Spring Security OAuth
SECOAUTH-318

sparklr2 admin endpoints restricted to POST

    Details

    • Type: Defect
    • Status: Resolved
    • Priority: Minor
    • Resolution: Complete
    • Affects Version/s: 1.0.0.RC1
    • Fix Version/s: 1.0.1
    • Component/s: OAuth 2

      Description

      After doing the OAuth dance in tonr/sparklr with "marissa", a GET request to the admin endpoints passing the correct access token fails.

      >
      GET http://localhost:8080/sparklr2/oauth/users/marissa/tokens
      Authorization: Bearer (token)

      <
      403 Forbidden

      {"error":"access_denied","error_description":"Access is denied"}

      However, a POST request works.

      <
      200 OK
      [

      {"access_token":"(access-token)","token_type":"bearer","refresh_token":"(refresh-token)","expires_in":26603,"scope":"read","client_id":"client1"}

      ]

      This appears to conflict with sparklr2's configuration:

      <intercept-url pattern="/oauth/users/.*"
      access="#oauth2.clientHasRole('ROLE_CLIENT') and (hasRole('ROLE_USER') or #oauth2.isClient()) and #oauth2.hasScope('read')"
      method="GET" />
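The rule quoted above is scoped to a single HTTP method, and the report shows the two methods being treated differently. The following is an added illustration (not code from Spring Security OAuth or from the reporter) that models how a method-scoped intercept-url rule composes with the three predicates in that expression. It is a deliberately simplified model: the pattern is treated as a regular expression, the predicates are plain set lookups, and a request that matches no rule is reported as NO_RULE rather than decided. The hardened rule set at the end is an assumption of how one might close the gap a method-scoped rule leaves for other methods; it is not the fix applied to this issue.

```python
import re
from dataclasses import dataclass, field
from typing import Callable, Optional

# Constructed principal: who is behind a bearer token (simplified model).
@dataclass
class Principal:
    user_roles: set = field(default_factory=set)    # roles of the resource owner
    client_roles: set = field(default_factory=set)  # roles of the OAuth2 client
    scopes: set = field(default_factory=set)        # scopes granted to the token
    is_client_only: bool = False                    # token issued with no user behind it

# One <intercept-url pattern method access> entry; method=None means any method.
@dataclass
class Rule:
    pattern: str
    check: Callable[[Principal], bool]
    method: Optional[str] = None

# Predicates standing in for the SpEL functions used in the page's expression.
def client_has_role(p: Principal, role: str) -> bool:
    return role in p.client_roles

def has_role(p: Principal, role: str) -> bool:
    return role in p.user_roles

def is_client(p: Principal) -> bool:
    return p.is_client_only

def has_scope(p: Principal, scope: str) -> bool:
    return scope in p.scopes

# #oauth2.clientHasRole('ROLE_CLIENT') and (hasRole('ROLE_USER') or #oauth2.isClient()) and #oauth2.hasScope('read')
def admin_users_access(p: Principal) -> bool:
    return (client_has_role(p, "ROLE_CLIENT")
            and (has_role(p, "ROLE_USER") or is_client(p))
            and has_scope(p, "read"))

# Rule set as quoted in the report: a single GET-only rule (pattern assumed to be a regex).
RULES = [
    Rule(r"/oauth/users/.*", admin_users_access, method="GET"),
]

# Assumed hardening: a method-agnostic companion rule so non-GET requests to the
# same paths are explicitly denied instead of falling through unmatched.
HARDENED_RULES = RULES + [
    Rule(r"/oauth/users/.*", lambda p: False),
]

def decide(rules, method: str, path: str, principal: Principal) -> str:
    """First matching rule wins; returns ALLOW, DENY, or NO_RULE if nothing matched."""
    for rule in rules:
        if rule.method is not None and rule.method != method:
            continue
        if re.fullmatch(rule.pattern, path):
            return "ALLOW" if rule.check(principal) else "DENY"
    return "NO_RULE"

# Constructed sample principals for the scenario in the report.
MARISSA = Principal(user_roles={"ROLE_USER"}, client_roles={"ROLE_CLIENT"}, scopes={"read"})
NO_USER = Principal(client_roles={"ROLE_CLIENT"}, scopes={"read"})  # client role but no user, not client-only

if __name__ == "__main__":
    path = "/oauth/users/marissa/tokens"
    print("GET  as marissa:", decide(RULES, "GET", path, MARISSA))        # ALLOW
    print("POST as marissa:", decide(RULES, "POST", path, MARISSA))       # NO_RULE
    print("POST (hardened):", decide(HARDENED_RULES, "POST", path, MARISSA))  # DENY
    print("GET  no user   :", decide(RULES, "GET", path, NO_USER))        # DENY
```

The point of the NO_RULE outcome is the caveat a reviewer of this configuration would raise: a rule qualified with method="GET" says nothing about POST, and in Spring Security's namespace configuration a request that matches no intercept-url is by default passed through rather than denied, so a method-scoped rule normally needs a companion rule covering the remaining methods. That is a general property of method-scoped rules; the report itself shows the GET side failing, and this model does not explain that failure.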


People

• Assignee: david_syer Dave Syer
• Reporter: jrod John Rodriguez
• Votes: 0
• Watchers: 4