I successfully configured spring-security-oauth2 so that external apps can authenticate with my application. However based on the external app and based on what the user all
Spring OAuth ships with the OAuth2MethodSecurityExpressionHandler, a class that adds the ability to do such checks using the @PreAuthorize expressions. All you need to do is register this class, e.g. like this if you are using Java config:
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.expression.method.MethodSecurityExpressionHandler;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.method.configuration.GlobalMethodSecurityConfiguration;
import org.springframework.security.oauth2.provider.expression.OAuth2MethodSecurityExpressionHandler;

@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class MethodSecurityConfig extends GlobalMethodSecurityConfiguration {
    // Replace the default handler so that #oauth2.* expressions work in @PreAuthorize
    @Override
    protected MethodSecurityExpressionHandler createExpressionHandler() {
        return new OAuth2MethodSecurityExpressionHandler();
    }
}
Now you can simply use:
@PreAuthorize("#oauth2.hasScope('requiredScope')")
to secure your request methods. To see which further methods are available besides hasScope, check the class OAuth2SecurityExpressionMethods.
The downside is that OAuth2MethodSecurityExpressionHandler extends the DefaultMethodSecurityExpressionHandler and thus you cannot combine it with other classes that also extend this class.
As an alternative you could also map OAuth scopes to classic user roles.
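An added worked example, not part of the original answer, showing the handler registered together with a service whose methods combine OAuth scope checks with the ordinary Spring Security role checks that were available before. The service, its method names, and the scope and role names ('read', 'write', ROLE_USER, ROLE_TRUSTED_CLIENT) are assumptions chosen for illustration; the #oauth2 methods used (hasScope, isUser, isClient, clientHasRole) are those of OAuth2SecurityExpressionMethods.

```java
import java.util.Arrays;
import java.util.List;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.expression.method.MethodSecurityExpressionHandler;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.method.configuration.GlobalMethodSecurityConfiguration;
import org.springframework.security.oauth2.provider.expression.OAuth2MethodSecurityExpressionHandler;
import org.springframework.stereotype.Service;

// Registers the OAuth2-aware expression handler so #oauth2.* is available
// inside @PreAuthorize (same registration as in the answer above).
@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
class MethodSecurityConfig extends GlobalMethodSecurityConfiguration {
    @Override
    protected MethodSecurityExpressionHandler createExpressionHandler() {
        return new OAuth2MethodSecurityExpressionHandler();
    }
}

// Hypothetical service: the scope names and role names below are assumptions
// for this example, not something the question or Spring defines.
@Service
public class PhotoService {

    // Any token that was granted the 'read' scope may list photos, whether the
    // token was issued on behalf of a user (authorization_code, password grant)
    // or to a client acting alone (client_credentials grant).
    @PreAuthorize("#oauth2.hasScope('read')")
    public List<String> listPhotos() {
        return Arrays.asList("a.jpg", "b.jpg");
    }

    // Deleting requires all three: a user-approved token (#oauth2.isUser()
    // rejects client_credentials tokens), the 'write' scope granted on that
    // token, and the user behind the token holding ROLE_USER. hasRole is the
    // plain Spring Security check; hasScope narrows it to what the user
    // actually consented to for this particular external app.
    @PreAuthorize("#oauth2.isUser() and #oauth2.hasScope('write') and hasRole('ROLE_USER')")
    public void deletePhoto(String id) {
        // ... delete the photo ...
    }

    // Administrative operation only a specially registered client may call on
    // its own behalf: no user may be involved, and the client's own authorities
    // (assigned when the client was registered) must include ROLE_TRUSTED_CLIENT.
    @PreAuthorize("#oauth2.isClient() and #oauth2.clientHasRole('ROLE_TRUSTED_CLIENT')")
    public void purgeAll() {
        // ... purge everything ...
    }
}
```

hasScope looks at the scopes actually granted on the token, so a client that requested 'write' but whose user only approved 'read' is refused on deletePhoto even if that user holds ROLE_USER. hasRole consults the authorities of the OAuth2Authentication, which are the user's authorities for a user token and the client's registered authorities for a client-only token; combining the two expressions is what lets you differentiate both by external app and by user, as the question asks.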