s4sdk

How to implement security in spring boot if we use scopes with attributes


I use scopes with attributes as described here. Do you know how to implement the security configuration in a Spring Boot app so that only the data corresponding to the scope attribute is served?


Solution

  • I think there are two approaches you can use to accomplish this result, depending on your concrete requirements. However, first of all, there is no such thing as a parametrized scope in XSUAA.

    1. It is possible to model additional attributes into the role templates of XSUAA, for example a Country attribute like this in xs-security.json (the scope referenced by the role template must itself be declared under "scopes"; "<xsappname>" is a placeholder for your application name):

      {
        "xsappname": "<xsappname>",
        "scopes": [
        {
          "name": "$XSAPPNAME.ViewAddresses",
          "description": "View business addresses"
        }],
        "attributes": [
        {
          "name" : "Country",
          "description" : "Country parameter for the Role",
          "valueType" : "string"
        }],
        "role-templates": [
        {
          "name": "BusinessPartnerViewer",
          "description": "Role to view business addresses",
          "scope-references" : [
            "$XSAPPNAME.ViewAddresses"
          ],
          "attribute-references": [
            "Country"
          ]
        }]
      }


    Then you need to recreate your XSUAA instance in Cloud Foundry with cf create-service xsuaa application <serviceinstance> -c xs-security.json. Note: you cannot update the binding if you previously had other role template definitions.

    Based on this, a subscriber of the application may instantiate roles at runtime providing an attribute along with the OAuth scope.

    This approach has the downside that the consumer of the application may have to create many roles depending on the possible permutations of scopes and attributes.

    2. Of course, you can always consider implementing your own approach if the first one is not sufficient. In this case, your application has to model and resolve the dependencies itself depending on the user context, i.e., you create a database table that maps users to scopes and/or additional attributes and then look up those properties at runtime based on the information in the JSON Web Token.
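To make the first approach concrete on the Spring Boot side, here is an added example that is not part of the answer above and not SAP's or the SAP Cloud SDK's own code. It assumes Spring Boot 3 with Spring Security's OAuth2 resource-server support already configured, so that the XSUAA bearer token arrives as a validated `Jwt`; it relies on two facts about XSUAA tokens: scopes appear in the `scope` claim as `<xsappname>.<scope>` strings, and role attributes appear in the `xs.user.attributes` claim as a map from attribute name to a list of values. The application name `bpviewer!t1234`, the `Address` entity and the `AddressRepository` are hypothetical placeholders.

```java
package com.example.addresses;

import java.util.Collections;
import java.util.List;
import java.util.Map;

import jakarta.persistence.Entity;
import jakarta.persistence.GeneratedValue;
import jakarta.persistence.Id;
import org.springframework.data.jpa.repository.JpaRepository;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.security.core.annotation.AuthenticationPrincipal;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

/**
 * Added example, not from the original post: serves only the addresses whose
 * country is listed in the caller's "Country" role attribute.
 */
@RestController
public class AddressController {

    // Hypothetical xsappname; XSUAA prefixes every scope with "<xsappname>.".
    private static final String XSAPPNAME = "bpviewer!t1234";
    private static final String VIEW_SCOPE = XSAPPNAME + ".ViewAddresses";

    private final AddressRepository repository;

    public AddressController(AddressRepository repository) {
        this.repository = repository;
    }

    @GetMapping("/addresses")
    public ResponseEntity<List<Address>> addresses(@AuthenticationPrincipal Jwt jwt) {
        // 1. Scope check: without ViewAddresses the caller gets 403, whatever attributes it carries.
        List<String> scopes = jwt.getClaimAsStringList("scope");
        if (scopes == null || !scopes.contains(VIEW_SCOPE)) {
            return ResponseEntity.status(HttpStatus.FORBIDDEN).build();
        }
        // 2. Attribute check: the Country values the subscriber put into the role instance.
        List<String> countries = countriesFrom(jwt);
        if (countries.isEmpty()) {
            // A role instantiated without a Country value grants no rows: fail closed, not open.
            return ResponseEntity.ok(Collections.emptyList());
        }
        // 3. Filtering is done in the query from token data only; nothing from the request
        //    body or query string can widen the result set.
        return ResponseEntity.ok(repository.findByCountryIn(countries));
    }

    /** Reads the "Country" attribute list out of the xs.user.attributes claim. */
    @SuppressWarnings("unchecked")
    static List<String> countriesFrom(Jwt jwt) {
        Map<String, Object> attributes = jwt.getClaimAsMap("xs.user.attributes");
        if (attributes == null) {
            return Collections.emptyList();
        }
        Object raw = attributes.get("Country");
        return raw instanceof List ? (List<String>) raw : Collections.emptyList();
    }
}

/** Hypothetical Spring Data repository; the query is derived from the method name. */
interface AddressRepository extends JpaRepository<Address, Long> {
    List<Address> findByCountryIn(List<String> countries);
}

/** Hypothetical entity holding the data to be filtered by country. */
@Entity
class Address {
    @Id @GeneratedValue Long id;
    String country;
    String street;
}
```

For the second approach in the answer, `countriesFrom` is the only piece that changes: instead of reading `xs.user.attributes`, look the permitted countries up in your own table keyed by the token's user identity (for XSUAA, the `user_name` together with the tenant `zid` claim), and keep the scope check and the query-side filtering exactly as above.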