org.keycloak.representations.idm.authorization.Permission Java Examples
The following examples show how to use
org.keycloak.representations.idm.authorization.Permission.
Example #1
Source File: UmaGrantTypeTest.java From keycloak with Apache License 2.0 | 6 votes |
/**
 * Checks the RPT upgrade flow: a second authorization request that carries the previously
 * issued RPT must be flagged as upgraded and must hold the earlier scopes plus the new one.
 */
@Test
public void testObtainRptWithUpgrade() throws Exception {
    // Initial request, no previous RPT supplied.
    AuthorizationResponse firstResponse = authorize("marta", "password", "Resource A", new String[] {"ScopeA", "ScopeB"});
    String rpt = firstResponse.getToken();
    Collection<Permission> initialGrants = toAccessToken(rpt).getAuthorization().getPermissions();

    assertNotNull(initialGrants);
    assertPermissions(initialGrants, "Resource A", "ScopeA", "ScopeB");
    // Presumably assertPermissions removes every entry it matched, so an empty collection here
    // means the token carried no grant beyond the ones asked for.
    assertTrue(initialGrants.isEmpty());

    // Follow-up request passes the first RPT and asks for one more scope.
    AuthorizationResponse upgradeResponse = authorize("marta", "password", "Resource A", new String[] {"ScopeC"}, rpt);
    assertTrue(upgradeResponse.isUpgraded());

    Collection<Permission> upgradedGrants = toAccessToken(upgradeResponse.getToken()).getAuthorization().getPermissions();
    assertNotNull(upgradedGrants);
    assertPermissions(upgradedGrants, "Resource A", "ScopeA", "ScopeB", "ScopeC");
    assertTrue(upgradedGrants.isEmpty());
}
Example #2
Source File: PolicyEnforcer.java From keycloak with Apache License 2.0 | 6 votes |
/**
 * Runs policy enforcement for the request behind {@code facade}.
 *
 * <p>At debug level the request URI, the decision and every permission in the resulting
 * context are written to the log. Those entries describe what a caller is allowed to do, and
 * a URI can carry query parameters, so treat debug output of this class as sensitive.
 *
 * @param facade the HTTP facade of the request being authorized
 * @return the authorization context produced by {@code KeycloakAdapterPolicyEnforcer.authorize}
 */
public AuthorizationContext enforce(OIDCHttpFacade facade) {
    if (LOGGER.isDebugEnabled()) {
        LOGGER.debugv("Policy enforcement is enabled. Enforcing policy decisions for path [{0}].", facade.getRequest().getURI());
    }

    KeycloakAdapterPolicyEnforcer enforcer = new KeycloakAdapterPolicyEnforcer(this);
    AuthorizationContext result = enforcer.authorize(facade);

    if (!LOGGER.isDebugEnabled()) {
        return result;
    }

    // Debug-only trace of the decision and of the permissions that back it.
    LOGGER.debugv("Policy enforcement result for path [{0}] is : {1}", facade.getRequest().getURI(), result.isGranted() ? "GRANTED" : "DENIED");
    LOGGER.debugv("Returning authorization context with permissions:");
    for (Permission granted : result.getPermissions()) {
        LOGGER.debug(granted);
    }
    return result;
}
Example #3
Source File: AbstractPermissionService.java From keycloak with Apache License 2.0 | 6 votes |
/**
 * Creates and encodes a permission ticket for the given permission requests.
 *
 * <p>The requested resources are verified first; the ticket audience is the realm issuer URL.
 * Claims pushed with the individual requests are merged into a single map with
 * {@code putAll}, so when two requests push the same claim name only the values of the later
 * request end up in the ticket.
 *
 * @param request the permission requests sent by the resource server
 * @return the encoded permission ticket
 */
private String createPermissionTicket(List<PermissionRequest> request) {
    List<Permission> verified = verifyRequestedResource(request);
    String issuer = Urls.realmIssuer(
            this.authorization.getKeycloakSession().getContext().getUri().getBaseUri(),
            this.authorization.getRealm().getName());
    PermissionTicketToken ticket = new PermissionTicketToken(verified, issuer, this.identity.getAccessToken());

    Map<String, List<String>> mergedClaims = new HashMap<>();
    for (PermissionRequest single : request) {
        Map<String, List<String>> pushed = single.getClaims();
        if (pushed == null) {
            continue;
        }
        // Same-named claims from an earlier request are replaced, not combined.
        mergedClaims.putAll(pushed);
    }

    // Claims are attached only when at least one request pushed some.
    if (!mergedClaims.isEmpty()) {
        ticket.setClaims(mergedClaims);
    }

    return this.authorization.getKeycloakSession().tokens().encode(ticket);
}
Example #4
Source File: AbstractPolicyEnforcer.java From keycloak with Apache License 2.0 | 6 votes |
/**
 * Decides whether the scopes carried by {@code permission} satisfy the scopes configured for
 * the HTTP method.
 *
 * <p>Decision order, as implemented:
 * <ol>
 *   <li>a permission with no scopes at all is accepted without looking at the required scopes
 *       (NOTE(review): this makes a scopeless grant the broadest one; presumably it stands for
 *       a resource-level grant, confirm against the server side);</li>
 *   <li>mode {@code ALL}: every required scope must be granted;</li>
 *   <li>mode {@code ANY}: one granted required scope is enough;</li>
 *   <li>otherwise (including {@code ANY} with no match) access is accepted only when the
 *       method requires no scope.</li>
 * </ol>
 *
 * @param methodConfig the method configuration holding required scopes and enforcement mode
 * @param permission   the granted permission being checked
 * @return {@code true} if the permission satisfies the method's scope requirements
 */
private boolean hasResourceScopePermission(MethodConfig methodConfig, Permission permission) {
    List<String> requiredScopes = methodConfig.getScopes();
    Set<String> grantedScopes = permission.getScopes();

    if (grantedScopes.isEmpty()) {
        return true;
    }

    PolicyEnforcerConfig.ScopeEnforcementMode mode = methodConfig.getScopesEnforcementMode();

    if (mode == PolicyEnforcerConfig.ScopeEnforcementMode.ALL) {
        return grantedScopes.containsAll(requiredScopes);
    }

    if (mode == PolicyEnforcerConfig.ScopeEnforcementMode.ANY) {
        for (String required : requiredScopes) {
            if (grantedScopes.contains(required)) {
                return true;
            }
        }
    }

    return requiredScopes.isEmpty();
}
Example #5
Source File: AuthorizationContext.java From keycloak with Apache License 2.0 | 6 votes |
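/**
 * Tells whether the authorization token grants {@code scopeName} on at least one resource.
 *
 * <p>The check is not tied to a resource: a match on any permission in the token is enough.
 * The method fails closed: a missing token, a token without authorization data, or
 * authorization data without a permission list all yield {@code false}.
 *
 * @param scopeName the scope to look for
 * @return {@code true} if some permission in the token contains the scope
 */
public boolean hasScopePermission(String scopeName) {
    if (this.authzToken == null) {
        return false;
    }

    Authorization authorization = this.authzToken.getAuthorization();

    // A token may carry authorization data with no permission list; treat that as "nothing
    // granted" instead of failing with a NullPointerException in the loop below.
    if (authorization == null || authorization.getPermissions() == null) {
        return false;
    }

    for (Permission permission : authorization.getPermissions()) {
        if (permission.getScopes().contains(scopeName)) {
            return true;
        }
    }

    return false;
}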
Example #6
Source File: ProtectedResource.java From quarkus with Apache License 2.0 | 6 votes |
/**
 * Checks whether the current identity holds the scope named by the {@code scope} query
 * parameter and, if so, returns the identity's permissions.
 *
 * <p>The scope value comes straight from the request. On success the response is the whole
 * {@code "permissions"} attribute of the identity, not only the entry for the requested scope.
 *
 * @param scope the scope name supplied by the caller
 * @return the identity's permissions; the pipeline fails with {@code ForbiddenException} when
 *         the check is not granted
 */
@GET
@Path("/scope")
@Produces(MediaType.APPLICATION_JSON)
public Uni<List<Permission>> hasScopePermission(@QueryParam("scope") String scope) {
    // The requested scope travels as the "actions" of the permission handed to the identity.
    BasicPermission requested = new BasicPermission("Scope Permission Resource") {
        @Override
        public String getActions() {
            return scope;
        }
    };

    Function<Boolean, List<Permission>> permissionsIfGranted = new Function<Boolean, List<Permission>>() {
        @Override
        public List<Permission> apply(Boolean granted) {
            if (!granted) {
                throw new ForbiddenException();
            }
            return identity.getAttribute("permissions");
        }
    };

    return identity.checkPermission(requested).onItem().apply(permissionsIfGranted);
}
Example #7
Source File: RptStore.java From devconf2019-authz with Apache License 2.0 | 6 votes |
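/**
 * Tells whether the given RPT grants access to a resource, optionally for a specific scope.
 *
 * <p>The resource is matched case-insensitively against both the permission's resource name
 * and its resource id, so two resources whose names differ only in case are not told apart
 * here. The method fails closed: a missing token, missing authorization data, a missing
 * permission list or a {@code null} resource name all yield {@code false}.
 *
 * @param rpt          the requesting party token, may be {@code null}
 * @param resourceName the resource name or id to look for
 * @param scopeName    the scope that must be granted, or {@code null} to accept any grant on
 *                     the resource
 * @return {@code true} if a matching permission is present in the token
 */
public boolean hasPermission(AccessToken rpt, String resourceName, String scopeName) {
    if (rpt == null || rpt.getAuthorization() == null) {
        return false;
    }

    AccessToken.Authorization authorization = rpt.getAuthorization();

    // Deny instead of throwing when there is nothing to compare against.
    if (resourceName == null || authorization.getPermissions() == null) {
        return false;
    }

    for (Permission permission : authorization.getPermissions()) {
        boolean sameResource = resourceName.equalsIgnoreCase(permission.getResourceName())
                || resourceName.equalsIgnoreCase(permission.getResourceId());

        if (sameResource && (scopeName == null || permission.getScopes().contains(scopeName))) {
            return true;
        }
    }

    return false;
}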
Example #8
Source File: AbstractPolicyEnforcer.java From keycloak with Apache License 2.0 | 6 votes |
/**
 * Checks the claims presented with the request against the claims bound to a granted
 * permission.
 *
 * <p>A permission without claims accepts any request. Otherwise the request must present a
 * non-empty value list for every claim name of the permission, and each presented value must
 * be among the values the permission was granted with.
 *
 * @param permission the granted permission
 * @param claims     the claims presented with the current request
 * @return {@code true} if the presented claims are covered by the permission's claims
 */
private boolean hasValidClaims(Permission permission, Map<String, List<String>> claims) {
    Map<String, Set<String>> grantedClaims = permission.getClaims();

    if (grantedClaims == null) {
        return true;
    }

    // The permission is bound to claims, so a request that presents none cannot satisfy it.
    if (claims.isEmpty()) {
        return false;
    }

    for (Entry<String, Set<String>> granted : grantedClaims.entrySet()) {
        List<String> presented = claims.get(granted.getKey());
        boolean nothingPresented = presented == null || presented.isEmpty();

        if (nothingPresented || !granted.getValue().containsAll(presented)) {
            return false;
        }
    }

    return true;
}
Example #9
Source File: AuthorizationTokenService.java From keycloak with Apache License 2.0 | 6 votes |
/**
 * Tells whether {@code authorization} is an upgrade of the RPT sent with the request.
 *
 * <p>Without a previous RPT the answer is {@code false}. With one, the answer is {@code true}
 * unless some permission of the previous RPT is not contained in the new authorization; a
 * previous RPT that carries no authorization data or no permission list therefore also counts
 * as upgraded. Containment is decided by {@code Collection.contains}, i.e. by
 * {@code Permission.equals}.
 *
 * @param request       the authorization request, possibly carrying a previous RPT
 * @param authorization the newly computed authorization data
 * @return {@code true} if the new authorization covers everything the previous RPT held
 */
private boolean isUpgraded(AuthorizationRequest request, Authorization authorization) {
    AccessToken previousRpt = request.getRpt();
    if (previousRpt == null) {
        return false;
    }

    Authorization previousAuthorization = previousRpt.getAuthorization();
    if (previousAuthorization == null) {
        return true;
    }

    Collection<Permission> previousPermissions = previousAuthorization.getPermissions();
    if (previousPermissions == null) {
        return true;
    }

    for (Permission carriedOver : previousPermissions) {
        if (!authorization.getPermissions().contains(carriedOver)) {
            return false;
        }
    }

    return true;
}
Example #10
Source File: DecisionPermissionCollector.java From keycloak with Apache License 2.0 | 6 votes |
/**
 * Adds the permission(s) resulting from a granted evaluation to {@code permissions}.
 *
 * <p>When the evaluated permission names a resource, one permission for that resource is
 * added. When it names none but scopes were granted, the resource store is queried by scope
 * and one permission is added per resource found; if the list is still empty afterwards a
 * single resource-less permission is added. The {@code result} parameter is not used here.
 *
 * @param authorizationProvider provider giving access to the resource store
 * @param permissions           output list receiving the granted permissions
 * @param permission            the evaluated resource permission
 * @param grantedScopes         scopes granted by the evaluation
 * @param resourceServer        the resource server the evaluation ran for
 * @param request               the authorization request
 * @param result                the evaluation result (unused)
 */
protected void grantPermission(AuthorizationProvider authorizationProvider, List<Permission> permissions, ResourcePermission permission, Collection<Scope> grantedScopes, ResourceServer resourceServer, AuthorizationRequest request, Result result) {
    Set<String> scopeNames = grantedScopes.stream().map(Scope::getName).collect(Collectors.toSet());
    Resource resource = permission.getResource();

    if (resource != null) {
        permissions.add(createPermission(resource, scopeNames, permission.getClaims(), request));
        return;
    }

    if (grantedScopes.isEmpty()) {
        return;
    }

    ResourceStore resourceStore = authorizationProvider.getStoreFactory().getResourceStore();

    // NOTE(review): the callback receives each resource found for the scopes but passes the
    // outer `resource`, which is null on this path, to createPermission. Every permission
    // added here is therefore resource-less. Confirm whether the found resource was meant.
    resourceStore.findByScope(
            grantedScopes.stream().map(Scope::getId).collect(Collectors.toList()),
            resourceServer.getId(),
            found -> permissions.add(createPermission(resource, scopeNames, permission.getClaims(), request)));

    // The emptiness test covers the whole output list, including entries added by earlier calls.
    if (permissions.isEmpty()) {
        permissions.add(createPermission(null, scopeNames, permission.getClaims(), request));
    }
}
Example #11
Source File: PolicyEnforcerTest.java From keycloak with Apache License 2.0 | 6 votes |
/**
 * Checks that a claim resolved by a custom claim information provider shows up on the
 * permission granted by the policy enforcer.
 */
@Test
public void testCustomClaimProvider() {
    KeycloakDeployment deployment = KeycloakDeploymentBuilder.build(getAdapterConfiguration("enforcer-bearer-only-with-cip.json"));
    PolicyEnforcer enforcer = deployment.getPolicyEnforcer();

    // Log in as the test user and trade the authorization code for an access token.
    oauth.realm(REALM_NAME);
    oauth.clientId("public-client-test");
    oauth.doLogin("marta", "password");
    String code = oauth.getCurrentQuery().get(OAuth2Constants.CODE);
    String token = oauth.doAccessTokenRequest(code, null).getAccessToken();

    AuthorizationContext context = enforcer.enforce(createHttpFacade("/api/resourcea", token));
    Map<String, Set<String>> claims = context.getPermissions().get(0).getClaims();

    assertTrue(context.isGranted());
    assertEquals("test", claims.get("resolved-claim").iterator().next());
}
Example #12
Source File: AbstractResourceServerTest.java From keycloak with Apache License 2.0 | 6 votes |
/**
 * Asserts the scopes of every permission that targets {@code expectedResource} and removes
 * the fully matching ones from {@code permissions}.
 *
 * <p>A permission targets the resource when its name matches case-insensitively or its id
 * matches exactly. For such a permission the number of scopes must equal the number of
 * expected scopes; it is removed from the collection when it contains all of them. Callers
 * can then assert that the collection is empty to prove nothing unexpected was granted.
 *
 * @param permissions      the granted permissions; mutated by this method
 * @param expectedResource the resource name or id the permissions must refer to
 * @param expectedScopes   the scopes expected on that resource
 */
protected void assertPermissions(Collection<Permission> permissions, String expectedResource, String... expectedScopes) {
    for (Iterator<Permission> it = permissions.iterator(); it.hasNext();) {
        Permission candidate = it.next();
        boolean targetsResource = candidate.getResourceName().equalsIgnoreCase(expectedResource)
                || candidate.getResourceId().equals(expectedResource);

        if (!targetsResource) {
            continue;
        }

        Set<String> grantedScopes = candidate.getScopes();
        assertEquals(expectedScopes.length, grantedScopes.size());

        if (grantedScopes.containsAll(Arrays.asList(expectedScopes))) {
            it.remove();
        }
    }
}
Example #13
Source File: UmaGrantTypeTest.java From keycloak with Apache License 2.0 | 6 votes |
/**
 * Checks that an RPT can be obtained when an ID token is sent as the claim token, and that
 * it holds exactly the requested scopes on "Resource A".
 */
@Test
public void testObtainRptWithIDToken() throws Exception {
    String idToken = getIdToken("marta", "password");
    // The last argument names the format of the claim token: an OpenID Connect ID token.
    AuthorizationResponse response = authorize("Resource A", new String[] {"ScopeA", "ScopeB"}, idToken, "http://openid.net/specs/openid-connect-core-1_0.html#IDToken");

    String rpt = response.getToken();
    assertNotNull(rpt);
    assertFalse(response.isUpgraded());

    AccessToken.Authorization authorization = toAccessToken(rpt).getAuthorization();
    assertNotNull(authorization);

    Collection<Permission> granted = authorization.getPermissions();
    assertNotNull(granted);
    assertPermissions(granted, "Resource A", "ScopeA", "ScopeB");
    assertTrue(granted.isEmpty());
}
Example #14
Source File: UmaGrantTypeTest.java From keycloak with Apache License 2.0 | 6 votes |
/**
 * Checks that an RPT can be obtained by presenting a regular access token together with an
 * explicit permission request for "Resource A".
 */
@Test
public void testObtainRptUsingAccessToken() throws Exception {
    AccessTokenResponse tokenResponse = getAuthzClient().obtainAccessToken("marta", "password");
    PermissionRequest requested = new PermissionRequest("Resource A", "ScopeA", "ScopeB");
    AuthorizationResponse response = authorize(null, null, null, null, tokenResponse.getToken(), null, null, requested);

    String rpt = response.getToken();
    assertNotNull(rpt);
    assertFalse(response.isUpgraded());

    AccessToken.Authorization authorization = toAccessToken(rpt).getAuthorization();
    assertNotNull(authorization);

    Collection<Permission> granted = authorization.getPermissions();
    assertNotNull(granted);
    assertPermissions(granted, "Resource A", "ScopeA", "ScopeB");
    assertTrue(granted.isEmpty());
}
Example #15
Source File: EntitlementAPITest.java From keycloak with Apache License 2.0 | 6 votes |
/**
 * Test helper: logs the user in, requests an RPT with an empty authorization request and
 * reports whether it grants the given resource (and scopes).
 *
 * <p>Only the first permission whose resource id matches is inspected. With no scope ids the
 * match alone is enough; otherwise that permission must contain all of them.
 *
 * @param userName   user to authenticate
 * @param password   the user's password
 * @param resourceId id of the resource expected in the RPT
 * @param scopeIds   scopes expected on that resource, may be empty or {@code null}
 * @return {@code true} if the RPT grants the resource with the given scopes
 */
private boolean hasPermission(String userName, String password, String resourceId, String... scopeIds) throws Exception {
    // "secret" is the client secret of the test resource server.
    String accessToken = new OAuthClient()
            .realm("authz-test")
            .clientId(RESOURCE_SERVER_TEST)
            .doGrantAccessTokenRequest("secret", userName, password)
            .getAccessToken();
    AuthorizationResponse response = getAuthzClient(AUTHZ_CLIENT_CONFIG).authorization(accessToken).authorize(new AuthorizationRequest());
    Authorization authz = toAccessToken(response.getToken()).getAuthorization();
    Collection<Permission> granted = authz.getPermissions();

    assertNotNull(granted);
    assertFalse(granted.isEmpty());

    for (Permission candidate : granted) {
        if (!candidate.getResourceId().equals(resourceId)) {
            continue;
        }
        boolean noScopesRequested = scopeIds == null || scopeIds.length == 0;
        return noScopesRequested || candidate.getScopes().containsAll(Arrays.asList(scopeIds));
    }

    return false;
}
Example #16
Source File: EntitlementAPITest.java From keycloak with Apache License 2.0 | 6 votes |
/**
 * Asserts that the permissions of the supplied response carry a resource name exactly when
 * the request metadata asked for it.
 *
 * @param metadata         the request metadata whose include-resource-name flag is checked
 * @param responseSupplier supplies the authorization response to inspect
 */
private void assertResponse(Metadata metadata, Supplier<AuthorizationResponse> responseSupplier) {
    String rpt = responseSupplier.get().getToken();
    Collection<Permission> granted = toAccessToken(rpt).getAuthorization().getPermissions();

    assertNotNull(granted);
    assertFalse(granted.isEmpty());

    for (Permission entry : granted) {
        if (metadata.getIncludeResourceName()) {
            assertNotNull(entry.getResourceName());
            continue;
        }
        // Resource names were not requested, so the token must not disclose them.
        assertNull(entry.getResourceName());
    }
}
Example #17
Source File: UmaGrantTypeTest.java From keycloak with Apache License 2.0 | 6 votes |
/**
 * Checks that an RPT can be obtained without user credentials and that it holds exactly the
 * requested scopes on "Resource A".
 */
@Test
public void testObtainRptWithClientCredentials() throws Exception {
    AuthorizationResponse response = authorize("Resource A", new String[] {"ScopeA", "ScopeB"});

    String rpt = response.getToken();
    assertNotNull(rpt);
    assertFalse(response.isUpgraded());

    AccessToken.Authorization authorization = toAccessToken(rpt).getAuthorization();
    assertNotNull(authorization);

    Collection<Permission> granted = authorization.getPermissions();
    assertNotNull(granted);
    assertPermissions(granted, "Resource A", "ScopeA", "ScopeB");
    assertTrue(granted.isEmpty());
}
Example #18
Source File: PermissionTicketAwareDecisionResultCollector.java From keycloak with Apache License 2.0 | 6 votes |
/**
 * Strips from the permission ticket everything that {@code grantedPermission} already covers,
 * so that no unnecessary permission tickets are created for permissions granted by a
 * user-managed policy.
 *
 * <p>A ticket permission is considered when it has no resource id or when its resource id
 * equals the granted one. Its scopes that are part of the grant are removed, and the ticket
 * permission itself is removed once no scope is left (which includes ticket permissions that
 * had no scopes to begin with).
 *
 * @param grantedPermission the permission that has just been granted
 */
@Override
protected void onGrant(Permission grantedPermission) {
    List<Permission> requestedPermissions = ticket.getPermissions();

    for (Iterator<Permission> ticketIt = requestedPermissions.iterator(); ticketIt.hasNext();) {
        Permission requested = ticketIt.next();
        String requestedResourceId = requested.getResourceId();

        // Skip ticket entries that target a different resource.
        if (requestedResourceId != null && !requestedResourceId.equals(grantedPermission.getResourceId())) {
            continue;
        }

        Set<String> pendingScopes = requested.getScopes();
        for (Iterator<String> scopeIt = pendingScopes.iterator(); scopeIt.hasNext();) {
            if (grantedPermission.getScopes().contains(scopeIt.next())) {
                scopeIt.remove();
            }
        }

        if (pendingScopes.isEmpty()) {
            ticketIt.remove();
        }
    }
}
Example #19
Source File: UmaGrantTypeTest.java From keycloak with Apache License 2.0 | 6 votes |
/**
 * Checks the RPT upgrade flow when the first request names scopes only (no resource) and the
 * second request adds a scope on "Resource A" while carrying the first RPT.
 */
@Test
public void testObtainRptWithUpgradeOnlyScopes() throws Exception {
    // First request: scopes only, the resource argument is null.
    AuthorizationResponse scopeOnlyResponse = authorize("marta", "password", null, new String[] {"ScopeA", "ScopeB"});
    String rpt = scopeOnlyResponse.getToken();
    Collection<Permission> initialGrants = toAccessToken(rpt).getAuthorization().getPermissions();

    assertFalse(scopeOnlyResponse.isUpgraded());
    assertNotNull(initialGrants);
    assertPermissions(initialGrants, "Resource A", "ScopeA", "ScopeB");
    assertTrue(initialGrants.isEmpty());

    // Second request: same user, explicit resource, previous RPT attached.
    AuthorizationResponse upgradeResponse = authorize("marta", "password", "Resource A", new String[] {"ScopeC"}, rpt);
    Collection<Permission> upgradedGrants = toAccessToken(upgradeResponse.getToken()).getAuthorization().getPermissions();

    assertTrue(upgradeResponse.isUpgraded());
    assertNotNull(upgradedGrants);
    assertPermissions(upgradedGrants, "Resource A", "ScopeA", "ScopeB", "ScopeC");
    assertTrue(upgradedGrants.isEmpty());
}
Example #20
Source File: GroupPermissions.java From keycloak with Apache License 2.0 | 6 votes |
/**
 * Evaluates the permission for {@code resource} with all of its scopes and reports whether
 * any of the given scopes was granted.
 *
 * <p>The match is any-of: a single granted scope out of {@code scopes} is sufficient.
 *
 * @param resource the resource to evaluate
 * @param context  evaluation context, or {@code null} to use the overload without one
 * @param scopes   the scopes of interest
 * @return {@code true} if at least one of the scopes is granted
 */
private boolean hasPermission(Resource resource, EvaluationContext context, String... scopes) {
    ResourceServer server = root.realmResourceServer();
    ResourcePermission requested = new ResourcePermission(resource, resource.getScopes(), server);

    Collection<Permission> granted = context == null
            ? root.evaluatePermission(requested, server)
            : root.evaluatePermission(requested, server, context);

    List<String> wantedScopes = Arrays.asList(scopes);

    return granted.stream()
            .anyMatch(permission -> permission.getScopes().stream().anyMatch(scope -> wantedScopes.contains(scope)));
}
Example #21
Source File: AbstractPolicyEnforcer.java From keycloak with Apache License 2.0 | 5 votes |
/**
 * Tells whether {@code permission} applies to the path described by {@code actualPathConfig}.
 *
 * <p>The path's own configuration is tried first. Only when that fails and the path is an
 * instance of another configuration is the parent configuration tried as a fallback.
 *
 * @param actualPathConfig configuration of the path being accessed
 * @param permission       the granted permission
 * @return {@code true} if the permission matches the path or, for an instance, its parent
 */
private boolean isResourcePermission(PathConfig actualPathConfig, Permission permission) {
    if (matchResourcePermission(actualPathConfig, permission)) {
        return true;
    }

    // Fallback for instance paths: a grant on the parent configuration also applies.
    return actualPathConfig.isInstance()
            && matchResourcePermission(actualPathConfig.getParentConfig(), permission);
}
Example #22
Source File: MgmtPermissions.java From keycloak with Apache License 2.0 | 5 votes |
/**
 * Evaluates the given permissions with this object's realm set on the session context.
 *
 * <p>The realm that was on the context before the call is put back in a {@code finally}
 * block, so it is restored even when the evaluation throws.
 *
 * @param permissions    the permissions to evaluate
 * @param resourceServer the resource server to evaluate against
 * @param context        the evaluation context
 * @return the permissions granted by the evaluation
 */
public Collection<Permission> evaluatePermission(List<ResourcePermission> permissions, ResourceServer resourceServer, EvaluationContext context) {
    RealmModel realmBeforeCall = session.getContext().getRealm();

    try {
        // Policies are evaluated against this object's realm, not the one the session arrived with.
        session.getContext().setRealm(realm);
        return authz.evaluators()
                .from(permissions, context)
                .evaluate(resourceServer, null);
    } finally {
        session.getContext().setRealm(realmBeforeCall);
    }
}
Example #23
Source File: UserPermissions.java From keycloak with Apache License 2.0 | 5 votes |
/**
 * Evaluates the users resource and reports whether any of the given scopes is granted.
 *
 * <p>Without a realm resource server nothing is granted. When the users resource does not
 * exist, the outcome depends on {@code grantIfNoPermission}: access is granted only if that
 * flag is set and the requested scopes include both the manage and the view scope. Otherwise
 * the resource is evaluated with all of its scopes and one granted scope out of
 * {@code scopes} is sufficient.
 *
 * @param context evaluation context, or {@code null} to use the overload without one
 * @param scopes  the scopes of interest
 * @return {@code true} if access is granted under the rules above
 */
private boolean hasPermission(EvaluationContext context, String... scopes) {
    ResourceServer server = root.realmResourceServer();
    if (server == null) {
        return false;
    }

    Resource usersResource = resourceStore.findByName(USERS_RESOURCE, server.getId());
    List<String> wantedScopes = Arrays.asList(scopes);

    if (usersResource == null) {
        // No fine-grained configuration exists; fall back to the configured default.
        return grantIfNoPermission
                && wantedScopes.contains(MgmtPermissions.MANAGE_SCOPE)
                && wantedScopes.contains(MgmtPermissions.VIEW_SCOPE);
    }

    ResourcePermission requested = new ResourcePermission(usersResource, usersResource.getScopes(), server);
    Collection<Permission> granted = context == null
            ? root.evaluatePermission(requested, server)
            : root.evaluatePermission(requested, server, context);

    return granted.stream()
            .anyMatch(permission -> permission.getScopes().stream().anyMatch(scope -> wantedScopes.contains(scope)));
}
Example #24
Source File: PermissionEqualsTest.java From keycloak with Apache License 2.0 | 5 votes |
/**
 * Pins the behaviour of {@code Permission.equals}.
 *
 * <p>The cases show that equality is not plain field equality: with the same resource id, a
 * permission equals another one whose non-empty scope set is a subset of its own, and does not
 * equal one with an empty or disjoint scope set. Code that relies on
 * {@code Collection.contains} with permissions inherits these rules.
 */
@Test
public void testEquals() {
    // Same resource id, no scopes on either side.
    assertTrue(permissionOf("1").equals(permissionOf("1")));
    // Different resource ids.
    assertFalse(permissionOf("1").equals(permissionOf("2")));
    // Scopes on the left, none on the right.
    assertFalse(permissionOf("1", "read", "write").equals(permissionOf("1")));
    // Identical scopes.
    assertTrue(permissionOf("1", "read", "write").equals(permissionOf("1", "read", "write")));
    // Right-hand scopes are a subset of the left-hand ones.
    assertTrue(permissionOf("1", "read", "write").equals(permissionOf("1", "write")));
    // Disjoint scopes.
    assertFalse(permissionOf("1", "read").equals(permissionOf("1", "write")));
    // A null resource id never equals a non-null one, in either direction.
    assertFalse(permissionOf(null, "write").equals(permissionOf("1", "write")));
    assertFalse(permissionOf("1", "write").equals(permissionOf(null, "write")));
    // Both resource ids null: the scope rules alone decide.
    assertTrue(permissionOf(null, "write").equals(permissionOf(null, "write")));
    assertTrue(permissionOf(null, "read", "write").equals(permissionOf(null, "read")));
    assertFalse(permissionOf(null, "read", "write").equals(permissionOf(null, "update")));
    assertFalse(permissionOf(null).equals(permissionOf(null, "read")));
}

/** Builds a permission with the given resource id and scopes, no resource name and no claims. */
private static Permission permissionOf(String resourceId, String... scopes) {
    Set<String> scopeSet = scopes.length == 0
            ? Collections.<String>emptySet()
            : new HashSet<>(Arrays.asList(scopes));
    return new Permission(resourceId, null, scopeSet, Collections.emptyMap());
}
Example #25
Source File: KeycloakAdapterPolicyEnforcer.java From keycloak with Apache License 2.0 | 5 votes |
/**
 * Authorizes the request with the token at hand and, if that fails, asks the server for a
 * new authorization token and tries again.
 *
 * <p>When a new token is obtained, its permissions are merged into the authorization data of
 * the original token (entries already present according to {@code Collection.contains}, and
 * therefore {@code Permission.equals}, are not added twice). The second authorization attempt
 * is made with the newly obtained token.
 *
 * @param pathConfig   configuration of the requested path
 * @param methodConfig configuration of the requested HTTP method
 * @param accessToken  the token presented with the request
 * @param httpFacade   the HTTP facade of the request
 * @param claims       claims resolved for the request
 * @return {@code true} if either attempt authorizes the request
 */
@Override
protected boolean isAuthorized(PathConfig pathConfig, PolicyEnforcerConfig.MethodConfig methodConfig, AccessToken accessToken, OIDCHttpFacade httpFacade, Map<String, List<String>> claims) {
    AccessToken presentedToken = accessToken;

    if (super.isAuthorized(pathConfig, methodConfig, presentedToken, httpFacade, claims)) {
        return true;
    }

    AccessToken obtainedToken = requestAuthorizationToken(pathConfig, methodConfig, httpFacade, claims);
    if (obtainedToken == null) {
        return false;
    }

    // Start from what the presented token already holds, or from an empty permission list.
    AccessToken.Authorization merged = presentedToken.getAuthorization();
    if (merged == null) {
        merged = new AccessToken.Authorization();
        merged.setPermissions(new ArrayList<Permission>());
    }

    AccessToken.Authorization obtained = obtainedToken.getAuthorization();
    if (obtained != null) {
        Collection<Permission> known = merged.getPermissions();
        Collection<Permission> fresh = obtained.getPermissions();

        for (Permission candidate : fresh) {
            if (!known.contains(candidate)) {
                known.add(candidate);
            }
        }
    }

    presentedToken.setAuthorization(merged);

    return super.isAuthorized(pathConfig, methodConfig, obtainedToken, httpFacade, claims);
}
Example #26
Source File: AuthorizationTokenService.java From keycloak with Apache License 2.0 | 5 votes |
/**
 * Decides whether an authorization request counts as granted.
 *
 * <p>When the request carries a previous RPT and the ticket lists requested permissions, the
 * request is denied as soon as one requested permission is missing from the granted ones.
 * In every other case the request is granted exactly when at least one permission was
 * granted.
 *
 * @param ticket      the permission ticket holding the requested permissions
 * @param request     the authorization request
 * @param permissions the permissions granted by the evaluation
 * @return {@code true} if the request is considered granted
 */
private boolean isGranted(PermissionTicketToken ticket, AuthorizationRequest request, Collection<Permission> permissions) {
    List<Permission> requestedPermissions = ticket.getPermissions();
    boolean rptProvided = request.getRpt() != null;

    // With an RPT in play a partial grant is treated as a denial.
    if (rptProvided
            && !requestedPermissions.isEmpty()
            && !requestedPermissions.stream().allMatch(requested -> permissions.contains(requested))) {
        return false;
    }

    return !permissions.isEmpty();
}
Example #27
Source File: AuthorizationContext.java From keycloak with Apache License 2.0 | 5 votes |
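/**
 * Returns the permissions carried by the authorization token.
 *
 * <p>The result is an unmodifiable copy, so callers cannot alter the token's permission list
 * through it. A missing token, missing authorization data or a missing permission list all
 * yield an empty list.
 *
 * @return an unmodifiable snapshot of the granted permissions, never {@code null}
 */
public List<Permission> getPermissions() {
    if (this.authzToken == null) {
        return Collections.emptyList();
    }

    Authorization authorization = this.authzToken.getAuthorization();

    // Authorization data without a permission list means nothing was granted; copying a null
    // collection would otherwise fail with a NullPointerException.
    if (authorization == null || authorization.getPermissions() == null) {
        return Collections.emptyList();
    }

    return Collections.unmodifiableList(new ArrayList<>(authorization.getPermissions()));
}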
Example #28
Source File: UmaGrantTypeTest.java From keycloak with Apache License 2.0 | 5 votes |
/**
 * Checks that upgrading an RPT is refused when the additional resource is protected by a
 * denying policy: the request for "Resource B" must end in an
 * {@code AuthorizationDeniedException} even though a valid RPT for "Resource A" is attached.
 */
@Test
public void testObtainRptWithUpgradeWithUnauthorizedResource() throws Exception {
    AuthorizationResponse response = authorize("marta", "password", "Resource A", new String[] {"ScopeA", "ScopeB"});
    String rpt = response.getToken();
    Collection<Permission> granted = toAccessToken(rpt).getAuthorization().getPermissions();

    assertFalse(response.isUpgraded());
    assertNotNull(granted);
    assertPermissions(granted, "Resource A", "ScopeA", "ScopeB");
    assertTrue(granted.isEmpty());

    // Protect a second resource with a permission that is bound to the deny policy.
    ResourcePermissionRepresentation denyingPermission = new ResourcePermissionRepresentation();
    ResourceRepresentation resourceB = addResource("Resource B", "ScopeA", "ScopeB", "ScopeC");

    denyingPermission.setName(resourceB.getName() + " Permission");
    denyingPermission.addResource(resourceB.getName());
    denyingPermission.addPolicy("Deny Policy");

    getClient(getRealm()).authorization().permissions().resource().create(denyingPermission).close();

    try {
        authorize("marta", "password", "Resource B", new String[]{"ScopeC"}, rpt);
        fail("Should be denied, resource b not granted");
    } catch (AuthorizationDeniedException ignore) {
        // Expected: holding an RPT for another resource must not help here.
    }
}
Example #29
Source File: ProtectedResource.java From quarkus with Apache License 2.0 | 5 votes |
/**
 * Returns the permissions of the current identity, provided the identity passes the check
 * for the "Permission Resource" permission.
 *
 * @return the identity's {@code "permissions"} attribute; the pipeline fails with
 *         {@code ForbiddenException} when the check is not granted
 */
@GET
@Produces(MediaType.APPLICATION_JSON)
public Uni<List<Permission>> permissions() {
    Function<Boolean, List<Permission>> permissionsIfGranted = new Function<Boolean, List<Permission>>() {
        @Override
        public List<Permission> apply(Boolean granted) {
            if (!granted) {
                throw new ForbiddenException();
            }
            return identity.getAttribute("permissions");
        }
    };

    return identity.checkPermission(new AuthPermission("Permission Resource"))
            .onItem()
            .apply(permissionsIfGranted);
}
Example #30
Source File: AuthorizationContext.java From keycloak with Apache License 2.0 | 5 votes |
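/**
 * Tells whether the authorization token grants access to a resource, optionally for a
 * specific scope.
 *
 * <p>The resource is matched case-insensitively against both the name and the id of each
 * permission, so resources whose names differ only in case are not told apart here. When no
 * permission matches and no scope was asked for, the resource held in {@code current} is
 * accepted if its name equals {@code resourceName} exactly. The method fails closed: a missing
 * token, missing authorization data or a {@code null} resource name yield {@code false}, and
 * a missing permission list is treated as an empty one.
 *
 * @param resourceName the resource name or id to look for
 * @param scopeName    the scope that must be granted, or {@code null} to accept any grant on
 *                     the resource
 * @return {@code true} if access to the resource (and scope) is granted
 */
public boolean hasPermission(String resourceName, String scopeName) {
    if (this.authzToken == null) {
        return false;
    }

    Authorization authorization = this.authzToken.getAuthorization();

    // Without a resource name there is nothing to match; deny instead of throwing below.
    if (authorization == null || resourceName == null) {
        return false;
    }

    if (authorization.getPermissions() != null) {
        for (Permission permission : authorization.getPermissions()) {
            boolean sameResource = resourceName.equalsIgnoreCase(permission.getResourceName())
                    || resourceName.equalsIgnoreCase(permission.getResourceId());

            if (sameResource && (scopeName == null || permission.getScopes().contains(scopeName))) {
                return true;
            }
        }
    }

    // Resource-only check: fall back to the resource held in `current`.
    if (current != null && scopeName == null) {
        if (current.getName().equals(resourceName)) {
            return true;
        }
    }

    return false;
}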