
Thread: Meaning Tonr Spring Config - /oauth/(users|clients)/.*"

  1. #1


    Hi there,

    We've got a demo OAuth2 server with Spring OAuth2 running, but we do not fully understand some of the Spring config. Originally this piece is from the Sparklr demo app:

    <!-- The OAuth2 protected resources are separated out into their own block so we can deal with authorization and error handling
         separately. This isn't mandatory, but it makes it easier to control the behaviour. -->
    <http pattern="/oauth/(users|clients)/.*" request-matcher="regex" create-session="stateless" entry-point-ref="oauthAuthenticationEntryPoint"
          use-expressions="true" xmlns="http://www.springframework.org/schema/security">
        <anonymous enabled="false" />
        <intercept-url pattern="/oauth/users/([^/].*?)/tokens/.*"
                       access="oauthClientHasRole('ROLE_CLIENT') and (hasRole('ROLE_USER') or oauthIsClient()) and oauthHasScope('write')"
                       method="DELETE" />
        <intercept-url pattern="/oauth/users/.*"
                       access="oauthClientHasRole('ROLE_CLIENT') and (hasRole('ROLE_USER') or oauthIsClient()) and oauthHasScope('read')"
                       method="GET" />
        <intercept-url pattern="/oauth/clients/.*"
                       access="oauthClientHasRole('ROLE_CLIENT') and oauthIsClient() and oauthHasScope('read')"
                       method="GET" />
        <custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
        <access-denied-handler ref="oauthAccessDeniedHandler" />
        <expression-handler ref="oauthWebExpressionHandler" />
    </http>

    What is it good for? I have the gut feel that we don't need it for our scenario, but who can tell us exactly what this is used for?

  2. #2

    It's protecting the token admin endpoints. If you have those endpoints (they are defined in the sparklr sample, not in the core library) you will need to protect them, and otherwise I guess not.
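
To see which requests the block in the question covers, here is an added example (not part of the original thread or the sparklr sample) that models the regex request matching in Python. It assumes full-string matching on the request path and first-match-wins ordering of the `intercept-url` rules; the function name `resolve` and the sample paths are constructed for illustration.

```python
import re

# Patterns and access expressions transcribed from the <http> block in the question.
HTTP_BLOCK = r"/oauth/(users|clients)/.*"
RULES = [  # (method, path regex, access expression), in document order
    ("DELETE", r"/oauth/users/([^/].*?)/tokens/.*",
     "oauthClientHasRole('ROLE_CLIENT') and (hasRole('ROLE_USER') or oauthIsClient())"
     " and oauthHasScope('write')"),
    ("GET", r"/oauth/users/.*",
     "oauthClientHasRole('ROLE_CLIENT') and (hasRole('ROLE_USER') or oauthIsClient())"
     " and oauthHasScope('read')"),
    ("GET", r"/oauth/clients/.*",
     "oauthClientHasRole('ROLE_CLIENT') and oauthIsClient() and oauthHasScope('read')"),
]


def resolve(method, path):
    """Return (handled_by_this_block, access_expression_or_None).

    Assumption: the pattern must match the whole path (no query string in
    these samples) and the first rule whose method and pattern both match wins.
    """
    if not re.fullmatch(HTTP_BLOCK, path):
        return (False, None)  # some other <http> element handles this request
    for rule_method, pattern, access in RULES:
        if rule_method == method and re.fullmatch(pattern, path):
            return (True, access)
    return (True, None)  # inside the block, but no intercept-url applies


if __name__ == "__main__":
    # Constructed sample requests.
    samples = [
        ("DELETE", "/oauth/users/alice/tokens/abc123"),  # revoke: needs 'write'
        ("GET", "/oauth/users/alice/tokens"),            # list: needs 'read'
        ("GET", "/oauth/clients/my-client/tokens"),      # client-only, 'read'
        ("DELETE", "/oauth/users/alice/tokens"),         # no trailing segment
        ("POST", "/oauth/users/alice/tokens/abc123"),    # method not listed
        ("GET", "/oauth/token"),                         # outside this block
    ]
    for method, path in samples:
        print(method, path, "->", resolve(method, path))
```

A result of `(True, None)` means the request falls inside this block but none of its `intercept-url` rules names that method and path, so the block's access expressions place no constraint on it.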
