[英]OAuth Resource Owner Password Java
Is there a Java provider implementation of the OAuth's Resource Owner Password flow or a library to include in my project? 是否存在OAuth的资源所有者密码流的Java提供程序实现或要包含在我的项目中的库?
I have read that Spring Security provides those libraries with a server or provider implementation, can I only include those Spring libraries to my standard Java EE project without using the full Spring stack? 我已经读过Spring Security为那些库提供了服务器或提供程序实现,是否可以仅将这些Spring库包含到我的标准Java EE项目中而不使用完整的Spring堆栈?
Could it be possible or reasonable to implement the OAuth provider and client for that flow following the RFC? 在RFC之后为该流程实现OAuth提供程序和客户端是否可行或合理?
The UAA project uses Spring Security's OAuth provider to implement a full OAuth2 authorization server (including resource owner grant). UAA项目使用Spring Security的OAuth提供程序来实现完整的OAuth2授权服务器(包括资源所有者授权)。 Why not use that? 为什么不使用它?
You can't "only include those Spring libraries to my standard Java EE project" without using Spring. 如果不使用Spring,则不能“仅将这些Spring库包括到我的标准Java EE项目中”。 It's not really clear from your question how you would expect that to work. 从您的问题还不清楚,您希望它如何工作。 Where would the authorization server be implemented, for example? 例如,授权服务器将在哪里实施?
It's certainly possible to implement the OAuth2 provider yourself, especially if you are only using part of the spec, but it's not trivial and probably not "reasonable" if it is just incidental to your main application development. 当然,可以自己实现OAuth2提供程序,特别是如果您仅使用规范的一部分,但是如果它只是与您的主应用程序开发有关的话,那么它并不简单,并且可能不合理。
You will still need to consider how to protect your resource servers when they are accessed by an application which has obtained a token from the authorization server. 当从授权服务器获得令牌的应用程序访问资源服务器时,您仍然需要考虑如何保护它们。 In other words, they need to be able to check and understand the token that is issued and make an access decision based on it. 换句话说,他们需要能够检查和理解所发出的令牌并基于该令牌做出访问决策。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.