Thread: sparklr2 admin endpoints restricted to POST?

  1. #1

    sparklr2 admin endpoints restricted to POST?

    After doing the OAuth dance in tonr/sparklr with "marissa", I try to access the admin endpoints (using Chrome/Simple REST Client) by passing her access token, like so:

    Code:
    GET http://localhost:8080/sparklr2/oauth/users/marissa/tokens
    Authorization: Bearer (token)
    and I get:

    Code:
    403 Forbidden
    {"error":"access_denied","error_description":"Access is denied"}
    but if I POST, I get the desired response.

    Code:
    200 OK
    [{"access_token":"(access-token)","token_type":"bearer","refresh_token":"(refresh-token)","expires_in":26603,"scope":"read","client_id":"client1"}]
    But the config states:

    Code:
    <intercept-url pattern="/oauth/users/.*"
    access="#oauth2.clientHasRole('ROLE_CLIENT') and (hasRole('ROLE_USER') or #oauth2.isClient()) and #oauth2.hasScope('read')"
    method="GET" />
    so how can this be?

  2. #2

    Looks like a bug in the sample to me. It shouldn't accept POST requests at all on that endpoint (but it *was* only added as a demo and to help with integration testing). Feel free to open a JIRA ticket and send a pull request as well if you have time.
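    Added illustration, not the sparklr2 sample's own configuration: the rule quoted in #1 carries method="GET", and in Spring Security's XML configuration a request that matches no intercept-url rule passes the security interceptor without any access check, which is why a POST to the same path is not challenged. The block assumes request-matcher="regex" and use-expressions="true" on the http element (implied by the .* pattern and the #oauth2 expressions in the sample) and uses the standard denyAll expression for the catch-all.

```xml
<!-- Added example, not the sparklr2 sample: why a GET-only rule leaves other
     HTTP methods unchecked, and a catch-all that closes the gap. Assumes
     request-matcher="regex" and use-expressions="true" on the <http> element
     (implied by the .* pattern and the #oauth2 expressions in the sample). -->

<!-- Weak (as quoted in #1): only GET is evaluated. A POST, PUT or DELETE to
     /oauth/users/marissa/tokens matches no rule, so no access check runs and
     the request reaches the endpoint. -->
<intercept-url pattern="/oauth/users/.*"
    access="#oauth2.clientHasRole('ROLE_CLIENT') and (hasRole('ROLE_USER') or #oauth2.isClient()) and #oauth2.hasScope('read')"
    method="GET" />

<!-- Hardened: keep the GET rule, then deny every other method on the same
     paths. Rules are matched in declaration order and the first match wins,
     so the catch-all must follow the method-specific rule, never precede it. -->
<intercept-url pattern="/oauth/users/.*"
    access="#oauth2.clientHasRole('ROLE_CLIENT') and (hasRole('ROLE_USER') or #oauth2.isClient()) and #oauth2.hasScope('read')"
    method="GET" />
<intercept-url pattern="/oauth/users/.*" access="denyAll" />
```

    With the catch-all in place the POST from #1 returns 403 as the GET does; whether the GET then succeeds still depends on the token's client role and scope satisfying the expression.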

  3. #3

    OK thanks. I've opened SECOAUTH-318 to track this issue.
