Replace #oauth.hasScope annotation with proper #iam.hasScope

Fixed pre-authz in order to rely on token's scopes instead of already approved ones.
indigo-iam · Oct 26, 2023 · ca3800d · ca3800d
1 parent 6fc2f6f
commit ca3800d
Show file tree

Hide file tree

Showing 26 changed files with 279 additions and 81 deletions.
diff --git a/...vice/src/main/java/it/infn/mw/iam/api/account/attributes/AccountAttributesController.java b/...vice/src/main/java/it/infn/mw/iam/api/account/attributes/AccountAttributesController.java
@@ -72,7 +72,7 @@ private void handleValidationError(BindingResult result) {
   }
 
   @RequestMapping(value = "/iam/account/{id}/attributes", method = RequestMethod.GET)
-  @PreAuthorize("#oauth2.hasScope('iam:admin.read') or #iam.isUser(#id) or #iam.hasAnyDashboardRole('ROLE_ADMIN', 'ROLE_GM')")
+  @PreAuthorize("#iam.hasScope('iam:admin.read') or #iam.isUser(#id) or #iam.hasAnyDashboardRole('ROLE_ADMIN', 'ROLE_GM')")
   public List<AttributeDTO> getAttributes(@PathVariable String id) {
 
     IamAccount account =
@@ -85,7 +85,7 @@ public List<AttributeDTO> getAttributes(@PathVariable String id) {
   }
 
   @RequestMapping(value = "/iam/account/{id}/attributes", method = PUT)
-  @PreAuthorize("#oauth2.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
+  @PreAuthorize("#iam.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
   public void setAttribute(@PathVariable String id, @RequestBody @Validated AttributeDTO attribute,
       final BindingResult validationResult) {
 
@@ -99,7 +99,7 @@ public void setAttribute(@PathVariable String id, @RequestBody @Validated Attrib
   }
 
   @RequestMapping(value = "/iam/account/{id}/attributes", method = DELETE)
-  @PreAuthorize("#oauth2.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
+  @PreAuthorize("#iam.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
   @ResponseStatus(value = NO_CONTENT)
   public void deleteAttribute(@PathVariable String id, @Validated AttributeDTO attribute,
       final BindingResult validationResult) {

diff --git a/...ervice/src/main/java/it/infn/mw/iam/api/account/authority/AccountAuthorityController.java b/...ervice/src/main/java/it/infn/mw/iam/api/account/authority/AccountAuthorityController.java
@@ -68,22 +68,22 @@ protected IamAccount findAccountByName(String name) {
       .orElseThrow(() -> new NoSuchAccountError(format("No account found for name '%s'", name)));
   }
 
-  @PreAuthorize("#oauth2.hasScope('iam:admin.read') or #iam.hasDashboardRole('ROLE_USER')")
+  @PreAuthorize("#iam.hasScope('iam:admin.read') or #iam.hasDashboardRole('ROLE_USER')")
   @RequestMapping(value = "/me/authorities", method = RequestMethod.GET)
   public AuthoritySetDTO getAuthoritiesForMe(Authentication authn) {
     return AuthoritySetDTO
       .fromAuthorities(authorityService.getAccountAuthorities(findAccountByName(authn.getName())));
   }
 
-  @PreAuthorize("#oauth2.hasScope('iam:admin.read') or #iam.hasAnyDashboardRole('ROLE_ADMIN', 'ROLE_GM')")
+  @PreAuthorize("#iam.hasScope('iam:admin.read') or #iam.hasAnyDashboardRole('ROLE_ADMIN', 'ROLE_GM')")
   @RequestMapping(value = "/account/{id}/authorities", method = RequestMethod.GET)
   @ResponseBody
   public AuthoritySetDTO getAuthoritiesForAccount(@PathVariable("id") String id) {
     return AuthoritySetDTO
       .fromAuthorities(authorityService.getAccountAuthorities(findAccountById(id)));
   }
 
-  @PreAuthorize("#oauth2.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
+  @PreAuthorize("#iam.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
   @RequestMapping(value = "/account/{id}/authorities", method = RequestMethod.POST)
   public void addAuthorityToAccount(@PathVariable("id") String id, @Valid AuthorityDTO authority,
       BindingResult validationResult) {
@@ -96,7 +96,7 @@ public void addAuthorityToAccount(@PathVariable("id") String id, @Valid Authorit
 
   }
 
-  @PreAuthorize("#oauth2.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
+  @PreAuthorize("#iam.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
   @RequestMapping(value = "/account/{id}/authorities", method = RequestMethod.DELETE)
   public void removeAuthorityFromAccount(@PathVariable("id") String id,
       @Valid AuthorityDTO authority, BindingResult validationResult) {

diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/api/account/find/FindAccountController.java b/iam-login-service/src/main/java/it/infn/mw/iam/api/account/find/FindAccountController.java
@@ -36,7 +36,7 @@
 import it.infn.mw.iam.api.scim.model.ScimUser;
 
 @RestController
-@PreAuthorize("#oauth2.hasScope('iam:admin.read') or #iam.hasDashboardRole('ROLE_ADMIN')")
+@PreAuthorize("#iam.hasScope('iam:admin.read') or #iam.hasDashboardRole('ROLE_ADMIN')")
 public class FindAccountController {
 
   public static final String INVALID_FIND_ACCOUNT_REQUEST = "Invalid find account request";

diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/api/account/group/AccountGroupController.java b/iam-login-service/src/main/java/it/infn/mw/iam/api/account/group/AccountGroupController.java
@@ -57,7 +57,7 @@ public AccountGroupController(IamAccountService accountService, IamGroupService
 
   @RequestMapping(value = "/iam/account/{accountUuid}/groups/{groupUuid}", method = POST)
   @ResponseStatus(value = HttpStatus.CREATED)
-  @PreAuthorize("#iam.hasAdminOrGMDashboardRoleOfGroup(#groupUuid) or #oauth2.hasScope('iam:admin.write')")
+  @PreAuthorize("#iam.hasAdminOrGMDashboardRoleOfGroup(#groupUuid) or #iam.hasScope('iam:admin.write')")
   public void addAccountToGroup(@PathVariable String accountUuid, @PathVariable String groupUuid) {
     IamGroup group = groupService.findByUuid(groupUuid).orElseThrow(noSuchGroup(groupUuid));
 
@@ -75,7 +75,7 @@ public void addAccountToGroup(@PathVariable String accountUuid, @PathVariable St
 
   @RequestMapping(value = "/iam/account/{accountUuid}/groups/{groupUuid}", method = DELETE)
   @ResponseStatus(value = HttpStatus.NO_CONTENT)
-  @PreAuthorize("#iam.hasAdminOrGMDashboardRoleOfGroup(#groupUuid) or #oauth2.hasScope('iam:admin.write')")
+  @PreAuthorize("#iam.hasAdminOrGMDashboardRoleOfGroup(#groupUuid) or #iam.hasScope('iam:admin.write')")
   public void removeAccountFromGroup(@PathVariable String accountUuid,
       @PathVariable String groupUuid) {
     IamGroup group = groupService.findByUuid(groupUuid).orElseThrow(noSuchGroup(groupUuid));

diff --git a/...src/main/java/it/infn/mw/iam/api/account/group_manager/AccountGroupManagerController.java b/...src/main/java/it/infn/mw/iam/api/account/group_manager/AccountGroupManagerController.java
@@ -63,7 +63,7 @@ public AccountGroupManagerController(AccountGroupManagerService service,
 
 
   @RequestMapping(value = "/iam/account/{accountId}/managed-groups", method = RequestMethod.GET)
-  @PreAuthorize("#oauth2.hasScope('iam:admin.read') or #iam.hasDashboardRole('ROLE_ADMIN') or #iam.isUser(#accountId)")
+  @PreAuthorize("#iam.hasScope('iam:admin.read') or #iam.hasDashboardRole('ROLE_ADMIN') or #iam.isUser(#accountId)")
   public AccountManagedGroupsDTO getAccountManagedGroupsInformation(
       @PathVariable String accountId) {
     IamAccount account = accountRepository.findByUuid(accountId)
@@ -74,7 +74,7 @@ public AccountManagedGroupsDTO getAccountManagedGroupsInformation(
 
   @RequestMapping(value = "/iam/account/{accountId}/managed-groups/{groupId}",
       method = RequestMethod.POST)
-  @PreAuthorize("#oauth2.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
+  @PreAuthorize("#iam.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
   @ResponseStatus(value = HttpStatus.CREATED)
   public void addManagedGroupToAccount(@PathVariable String accountId,
       @PathVariable String groupId) {
@@ -90,7 +90,7 @@ public void addManagedGroupToAccount(@PathVariable String accountId,
 
   @RequestMapping(value = "/iam/account/{accountId}/managed-groups/{groupId}",
       method = RequestMethod.DELETE)
-  @PreAuthorize("#oauth2.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
+  @PreAuthorize("#iam.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
   @ResponseStatus(value = HttpStatus.NO_CONTENT)
   public void removeManagedGroupFromAccount(@PathVariable String accountId,
       @PathVariable String groupId) {
@@ -105,7 +105,7 @@ public void removeManagedGroupFromAccount(@PathVariable String accountId,
   }
 
   @RequestMapping(value = "/iam/group/{groupId}/group-managers", method=RequestMethod.GET)
-  @PreAuthorize("#oauth2.hasScope('iam:admin.read') or #iam.hasDashboardRole('ROLE_ADMIN') or #iam.isGroupManager(#groupId)")
+  @PreAuthorize("#iam.hasScope('iam:admin.read') or #iam.hasDashboardRole('ROLE_ADMIN') or #iam.isGroupManager(#groupId)")
   public List<ScimUser> getGroupManagersForGroup(@PathVariable String groupId) {
     IamGroup group = groupRepository.findByUuid(groupId)
       .orElseThrow(() -> InvalidManagedGroupError.groupNotFoundException(groupId));

diff --git a/...ogin-service/src/main/java/it/infn/mw/iam/api/account/labels/AccountLabelsController.java b/...ogin-service/src/main/java/it/infn/mw/iam/api/account/labels/AccountLabelsController.java
@@ -75,7 +75,7 @@ private void handleValidationError(BindingResult result) {
   }
 
   @RequestMapping(method = GET)
-  @PreAuthorize("#oauth2.hasScope('iam:admin.read') or #iam.hasAnyDashboardRole('ROLE_ADMIN', 'ROLE_GM') or #iam.isUser(#id)")
+  @PreAuthorize("#iam.hasScope('iam:admin.read') or #iam.hasAnyDashboardRole('ROLE_ADMIN', 'ROLE_GM') or #iam.isUser(#id)")
   public List<LabelDTO> getLabels(@PathVariable String id) {
 
     IamAccount account = service.findByUuid(id).orElseThrow(noSuchAccountError(id));
@@ -88,7 +88,7 @@ public List<LabelDTO> getLabels(@PathVariable String id) {
   }
 
   @RequestMapping(method = PUT)
-  @PreAuthorize("#oauth2.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
+  @PreAuthorize("#iam.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
   public void setLabel(@PathVariable String id, @RequestBody @Validated LabelDTO label,
       BindingResult validationResult) {
     handleValidationError(validationResult);
@@ -98,7 +98,7 @@ public void setLabel(@PathVariable String id, @RequestBody @Validated LabelDTO l
   }
 
   @RequestMapping(method = DELETE)
-  @PreAuthorize("#oauth2.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
+  @PreAuthorize("#iam.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
   @ResponseStatus(NO_CONTENT)
   public void deleteLabel(@PathVariable String id, @Validated LabelDTO label,
       BindingResult validationResult) {

diff --git a/...ervice/src/main/java/it/infn/mw/iam/api/account/lifecycle/AccountLifecycleController.java b/...ervice/src/main/java/it/infn/mw/iam/api/account/lifecycle/AccountLifecycleController.java
@@ -42,7 +42,7 @@
 
 @RestController
 @RequestMapping(value = AccountLifecycleController.BASE_RESOURCE)
-@PreAuthorize("#oauth2.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
+@PreAuthorize("#iam.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
 public class AccountLifecycleController {
 
   public static final String BASE_RESOURCE = "/iam/account/{id}/endTime";

diff --git a/...java/it/infn/mw/iam/api/account/proxy_certificate/AccountProxyCertificatesController.java b/...java/it/infn/mw/iam/api/account/proxy_certificate/AccountProxyCertificatesController.java
@@ -77,7 +77,7 @@ private void handleValidationError(BindingResult result) {
   }
 
   @RequestMapping(value = "/iam/account/me/proxycert", method = PUT)
-  @PreAuthorize("#oauth2.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_USER')")
+  @PreAuthorize("#iam.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_USER')")
   public void addProxyCertificate(
       @RequestBody @Validated(
           value = ProxyCertificateDTO.AddProxyCertValidation.class) ProxyCertificateDTO proxyCert,

diff --git a/...ogin-service/src/main/java/it/infn/mw/iam/api/account/search/AccountSearchController.java b/...ogin-service/src/main/java/it/infn/mw/iam/api/account/search/AccountSearchController.java
@@ -38,7 +38,7 @@
 
 @RestController
 @Transactional
-@PreAuthorize("#oauth2.hasScope('iam:admin.read') or #iam.hasAnyDashboardRole('ROLE_ADMIN', 'ROLE_GM')")
+@PreAuthorize("#iam.hasScope('iam:admin.read') or #iam.hasAnyDashboardRole('ROLE_ADMIN', 'ROLE_GM')")
 @RequestMapping(AccountSearchController.ACCOUNT_SEARCH_ENDPOINT)
 public class AccountSearchController extends AbstractSearchController<ScimUser, IamAccount> {
 

diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/api/account/search/GroupSearchController.java b/iam-login-service/src/main/java/it/infn/mw/iam/api/account/search/GroupSearchController.java
@@ -42,7 +42,7 @@
 
 @RestController
 @Transactional
-@PreAuthorize("hasAnyRole('ADMIN', 'USER') or #oauth2.hasScope('iam:admin.read')")
+@PreAuthorize("hasAnyRole('ADMIN', 'USER') or #iam.hasScope('iam:admin.read')")
 @RequestMapping(GroupSearchController.GROUP_SEARCH_ENDPOINT)
 public class GroupSearchController extends AbstractSearchController<ScimGroup, IamGroup> {
 

diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/api/aup/AupSignatureController.java b/iam-login-service/src/main/java/it/infn/mw/iam/api/aup/AupSignatureController.java
@@ -101,7 +101,7 @@ public AupSignatureDTO getSignature() throws AccountNotFoundException {
   }
 
   @RequestMapping(value = "/iam/aup/signature/{accountId}", method = RequestMethod.GET)
-  @PreAuthorize("#oauth2.hasScope('iam:admin.read') or #iam.hasAnyDashboardRole('ROLE_ADMIN', 'ROLE_GM') or #iam.isUser(#accountId)")
+  @PreAuthorize("#iam.hasScope('iam:admin.read') or #iam.hasAnyDashboardRole('ROLE_ADMIN', 'ROLE_GM') or #iam.isUser(#accountId)")
   public AupSignatureDTO getSignatureForAccount(@PathVariable String accountId) throws AccountNotFoundException {
     IamAccount account = accountUtils.getByAccountId(accountId)
       .orElseThrow(accountNotFoundException("Account not found for id: " + accountId));
@@ -113,7 +113,7 @@ public AupSignatureDTO getSignatureForAccount(@PathVariable String accountId) th
   }
 
   @RequestMapping(value = "/iam/aup/signature/{accountId}", method = RequestMethod.PATCH)
-  @PreAuthorize("#oauth2.hasScope('iam:admin.write')")
+  @PreAuthorize("#iam.hasScope('iam:admin.write')")
   public void setSignatureForAccount(@PathVariable String accountId,
       @RequestBody @Validated AupSignatureDTO dto) throws AccountNotFoundException {
     IamAccount account = accountUtils.getByAccountId(accountId)

diff --git a/...ice/src/main/java/it/infn/mw/iam/api/client/management/ClientManagementAPIController.java b/...ice/src/main/java/it/infn/mw/iam/api/client/management/ClientManagementAPIController.java
@@ -68,15 +68,15 @@ public ClientManagementAPIController(ClientManagementService managementService)
 
   @PostMapping
   @ResponseStatus(CREATED)
-  @PreAuthorize("#oauth2.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
+  @PreAuthorize("#iam.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
   public RegisteredClientDTO saveNewClient(@RequestBody RegisteredClientDTO client)
       throws ParseException {
     return managementService.saveNewClient(client);
   }
 
   @JsonView({ClientViews.ClientManagement.class})
   @GetMapping
-  @PreAuthorize("#oauth2.hasScope('iam:admin.read') or #iam.hasDashboardRole('ROLE_ADMIN')")
+  @PreAuthorize("#iam.hasScope('iam:admin.read') or #iam.hasDashboardRole('ROLE_ADMIN')")
   public ListResponseDTO<RegisteredClientDTO> retrieveClients(
       @RequestParam final Optional<Integer> count,
       @RequestParam final Optional<Integer> startIndex,
@@ -94,14 +94,14 @@ public ListResponseDTO<RegisteredClientDTO> retrieveClients(
 
   @JsonView({ClientViews.ClientManagement.class})
   @GetMapping("/{clientId}")
-  @PreAuthorize("#oauth2.hasScope('iam:admin.read') or #iam.hasDashboardRole('ROLE_ADMIN')")
+  @PreAuthorize("#iam.hasScope('iam:admin.read') or #iam.hasDashboardRole('ROLE_ADMIN')")
   public RegisteredClientDTO retrieveClient(@PathVariable String clientId) {
     return managementService.retrieveClientByClientId(clientId)
       .orElseThrow(clientNotFound(clientId));
   }
 
   @GetMapping("/{clientId}/owners")
-  @PreAuthorize("#oauth2.hasScope('iam:admin.read') or #iam.hasDashboardRole('ROLE_ADMIN')")
+  @PreAuthorize("#iam.hasScope('iam:admin.read') or #iam.hasDashboardRole('ROLE_ADMIN')")
   public ListResponseDTO<ScimUser> retrieveClientOwners(@PathVariable String clientId,
       @RequestParam final Optional<Integer> count,
       @RequestParam final Optional<Integer> startIndex) {
@@ -111,29 +111,29 @@ public ListResponseDTO<ScimUser> retrieveClientOwners(@PathVariable String clien
 
   @PostMapping("/{clientId}/owners/{accountId}")
   @ResponseStatus(CREATED)
-  @PreAuthorize("#oauth2.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
+  @PreAuthorize("#iam.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
   public void assignClientOwner(@PathVariable String clientId,
       @PathVariable final String accountId) {
     managementService.assignClientOwner(clientId, accountId);
   }
 
   @PostMapping("/{clientId}/rat")
   @ResponseStatus(CREATED)
-  @PreAuthorize("#oauth2.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
+  @PreAuthorize("#iam.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
   public RegisteredClientDTO rotateRegistrationAccessToken(@PathVariable String clientId) {
     return managementService.rotateRegistrationAccessToken(clientId);
   }
 
   @DeleteMapping("/{clientId}/owners/{accountId}")
   @ResponseStatus(NO_CONTENT)
-  @PreAuthorize("#oauth2.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
+  @PreAuthorize("#iam.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
   public void removeClientOwner(@PathVariable String clientId,
       @PathVariable final String accountId) {
     managementService.removeClientOwner(clientId, accountId);
   }
 
   @PutMapping("/{clientId}")
-  @PreAuthorize("#oauth2.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
+  @PreAuthorize("#iam.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
   public RegisteredClientDTO updateClient(@PathVariable String clientId,
       @RequestBody RegisteredClientDTO client)
       throws ParseException {
@@ -142,14 +142,14 @@ public RegisteredClientDTO updateClient(@PathVariable String clientId,
 
   @PostMapping("/{clientId}/secret")
   @ResponseStatus(CREATED)
-  @PreAuthorize("#oauth2.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
+  @PreAuthorize("#iam.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
   public RegisteredClientDTO rotateClientSecret(@PathVariable String clientId) {
     return managementService.generateNewClientSecret(clientId);
   }
 
   @DeleteMapping("/{clientId}")
   @ResponseStatus(NO_CONTENT)
-  @PreAuthorize("#oauth2.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
+  @PreAuthorize("#iam.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
   public void deleteClient(@PathVariable String clientId) {
     managementService.deleteClientByClientId(clientId);
   }

diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/api/client/search/SearchClientController.java b/iam-login-service/src/main/java/it/infn/mw/iam/api/client/search/SearchClientController.java
@@ -36,7 +36,7 @@
 
 @RestController
 @RequestMapping(SearchClientController.ENDPOINT)
-@PreAuthorize("#oauth2.hasScope('iam:admin.read') or #iam.hasDashboardRole('ROLE_ADMIN')")
+@PreAuthorize("#iam.hasScope('iam:admin.read') or #iam.hasDashboardRole('ROLE_ADMIN')")
 public class SearchClientController {
 
   public static final int MAX_PAGE_SIZE = 100;

diff --git a/...in-service/src/main/java/it/infn/mw/iam/api/exchange_policy/ExchangePolicyController.java b/...in-service/src/main/java/it/infn/mw/iam/api/exchange_policy/ExchangePolicyController.java
@@ -62,7 +62,7 @@ protected InvalidExchangePolicyError buildValidationError(BindingResult result)
   }
 
   @RequestMapping(value = "/policies", method = RequestMethod.GET)
-  @PreAuthorize("#oauth2.hasScope('iam:admin.read') or #iam.hasDashboardRole('ROLE_ADMIN')")
+  @PreAuthorize("#iam.hasScope('iam:admin.read') or #iam.hasDashboardRole('ROLE_ADMIN')")
   public List<ExchangePolicyDTO> getExchangePolicies() {
     Page<ExchangePolicyDTO> resultsPage = service.getTokenExchangePolicies(UNPAGED);
     if (resultsPage.hasNext()) {
@@ -74,14 +74,14 @@ public List<ExchangePolicyDTO> getExchangePolicies() {
 
   @RequestMapping(value = "/policies/{id}", method = RequestMethod.DELETE)
   @ResponseStatus(code = HttpStatus.NO_CONTENT)
-  @PreAuthorize("#oauth2.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
+  @PreAuthorize("#iam.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
   public void deleteExchangePolicy(@PathVariable Long id) {
     service.deleteTokenExchangePolicyById(id);
   }
 
   @RequestMapping(value = "/policies", method = RequestMethod.POST)
   @ResponseStatus(code = HttpStatus.CREATED)
-  @PreAuthorize("#oauth2.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
+  @PreAuthorize("#iam.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
   public void createExchangePolicy(@Valid @RequestBody ExchangePolicyDTO dto,
       BindingResult validationResult) {