Hi All,
I'm using Spring Security OAuth2 (M6 version) and I have a requirement that a user should get to the approve page only once, after his first login. The approved flag should be stored in the DB and it is not difficult to implement a custom UserApprovalHandler that verifies this flag. My question is where to inject the code that saves the approval flag value. I looked at the AuthorizationEndpoint source code and some other classes but I can't find a place where this code can be injected. So I'll be grateful for any advice.
My opinion is that it might be better to put this logic into UserApprovalHandler. For example, create a new method:

    /**
     * Basic interface for determining whether a given client authentication request has been approved by the current user.
     *
     * @author Ryan Heaton
     * @author Dave Syer
     */
    public interface UserApprovalHandler {

        /**
         * Whether the specified authorization request has been approved by the current user (if there is one).
         *
         * @param authorizationRequest the authorization request.
         * @param userAuthentication the user authentication for the current user.
         * @return Whether the specified client authentication has been approved by the current user.
         */
        boolean isApproved(AuthorizationRequest authorizationRequest, Authentication userAuthentication);

        /**
         * Put approve logic here (e.g. store the approved flag in the DB).
         *
         * @param authorizationRequest the authorization request.
         * @param approved the decision the user made on the approval page.
         * @return the same request with the approved flag set, so the endpoint can pass it on.
         */
        AuthorizationRequest doApprove(AuthorizationRequest authorizationRequest, boolean approved);
    }

And then change AuthorizationEndpoint from

    public View approveOrDeny(@RequestParam(USER_OAUTH_APPROVAL) boolean approved,
            @ModelAttribute AuthorizationRequest authorizationRequest, SessionStatus sessionStatus, Principal principal) {
        // ................
        try {
            Set<String> responseTypes = authorizationRequest.getResponseTypes();
            authorizationRequest = resolveRedirectUri(authorizationRequest);
            if (responseTypes.contains("token")) {
                return getImplicitGrantResponse(authorizationRequest.approved(true)).getView();
            }
            return getAuthorizationCodeResponse(authorizationRequest.approved(approved), (Authentication) principal);
        }
        finally {
            sessionStatus.setComplete();
        }
    }

to

    public View approveOrDeny(@RequestParam(USER_OAUTH_APPROVAL) boolean approved,
            @ModelAttribute AuthorizationRequest authorizationRequest, SessionStatus sessionStatus, Principal principal) {
        // ................
        try {
            Set<String> responseTypes = authorizationRequest.getResponseTypes();
            authorizationRequest = resolveRedirectUri(authorizationRequest);
            if (responseTypes.contains("token")) {
                return getImplicitGrantResponse(authorizationRequest.approved(true)).getView();
            }
            // Persist the user's decision and set the approved flag in one step via the handler
            return getAuthorizationCodeResponse(userApprovalHandler.doApprove(authorizationRequest, approved), (Authentication) principal);
        }
        finally {
            sessionStatus.setComplete();
        }
    }
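As an added example (not code from the post or from the Spring Security OAuth2 project), here is a UserApprovalHandler implementing the two methods above against a hypothetical ApprovalStore DAO; it assumes the M6 AuthorizationRequest accessors getClientId(), getScope() and isApproved(), and it remembers consent per client and scope set so that a client later asking for wider scope than it was granted still goes back through the approval page.

```java
import java.util.Set;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.oauth2.provider.AuthorizationRequest;

/**
 * Remembers a user's consent per client and scope set, so the approval page is
 * shown once and skipped on later logins for the same client and scopes.
 */
public class PersistentUserApprovalHandler implements UserApprovalHandler {

    /** Hypothetical DAO over the DB table holding (user, client_id, scopes, approved). */
    public interface ApprovalStore {
        /** Scopes previously approved by the user for the client; empty if none or if denied. */
        Set<String> approvedScopes(String userName, String clientId);
        void save(String userName, String clientId, Set<String> scopes, boolean approved);
    }

    private final ApprovalStore store;

    public PersistentUserApprovalHandler(ApprovalStore store) {
        this.store = store;
    }

    public boolean isApproved(AuthorizationRequest authorizationRequest, Authentication userAuthentication) {
        if (authorizationRequest.isApproved()) {
            return true; // already decided in this request (e.g. via approveOrDeny)
        }
        if (userAuthentication == null || !userAuthentication.isAuthenticated()) {
            return false; // never auto-approve for an anonymous principal
        }
        Set<String> requested = authorizationRequest.getScope();
        Set<String> remembered = store.approvedScopes(userAuthentication.getName(),
                authorizationRequest.getClientId());
        // Skip the page only if every requested scope was approved before; a request
        // for scope the user never granted must be shown to the user again.
        return !remembered.isEmpty() && requested != null && remembered.containsAll(requested);
    }

    public AuthorizationRequest doApprove(AuthorizationRequest authorizationRequest, boolean approved) {
        // approveOrDeny runs inside the user's security context, so the user is
        // reachable here even though the proposed signature carries no Authentication.
        Authentication user = SecurityContextHolder.getContext().getAuthentication();
        if (user != null && user.isAuthenticated()) {
            store.save(user.getName(), authorizationRequest.getClientId(),
                    authorizationRequest.getScope(), approved);
        }
        return authorizationRequest.approved(approved);
    }
}
```

Note that the implicit-grant branch of approveOrDeny above still calls approved(true) directly, so approvals for "token" response types are not recorded unless that branch is also routed through doApprove.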