Security profiles for roles cuba-platform/cuba#2428

modules/core/src/com/haulmont/addon/restapi/app.properties

@@ -42,3 +42,5 @@ cuba.localeSelectVisible = false
 
 cuba.trustedClientPassword=MLdWm1Ik4NmM
 
+cuba.securityScopes=+REST
+

modules/global/src/com/haulmont/addon/restapi/app-component.xml

@@ -33,6 +33,7 @@
                   value="+com/haulmont/addon/restapi/spring.xml"/>
         <property name="cuba.remotingSpringContextConfig"
                   value="+com/haulmont/addon/restapi/remoting-spring.xml"/>
+        <property name="cuba.securityScopes" value="+REST"/>
     </module>
 
     <module name="web" dependsOn="global" blocks="web">
@@ -59,6 +60,7 @@
         <property name="cuba.rest.allowedOrigins" value="*"/>
         <property name="cuba.rest.maxUploadSize" value="20971520"/>
         <property name="cuba.rest.responseViewEnabled" value="true"/>
+        <property name="cuba.rest.securityScope" value="REST"/>
     </module>
 
     <module name="portal" dependsOn="global" blocks="portal">
@@ -80,5 +82,6 @@
         <property name="cuba.rest.allowedOrigins" value="*"/>
         <property name="cuba.rest.maxUploadSize" value="20971520"/>
         <property name="cuba.rest.responseViewEnabled" value="true"/>
+        <property name="cuba.rest.securityScope" value="REST"/>
     </module>
 </app-component>

modules/rest-api/src/com/haulmont/addon/restapi/api/auth/ClientProxyTokenStore.java

@@ -242,6 +242,7 @@ protected TrustedClientCredentials createTrustedClientCredentials(String usernam
             credentials.setClientInfo(makeClientInfo(""));
         }
 
+        credentials.setSecurityScope(restApiConfig.getSecurityScope());
         //if locale was not determined then use the user locale
         if (locale == null) {
             credentials.setOverrideLocale(false);

modules/rest-api/src/com/haulmont/addon/restapi/api/auth/CubaUserAuthenticationProvider.java

@@ -111,6 +111,7 @@ public Authentication authenticate(Authentication authentication) throws Authent
                 credentials.setIpAddress(ipAddress);
                 credentials.setClientType(ClientType.REST_API);
                 credentials.setClientInfo(makeClientInfo(request.getHeader(HttpHeaders.USER_AGENT)));
+                credentials.setSecurityScope(restApiConfig.getSecurityScope());
 
                 //if the locale value is explicitly passed in the Accept-Language header then set its value to the
                 //credentials. Otherwise, the locale of the user should be used
@@ -196,6 +197,7 @@ protected TrustedClientCredentials createTrustedCredentials(LoginPasswordCredent
         tcCredentials.setOverrideLocale(credentials.isOverrideLocale());
         tcCredentials.setSyncNewUserSessionReplication(credentials.isSyncNewUserSessionReplication());
         tcCredentials.setSessionAttributes(credentials.getSessionAttributes());
+        tcCredentials.setSecurityScope(restApiConfig.getSecurityScope());
 
         return tcCredentials;
     }

modules/rest-api/src/com/haulmont/addon/restapi/api/auth/ExternalOAuthTokenGranter.java

@@ -63,6 +63,8 @@ public class ExternalOAuthTokenGranter extends AbstractTokenGranter implements O
     protected Configuration configuration;
     @Inject
     protected AuthenticationService authenticationService;
+    @Inject
+    protected RestApiConfig restApiConfig;
 
     protected ExternalOAuthTokenGranter(AuthorizationServerTokenServices tokenServices,
                                         ClientDetailsService clientDetailsService,
@@ -99,6 +101,7 @@ public OAuth2AccessTokenResult issueToken(OAuth2AccessTokenRequest tokenRequest)
             } else {
                 credentials.setClientInfo(makeClientInfo(""));
             }
+            credentials.setSecurityScope(restApiConfig.getSecurityScope());
             credentials.setParams(tokenRequest.getLoginParams());
 
             session = authenticationService.login(credentials).getSession();

modules/rest-api/src/com/haulmont/addon/restapi/api/config/RestApiConfig.java

@@ -21,6 +21,7 @@
 import com.haulmont.cuba.core.config.Source;
 import com.haulmont.cuba.core.config.SourceType;
 import com.haulmont.cuba.core.config.defaults.DefaultBoolean;
+import com.haulmont.cuba.core.config.defaults.DefaultString;
 import com.haulmont.cuba.core.config.type.CommaSeparatedStringListTypeFactory;
 import com.haulmont.cuba.core.config.type.Factory;
 import org.springframework.security.web.util.matcher.RequestMatcher;
@@ -105,4 +106,12 @@ public interface RestApiConfig extends Config {
     @Property("cuba.rest.responseViewEnabled")
     @DefaultBoolean(true)
     boolean getRestResponseViewEnabled();
+
+    /**
+     * Active security scope for a REST client.
+     * Security scope specifies which roles will be loaded for user session
+     */
+    @Property("cuba.rest.securityScope")
+    @DefaultString("REST")
+    String getSecurityScope();
 }

modules/web/src/com/haulmont/addon/restapi/messages.properties

@@ -16,4 +16,5 @@
 
 permission-config.cuba.restApi = REST API
 permission-config.cuba.restApi.enabled = Use REST API
-permission-config.cuba.restApi.fileUpload.enabled=Upload files using REST API
+permission-config.cuba.restApi.fileUpload.enabled=Upload files using REST API
+securityScope_REST=REST

modules/web/src/com/haulmont/addon/restapi/messages_ru.properties

@@ -16,4 +16,5 @@
 
 permission-config.cuba.restApi = REST API
 permission-config.cuba.restApi.enabled = Использование REST API
-permission-config.cuba.restApi.fileUpload.enabled=Загрузка файлов с помощью REST API
+permission-config.cuba.restApi.fileUpload.enabled=Загрузка файлов с помощью REST API
+securityScope_REST=REST