如何根据spring-rest-oauth中的oauth范围限制方法访问？

Question

如何根据范围限制对方法的访问？例如,在下面的curl中,我获得了只有"read"范围的访问令牌.也就是说,用户已授权客户端应用程序具有对资源的只读访问权限

curl -X POST -vu clientapp:12334 http://localhost:9001/oauth/token -H "Accept: application/json" -d "password=spring&username=roy&grant_type=password&scope=read"

但Note客户端在auth服务器上注册了两个范围 - read and write.

现在,假设资源服务器有两个端点

/users/update - 此端点是POST请求.只有在用户批准"写入"范围时才应该公开.

users/getInfo - 此端点是GET请求.这应该公开,因为用户已授予具有读取范围的客户端访问权限

我的问题是我们如何在方法级别控制这些访问

@RestController
@RequestMapping("/users")
public class UserController {

    private static final String template = "Hello, %s!";

    private final AtomicLong counter = new AtomicLong();

    @RequestMapping("/update",  method = RequestMethod.POST)
    public UserProfile update(@AuthenticationPrincipal User user) {

          ///update userProfile 
         return userProfile;
    }

      @RequestMapping("/getInfo",  method = RequestMethod.GET)
    public UserProfile getProfile(@AuthenticationPrincipal User user) {

            //get the userData from database
            return userProfile;
    }
}

是否可以使用范围注释方法:例如

  @scope("read")
   @RequestMapping("/getInfo",  method = RequestMethod.GET)
    public UserProfile getProfile(@AuthenticationPrincipal User user) {

            //get the userData from database
            return userProfile;
    }
}

Answer 1

Spring Security OAuth有自己的表达,例如#oauth2.clientHasRole,#oauth2.clientHasAnyRole,#oauth2.hasScope

@PreAuthorize("#oauth2.hasScope('write')")
public void create(Contact contact);

参考:

http://projects.spring.io/spring-security-oauth/docs/oauth2.html

http://docs.spring.io/spring-security/oauth/apidocs/org/springframework/security/oauth2/provider/expression/OAuth2SecurityExpressionMethods.html

http://docs.spring.io/spring-security/site/docs/3.2.5.RELEASE/reference/htmlsingle/#el-access