Thursday, August 23, 2012

Spring security expressions not working with OAUTH2

When using spring security OAUTH2 in a client app, you will normally define an access decision manager like this:


That is needed to add the OAUTH2 scope voter to the auth decision process. Well, that is going to mess with the element if you're using it and have use-expressions="true". 

So even if you have:

your expressions will not work. You will get a stack trace like the following:

java.lang.IllegalArgumentException: Unsupported configuration attributes: [hasRole('ROLE_USER'), permitAll]...

That's because of the above custom definition of the accessDecisionManager bean. You need to switch the RoleVoter definition in the accessDecisionManager for a WebExpressionVoter in order for the web expressions to become available, just like this:


Here you go,
Enjoy Spring Security (with OAUTH2) as before.


9 comments:

ngjweb said...

Thank you very much !, I spent a lot of time to find this as I am a Oauth newbie.

am2605 said...

Thank you!

Anonymous said...

Fantistic. Thanks!

Chris Hansen said...

Thanks for the post. One thing to add:
If you plan to use any of the oauth2 expressions like oauth2.hasScope or oauth2.clientHasRole you'll also need to configure the web expression handler as a property of the voter. For example (apologies for formatting):

<bean class="org.springframework.security.web.access.expression.WebExpressionVoter">
<property name="expressionHandler" ref="oauthWebExpressionHandler" />
</bean>

Anonymous said...

Thank you very much !

Puneet Dwivedi said...

Very helpful. Thanks for post

Himansu Rath said...

Thanks a lot

Richard said...

You just saved my bacon

Anonymous said...

i love you so much! thank you !!!