API now bound to USER for read, ADMIN for write, addresses #267

pull/306/merge
Justin Richer 2013-03-05 17:45:33 -05:00
parent 1daf5bd357
commit c9bdba3f3a
4 changed files with 16 additions and 7 deletions


@ -25,6 +25,7 @@ import com.google.gson.Gson;
*/
@Controller
@RequestMapping("/api/scopes")
@PreAuthorize("hasRole('ROLE_USER')")
public class ScopeAPI {
@ -92,6 +93,7 @@ public class ScopeAPI {
}
}
@PreAuthorize("hasRole('ROLE_ADMIN')")
@RequestMapping(value = "", method = RequestMethod.POST, produces = "application/json", consumes = "application/json")
public String createScope(@RequestBody String json, ModelMap m) {
SystemScope scope = gson.fromJson(json, SystemScope.class);
@ -111,6 +113,7 @@ public class ScopeAPI {
}
}
@PreAuthorize("hasRole('ROLE_ADMIN')")
@RequestMapping(value = "/{id}", method = RequestMethod.DELETE)
public String deleteScope(@PathVariable("id") Long id, ModelMap m) {
SystemScope existing = scopeService.getById(id);
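Review bot: The method-level `@PreAuthorize("hasRole('ROLE_ADMIN')")` on createScope and deleteScope replaces rather than narrows the new class-level `hasRole('ROLE_USER')`, so the read/write split holds only for handlers that carry their own annotation; any other mutating handler in ScopeAPI (an update/PUT method is not visible in these hunks) would stay at the class-level ROLE_USER. The same pattern is applied in ClientAPI and WhitelistAPI in this commit. Whether an admin who lacks ROLE_USER can still reach the read handlers depends on the role hierarchy in the security configuration, which this commit does not show. A short comment on the class annotation, `// Method-level @PreAuthorize overrides this default; every mutating handler must declare ROLE_ADMIN explicitly.`, would keep the next handler from silently inheriting read-level access. The bodies of createScope and deleteScope continue outside the hunks.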


@ -54,7 +54,7 @@ import com.google.gson.JsonParser;
@Controller
@RequestMapping("/api/clients")
@PreAuthorize("hasRole('ROLE_ADMIN')")
@PreAuthorize("hasRole('ROLE_USER')")
public class ClientAPI {
@Autowired
@ -120,6 +120,7 @@ public class ClientAPI {
* @param principal
* @return
*/
@PreAuthorize("hasRole('ROLE_ADMIN')")
@RequestMapping(method = RequestMethod.POST, consumes = "application/json", produces = "application/json")
public String apiAddClient(@RequestBody String jsonString, Model m, Authentication auth) {
@ -160,6 +161,7 @@ public class ClientAPI {
* @param principal
* @return
*/
@PreAuthorize("hasRole('ROLE_ADMIN')")
@RequestMapping(value="/{id}", method = RequestMethod.PUT, consumes = "application/json", produces = "application/json")
public String apiUpdateClient(@PathVariable("id") Long id, @RequestBody String jsonString, Model m, Authentication auth) {
@ -204,6 +206,7 @@ public class ClientAPI {
* @param modelAndView
* @return
*/
@PreAuthorize("hasRole('ROLE_ADMIN')")
@RequestMapping(value="/{id}", method=RequestMethod.DELETE)
public String apiDeleteClient(@PathVariable("id") Long id, ModelAndView modelAndView) {
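Review bot: Lowering the class-level check from ROLE_ADMIN to ROLE_USER in the first hunk also opens every unannotated handler in ClientAPI, including the GET and listing handlers that are not in these hunks, to any authenticated user; if those handlers serialize the full client entity, the registered client secret becomes readable by non-admins, which is a wider exposure than the previous all-ADMIN policy. Whether that is acceptable depends on what the read handlers return, which the commit does not show, so it is worth confirming that the GET paths either keep ROLE_ADMIN or return a view without the secret. The add, update and delete hunks themselves are consistent with the stated intent. The bodies of apiAddClient, apiUpdateClient and apiDeleteClient continue outside the hunks.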


@ -28,7 +28,7 @@ import com.google.gson.JsonParser;
*/
@Controller
@RequestMapping("/api/whitelist")
@PreAuthorize("hasRole('ROLE_ADMIN')")
@PreAuthorize("hasRole('ROLE_USER')")
public class WhitelistAPI {
@Autowired
@ -59,6 +59,7 @@ public class WhitelistAPI {
* @param p
* @return
*/
@PreAuthorize("hasRole('ROLE_ADMIN')")
@RequestMapping(method = RequestMethod.POST, consumes = "application/json", produces = "application/json")
public String addNewWhitelistedSite(@RequestBody String jsonString, ModelMap m, Principal p) {
@ -80,6 +81,7 @@ public class WhitelistAPI {
/**
* Update an existing whitelisted site
*/
@PreAuthorize("hasRole('ROLE_ADMIN')")
@RequestMapping(value="/{id}", method = RequestMethod.PUT, consumes = "application/json", produces = "application/json")
public String updateWhitelistedSite(@PathVariable("id") Long id, @RequestBody String jsonString, ModelMap m, Principal p) {
@ -106,6 +108,7 @@ public class WhitelistAPI {
* Delete a whitelisted site
*
*/
@PreAuthorize("hasRole('ROLE_ADMIN')")
@RequestMapping(value="/{id}", method = RequestMethod.DELETE)
public String deleteWhitelistedSite(@PathVariable("id") Long id, ModelMap m) {
WhitelistedSite whitelist = whitelistService.getById(id);


@ -258,19 +258,19 @@
<div class="control-group" id="tokenEndpointAuthMethod">
<label class="control-label"><span class="label label-default nyi"><i class="icon-road icon-white"></i> NYI </span> Token Endpoint Authentication Method</label>
<div class="controls">
<label class="radio inline">
<label class="radio">
<input type="radio" name="tokenEndpointAuthMethod" value="SECRET_BASIC" <%=(tokenEndpointAuthMethod == 'SECRET_BASIC' ? 'checked' : '')%>> Client Secret over HTTP Basic
</label>
<label class="radio inline">
<label class="radio">
<input type="radio" name="tokenEndpointAuthMethod" value="SECRET_POST" <%=(tokenEndpointAuthMethod == 'SECRET_POST' ? 'checked' : '')%>> Client Secret over HTTP POST
</label>
<label class="radio inline">
<label class="radio">
<input type="radio" name="tokenEndpointAuthMethod" value="SECRET_JWT" <%=(tokenEndpointAuthMethod == 'SECRET_JWT' ? 'checked' : '')%>> Client Secret via symmetrically-signed JWT assertion
</label>
<label class="radio inline">
<label class="radio">
<input type="radio" name="tokenEndpointAuthMethod" value="PRIVATE_KEY_JWT" <%=(tokenEndpointAuthMethod == 'PRIVATE_KEY_JWT' ? 'checked' : '')%>> Asymmetrically-signed JWT assertion
</label>
<label class="radio inline">
<label class="radio">
<input type="radio" name="tokenEndpointAuthMethod" value="NONE" <%=(tokenEndpointAuthMethod == 'NONE' ? 'checked' : '')%>> No authentication
</label>
</div>