is there annotation or di based approach implementing resource field level filtering based on oauth2 scope in spring?
we have spring boot based resource server has oauth2 scope protected endpoints. works fine scope protect endpoints, want able filter sensitive information resources expose based on scope. e.g. want expose last 4 of person's ssn when client scope allows it.
so far way i've found on resource server this:
authentication authentication = securitycontextholder.getcontext().getauthentication(); oauth2securityexpressionmethods expressionmethods = new oauth2securityexpressionmethods(authentication); boolean hasscope = expressionmethods.hasscope("xyz.read"); if(hasscope) { resource.setssn(entity.getssn()); } so when scope "xyz.read" not present resource this:
{ "name": "blah" } but when scope "xyz.read" present resource this:
{ "name": "blah", "ssn": "123-45-2347" } having reach out , grab authentication object security context holder , construct new oauth2securityexpressionmethods every time want check scope seems we're missing something. 'pure' oauth2 resource server we've not discovered better way accomplish this.
this our resource server configuration looks (and work fine):
@configuration @enableresourceserver public class resourceserverconfiguration extends resourceserverconfigureradapter { @override public void configure(httpsecurity http) throws exception { http.authorizerequests() .antmatchers("/health").permitall() .antmatchers("/info").permitall() .antmatchers("/").permitall() .antmatchers("/**").access("#oauth2.hasscope('xyz.read')"); } @override public void configure(resourceserversecurityconfigurer resources) throws exception { resources.resourceid("resource-id"); } }
you make use of @jsonview annotation, view names reflect authentication or access levels. have @ tutorial: http://www.baeldung.com/jackson-json-view-annotation.
the goal: when object serialized, view dictate fields should shown/serialized.
Comments
Post a Comment