
What does resourceId mean in OAuth 2.0 with Spring Security

OAuth2ProtectedResourceFilter in org.springframework.security.oauth2.provider.filter:

Collection<String> resourceIds = auth.getClientAuthentication().getResourceIds();
if (resourceIds!=null && !resourceIds.isEmpty() && !resourceIds.contains(resourceId)) {
    throw new InvalidTokenException("Invalid token does not contain resource id ("+resourceId+"): " + token);                   
}

I think it is not useful. What does this code check for?

user1110977 asked Dec 22 '11 02:12


1 Answer

Based on what I've gathered, it is the id of the resource service.

It becomes more clear when you consider separating your OAuth token provider servlet and your resource servers for the purpose of API versioning. For example, say Client A (cA) has access to api1 and Client B (cB) has access to api2. You enforce this access by dictating in your resource server XML for api1 that its resource-id=api1 and then configure your client details for cA so that they have resourceIds="api1", and likewise for [cB, api2].

This lets us protect API access and keep its protection declaration separate from, say, our client roles declaration.

Steven Francolla answered Sep 22 '22 01:09
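The check from the question, applied to the cA/api1 and cB/api2 setup described in the answer. This is an added example in plain Java, not code from the original post or from Spring Security OAuth. `ResourceIdCheckDemo`, `ResourceServer`, `accepts` and the client `cNone` are hypothetical names, and the client table is constructed.

```java
import java.util.*;

// Plain-Java model of the resource-id check quoted in the question.
// All class, method and client names here are hypothetical.
public class ResourceIdCheckDemo {

    /** Stand-in for one resource server configured with a single resource-id. */
    static final class ResourceServer {
        private final String resourceId;

        ResourceServer(String resourceId) { this.resourceId = resourceId; }

        /** Same condition as the filter: reject only when the client's
         *  list is non-empty and does not contain this server's id. */
        boolean accepts(Collection<String> clientResourceIds) {
            if (clientResourceIds != null && !clientResourceIds.isEmpty()
                    && !clientResourceIds.contains(resourceId)) {
                return false; // the filter throws InvalidTokenException here
            }
            return true;
        }
    }

    public static void main(String[] args) {
        // Constructed client details, following the answer's example.
        Map<String, Set<String>> clients = new LinkedHashMap<>();
        clients.put("cA", Set.of("api1"));
        clients.put("cB", Set.of("api2"));
        clients.put("cNone", Set.of()); // constructed: registered with no resourceIds

        List<ResourceServer> servers =
                List.of(new ResourceServer("api1"), new ResourceServer("api2"));

        // Print the decision each resource server makes for each client.
        for (Map.Entry<String, Set<String>> c : clients.entrySet()) {
            for (ResourceServer s : servers) {
                System.out.printf("%-5s -> %s : %s%n", c.getKey(), s.resourceId,
                        s.accepts(c.getValue()) ? "allowed" : "rejected");
            }
        }
    }
}
```

Because the condition requires a non-null, non-empty list before it compares ids, `cNone` is allowed by both servers. When auditing client details, treat a client with no resourceIds as unrestricted by this check rather than as denied.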