diff --git a/openid-connect-common/src/main/java/org/mitre/uma/service/PermissionService.java b/openid-connect-common/src/main/java/org/mitre/uma/service/PermissionService.java index 5e6afec17..1f0b9ac4b 100644 --- a/openid-connect-common/src/main/java/org/mitre/uma/service/PermissionService.java +++ b/openid-connect-common/src/main/java/org/mitre/uma/service/PermissionService.java @@ -21,6 +21,7 @@ import java.util.Set; import org.mitre.uma.model.Permission; import org.mitre.uma.model.ResourceSet; +import org.springframework.security.oauth2.common.exceptions.InsufficientScopeException; /** @@ -33,6 +34,7 @@ public interface PermissionService { * @param resourceSet the resource set to create the permission on * @param scopes the set of scopes that this permission is for * @return the created (and stored) permission object, with ticket + * @throws InsufficientScopeException if the scopes in scopes don't match those in resourceSet.getScopes */ public Permission create(ResourceSet resourceSet, Set scopes); diff --git a/openid-connect-server/src/main/java/org/mitre/uma/service/impl/DefaultPermissionService.java b/openid-connect-server/src/main/java/org/mitre/uma/service/impl/DefaultPermissionService.java index e8e6d4f67..0fd2fc7ac 100644 --- a/openid-connect-server/src/main/java/org/mitre/uma/service/impl/DefaultPermissionService.java +++ b/openid-connect-server/src/main/java/org/mitre/uma/service/impl/DefaultPermissionService.java @@ -20,11 +20,13 @@ package org.mitre.uma.service.impl; import java.util.Set; import java.util.UUID; +import org.mitre.oauth2.service.SystemScopeService; import org.mitre.uma.model.Permission; import org.mitre.uma.model.ResourceSet; import org.mitre.uma.repository.PermissionRepository; import org.mitre.uma.service.PermissionService; import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.security.oauth2.common.exceptions.InsufficientScopeException; import org.springframework.stereotype.Service; /** @@ -37,11 +39,21 @@ public class DefaultPermissionService implements PermissionService { @Autowired private PermissionRepository repository; + @Autowired + private SystemScopeService scopeService; + /* (non-Javadoc) * @see org.mitre.uma.service.PermissionService#create(org.mitre.uma.model.ResourceSet, java.util.Set) */ @Override public Permission create(ResourceSet resourceSet, Set scopes) { + + // check to ensure that the scopes requested are a subset of those in the resource set + + if (!scopeService.scopesMatch(resourceSet.getScopes(), scopes)) { + throw new InsufficientScopeException("Scopes of resource set are not enough for requested permission."); + } + Permission p = new Permission(); p.setResourceSet(resourceSet); p.setScopes(scopes);