java - OAuth2 / Password flow / check permission for a specific entity
The main data in the API is linked to a project (entity). With the password flow, how can I manage a specific permission linked to a project with Spring Security and OAuth2?
In my application I have 5 microservices:
- UAA microservice: authorization server
- catalog microservice
- order microservice
- invoice microservice
- customer microservice
Zoom on permissions:
Each user can have many projects, and can have permissions on each project:
- can_manage_catalog
- can_view_catalog
- can_manage_order
- can_view_order
- can_manage_invoice
- can_view_invoice
- ...
I have several ideas but I'm not sure which approach to take.
Use case: I want to secure the endpoint:
http://catalog-service/{project_key}/catalogs
Only a user who has the permission view_catalog or manage_catalog on project {project_key} can list the catalogs present in that project.
My first idea: use a ProjectAccessExpression bean with @PreAuthorize
CatalogController.java
@Controller
public class CatalogController {

    private final CatalogService catalogService;

    public CatalogController(CatalogService catalogService) {
        this.catalogService = catalogService;
    }

    // The SpEL call must use the same method name as the bean (hasPermission).
    // authentication.name is the username String; 'principal' is usually a
    // UserDetails object and would not bind cleanly to a String parameter.
    @PreAuthorize("@projectAccessExpression.hasPermission(#projectKey, 'manageCatalog', authentication.name)"
            + " or @projectAccessExpression.hasPermission(#projectKey, 'viewCatalog', authentication.name)")
    @RequestMapping(value = "/{projectKey}/catalogs", method = RequestMethod.GET,
            produces = MediaType.APPLICATION_JSON_VALUE)
    public @ResponseBody List<Catalog> findByProject(@PathVariable("projectKey") String projectKey) {
        return catalogService.find();
    }
}
ProjectAccessExpression.java
@Component
public class ProjectAccessExpression {

    private final RestTemplate restTemplate;

    public ProjectAccessExpression(RestTemplate restTemplate) {
        this.restTemplate = restTemplate;
    }

    // Renamed from havePermission so it matches the SpEL expression in the controller.
    public boolean hasPermission(String projectKey, String permission, String username) {
        // "%1", "%2", "%3" are not valid String.format specifiers. Using RestTemplate's
        // URI template variables instead also URL-encodes the values, so a username or
        // project key containing '&' or '=' cannot alter the query string.
        Boolean hasPermission = restTemplate.getForObject(
                "http://uaa-service/permission/check?project={project}&permission={permission}&username={username}",
                Boolean.class, projectKey, permission, username);
        return Boolean.TRUE.equals(hasPermission);
    }
}
The drawback: I need to call the UAA service on every request.
Second idea: use user_role
With a user_role table:
- username | role
- mylogin1 | shop1.can_manage_catalog
- mylogin1 | shop1.can_view_catalog
- mylogin1 | shop2.can_manage_catalog
- mylogin1 | shop2.can_view_catalog
- mylogin1 | shop2.can_manage_order
- mylogin1 | shop2.can_view_order
- ...
(shop1 and shop2 are project keys)
The drawback: I'm not sure what to do if a user's permissions change; I would need to revoke the associated token.
Third idea: add the specific permissions to the authentication blob
I don't know how to store them...
And in the controller annotation:
@PreAuthorize("@projectAccessExpression.hasPermission(authentication, 'manageCatalog||viewCatalog', #projectKey)")
The drawback: the same drawback as the second idea.
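The third idea made concrete, as an added example that is not the asker's code: the per-project permissions are carried in the Authentication as granted authorities named `<projectKey>.<permission>` (the same shape as the user_role rows above), and the `@PreAuthorize` bean checks them locally, so no call to the UAA service is needed. The bean name `projectAccessExpression`, the method `hasAnyPermission`, the `CatalogService` interface and the sample authorities are assumptions.

```java
// Added example (not the asker's code). Assumes the token decoder on each
// resource service turns the user's project permissions into authorities such
// as "shop1.can_view_catalog"; the main method constructs such an Authentication.
import java.util.List;
import java.util.Set;

import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.stereotype.Component;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RestController;

@Component("projectAccessExpression")
public class ProjectAccessExpression {

    /** True if the authenticated user holds at least one of the permissions on the project. */
    public boolean hasAnyPermission(Authentication authentication, String projectKey, String... permissions) {
        if (authentication == null || !authentication.isAuthenticated()
                || projectKey == null || projectKey.isEmpty()) {
            return false;
        }
        // '.' separates project key from permission; a key containing '.' could
        // otherwise be crafted to match an authority of a different project.
        if (projectKey.indexOf('.') >= 0) {
            return false;
        }
        Set<String> granted = AuthorityUtils.authorityListToSet(authentication.getAuthorities());
        for (String permission : permissions) {
            if (granted.contains(projectKey + "." + permission)) {
                return true;
            }
        }
        return false;
    }

    // Stand-alone demo with a constructed Authentication (sample data, not a real user).
    public static void main(String[] args) {
        Authentication mylogin1 = new UsernamePasswordAuthenticationToken(
                "mylogin1", null,
                AuthorityUtils.createAuthorityList(
                        "shop1.can_manage_catalog", "shop1.can_view_catalog",
                        "shop2.can_view_catalog", "shop2.can_view_order"));
        ProjectAccessExpression expr = new ProjectAccessExpression();
        System.out.println("shop1 catalog: "
                + expr.hasAnyPermission(mylogin1, "shop1", "can_manage_catalog", "can_view_catalog"));
        System.out.println("shop2 order management: "
                + expr.hasAnyPermission(mylogin1, "shop2", "can_manage_order"));
        System.out.println("shop3 catalog: "
                + expr.hasAnyPermission(mylogin1, "shop3", "can_manage_catalog", "can_view_catalog"));
    }
}

// Assumed service interface of the catalog microservice (not from the question).
interface CatalogService {
    List<String> findByProject(String projectKey);
}

@RestController
class CatalogController {

    private final CatalogService catalogService;

    CatalogController(CatalogService catalogService) {
        this.catalogService = catalogService;
    }

    // 'authentication' is the current Authentication in the SpEL context;
    // #projectKey is the path variable, so the check is scoped to that project only.
    @PreAuthorize("@projectAccessExpression.hasAnyPermission(authentication, #projectKey, 'can_manage_catalog', 'can_view_catalog')")
    @GetMapping(value = "/{projectKey}/catalogs", produces = "application/json")
    public List<String> findByProject(@PathVariable("projectKey") String projectKey) {
        return catalogService.findByProject(projectKey);
    }
}
```

The demo shows mylogin1 passing the shop1 catalog check, failing shop2 order management (only view_order is held) and failing shop3 entirely. The drawback the question notes still applies: the authorities are a snapshot taken when the token was issued, so a permission change is only picked up when a new token is obtained; keeping access tokens short-lived and relying on refresh tokens bounds that window without a per-request call to UAA.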
It looks like you are trying to leverage roles in an OAuth 2.0 project. Here is an excerpt from the Spring documentation on OAuth 2.0:
Mapping user roles to scopes: http://projects.spring.io/spring-security-oauth/docs/oauth2.html
It is useful to limit the scope of tokens not just by the scopes assigned to the client, but also according to the user's own permissions. If you use the DefaultOAuth2RequestFactory in your AuthorizationEndpoint you can set a flag checkUserScopes=true to restrict permitted scopes to those that match the user's roles. You can also inject an OAuth2RequestFactory into the TokenEndpoint, but that only works (i.e. with password grants) if you also install a TokenEndpointAuthenticationFilter; you just need to add that filter after the HTTP BasicAuthenticationFilter. Of course, you can also implement your own rules for mapping scopes to roles and install your own version of OAuth2RequestFactory. The AuthorizationServerEndpointsConfigurer allows you to inject a custom OAuth2RequestFactory, so you can use that feature to set up a factory if you use @EnableAuthorizationServer.
It all boils down to being able to protect your endpoints with different scopes and mapping those scopes to your own custom roles. This allows fine-grained security.
I found a pretty good walk-through you can use as a reference (obviously you'll have to configure the settings for your own use case):
https://raymondhlee.wordpress.com/2014/12/21/implementing-oauth2-with-spring-security/
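The scope-narrowing approach from the quoted documentation, as an added example that is neither the answerer's code nor the linked walk-through: the authorization server lets the client request any project scope, but `DefaultOAuth2RequestFactory` with `checkUserScopes=true` keeps only the scopes that match an authority the authenticated user holds (so mylogin1 with authority `shop1.can_view_catalog` gets that scope, and never `shop2.can_manage_order`), and the catalog service then checks the scope with `#oauth2.hasScope`. The client id, secret, scope list, the `AuthenticationManager` bean and the use of `addTokenEndpointAuthenticationFilter` to install the filter for the password grant are assumptions; the resource server must register `OAuth2MethodSecurityExpressionHandler` for the `#oauth2` expressions to resolve.

```java
// Added example, not from the answer or the linked post. Uses the deprecated
// spring-security-oauth2 classes the question and answer are about.
import java.util.Collections;
import java.util.List;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.ClientDetails;
import org.springframework.security.oauth2.provider.client.BaseClientDetails;
import org.springframework.security.oauth2.provider.client.InMemoryClientDetailsService;
import org.springframework.security.oauth2.provider.endpoint.TokenEndpointAuthenticationFilter;
import org.springframework.security.oauth2.provider.request.DefaultOAuth2RequestFactory;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RestController;

@Configuration
@EnableAuthorizationServer
public class UaaAuthorizationServerConfig extends AuthorizationServerConfigurerAdapter {

    private final AuthenticationManager authenticationManager;   // assumed: exposed by the UAA web security config
    private final InMemoryClientDetailsService clientDetailsService = new InMemoryClientDetailsService();
    private final DefaultOAuth2RequestFactory requestFactory;

    public UaaAuthorizationServerConfig(AuthenticationManager authenticationManager) {
        this.authenticationManager = authenticationManager;

        // The client may request every project scope; at token time the factory
        // intersects the request with the authorities of the user being issued the token.
        BaseClientDetails catalogUi = new BaseClientDetails(
                "catalog-ui", "",
                "shop1.can_view_catalog,shop1.can_manage_catalog,"
                        + "shop2.can_view_catalog,shop2.can_manage_catalog,"
                        + "shop2.can_view_order,shop2.can_manage_order",
                "password,refresh_token", "");
        catalogUi.setClientSecret("{noop}catalog-ui-secret");   // placeholder secret
        catalogUi.setAccessTokenValiditySeconds(300);           // short-lived: revoked permissions lapse at refresh
        clientDetailsService.setClientDetailsStore(
                Collections.<String, ClientDetails>singletonMap("catalog-ui", catalogUi));

        // A requested scope is kept only when the user holds an authority of that name.
        requestFactory = new DefaultOAuth2RequestFactory(clientDetailsService);
        requestFactory.setCheckUserScopes(true);
    }

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.withClientDetails(clientDetailsService);
    }

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) {
        endpoints.authenticationManager(authenticationManager)
                 .requestFactory(requestFactory);
    }

    @Override
    public void configure(AuthorizationServerSecurityConfigurer security) {
        // Password grant: the user is authenticated inside the token endpoint, so the
        // scope check needs the user's authorities in the security context first.
        // This filter runs after the client's HTTP Basic authentication (assumed wiring).
        security.addTokenEndpointAuthenticationFilter(
                new TokenEndpointAuthenticationFilter(authenticationManager, requestFactory));
    }
}

// Catalog microservice side (resource server): the token's scopes now encode the
// user's per-project permissions, so the check is local and needs no UAA call.
@RestController
class CatalogController {

    @PreAuthorize("#oauth2.hasScope(#projectKey + '.can_view_catalog')"
            + " or #oauth2.hasScope(#projectKey + '.can_manage_catalog')")
    @GetMapping(value = "/{projectKey}/catalogs", produces = "application/json")
    public List<String> findByProject(@PathVariable("projectKey") String projectKey) {
        return Collections.singletonList("catalog-of-" + projectKey);   // placeholder body
    }
}
```

With this wiring a password-grant request that asks for `scope=shop1.can_view_catalog shop2.can_manage_order` from mylogin1 yields a token carrying only `shop1.can_view_catalog`, because that is the only requested scope matching an authority the user holds; a request to `/shop2/catalogs` with that token is refused at the method-security layer.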