScope('trust')".
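The point made in the two replies above (RoleVoter votes on the authorities of whatever Authentication carries the request, and a user-authorized token carries the user's roles, not the client's) can be shown with plain Spring Security core classes. This is an added example, not code from the thread or from sparklr/tonr; the principal names and the use of UsernamePasswordAuthenticationToken as a stand-in for the OAuth authentication are constructed assumptions.

```java
import java.util.Collection;

import org.springframework.security.access.AccessDecisionVoter;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.SecurityConfig;
import org.springframework.security.access.vote.RoleVoter;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;

public class RoleVoterDemo {

    // The attribute list from the intercept-url in the thread: access="ROLE_CLIENT,SCOPE_READ"
    static final Collection<ConfigAttribute> PHOTOS_ATTRS =
            SecurityConfig.createList("ROLE_CLIENT", "SCOPE_READ");

    // Constructed stand-in for the Authentication that reaches the voter; in a real resource
    // server this object is produced by the OAuth resource server filter, not built by hand.
    static Authentication authenticated(String name, String... authorities) {
        return new UsernamePasswordAuthenticationToken(name, "n/a",
                AuthorityUtils.createAuthorityList(authorities));
    }

    static String describe(int vote) {
        switch (vote) {
            case AccessDecisionVoter.ACCESS_GRANTED: return "GRANTED";
            case AccessDecisionVoter.ACCESS_DENIED:  return "DENIED";
            default:                                 return "ABSTAIN";
        }
    }

    public static void main(String[] args) {
        RoleVoter voter = new RoleVoter(); // default prefix "ROLE_"

        // Token obtained on behalf of a resource owner: the authorities are the user's (hypothetical user).
        Authentication onBehalfOfUser = authenticated("some-user", "ROLE_USER");
        // Token obtained by the client itself (client credentials): the authorities are the client's.
        Authentication clientItself = authenticated("some-client", "ROLE_CLIENT");

        // The user-backed Authentication has no ROLE_CLIENT, so the voter denies: this is the 403 in the thread.
        System.out.println("user-backed request:   " + describe(voter.vote(onBehalfOfUser, null, PHOTOS_ATTRS)));
        System.out.println("client-backed request: " + describe(voter.vote(clientItself, null, PHOTOS_ATTRS)));

        // RoleVoter only considers attributes starting with its prefix; a SCOPE_* attribute alone
        // makes it abstain, so the OAuth scope voter must also be in the accessDecisionManager.
        Collection<ConfigAttribute> scopeOnly = SecurityConfig.createList("SCOPE_READ");
        System.out.println("scope-only attribute:  " + describe(voter.vote(clientItself, null, scopeOnly)));
    }
}
```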
