
Adding OAuth 2.0 to Jersey based RESTful server

I have a Jersey based server that I want to secure with OAuth 2.0. There are two paths that I've seen as common:

  • Oltu - Is compatible with Jersey and seems to be supported, although not as well as Spring Security. This 2012 question seems to suggest this is the way to go, but I want confirmation in a 2016 context so I don't implement something not as well supported anymore.
  • Spring Security - It seems to be very popular, but this path implies changing the server into a Spring based MVC. I don't know if that is something recommendable based on the benefits of using something as widely supported as Spring and the cost of the refactoring.

With support I mean a project that is in continuous development, a well established community with tutorials, materials and some libraries for clients (web, mobile, server) already available.

Which one is a stronger option? Is there another option or options?

In any case, is there a good reference material or tutorial to start implementing this?


UPDATE

After a few hours of reading and understanding about both the OAuth Providers I had mentioned, I feel Apache Oltu's documentation did not guide me much as there are key components that aren't documented yet, but an example gave me a better picture on how Oltu must be implemented. On the other hand, going through Spring Security's material I got to know that it can still be built on a non-Spring MVC based java project. But there is a limited exposure of implementations/tutorials on Spring Security on a non-Spring based project.

Another approach:

I came up with an architecture that might be more stable and would not care about the implementation details of the inner server (the one already implemented using Jersey). Having a server that is dedicated for security purposes (authorizing, authenticating, storing tokens in its own database, etc) in the middle that acts like a gateway between the outside world and the inner server. It essentially acts as a relay and routes the calls back and forth, and ensures that the client knows nothing about the inner server and both entities communicate with the security server only. I feel this would be the path to move forward as

  1. Replacing with another security provider just means plugging out the security server implementation and adding the new one.
  2. The security server cares nothing about the inner server implementation and the calls would still follow the RESTful standards.

I appreciate your suggestions or feedback on this approach.

Apache Oltu supports OpenID Connect but its architecture is bad. For example, OpenIdConnectResponse should not be a descendant of OAuthAccessTokenResponse because an OpenID Connect response does not always contain an access token. In addition, the library weirdly contains a GitHub-specific class, GitHubTokenResponse.

Spring Security is famous, but I'm afraid it will never be able to support OpenID Connect. See Issue 619 about the big hurdle for OpenID Connect support.

java-oauth-server and java-resource-server are good examples of Jersey + OAuth 2.0, but they use a commercial backend service, Authlete. (I'm the author of them.)

OpenAM, MITREid Connect, Gluu, Connect2id, and other OAuth 2.0 + OpenID Connect solutions are listed in the Libraries, Products, and Tools page of the OpenID Foundation.


UPDATE for the update of the question

RFC 6749 (The OAuth 2.0 Authorization Framework) distinguishes an authorization server from a resource server. In short, an authorization server is a server that issues an access token, and a resource server is a server that responds to requests which come along with an access token.

For a resource server, API Gateway is one of the recent design patterns. Amazon, CA Technologies, IBM, Oracle and other companies provide API Gateway solutions. API Gateway architecture may be close to your idea. Some API Gateway solutions verify access tokens in their own ways (because the solutions issue access tokens by themselves) and other solutions just delegate access token verification to an external server (because the solutions don't have a mechanism to issue access tokens). For example, Amazon API Gateway is an example that delegates access token verification to an external server, which Amazon has named custom authorizer. See the following for further information about custom authorizer.

If an authorization server provides an introspection API (such as RFC 7662) that you can use to query information about an access token, your resource server implementation may be able to replace (plug-out and add) the authorization server it refers to comparatively easily.

For an authorization server, gateway-style solutions are rare. It's because such a solution must expose all the functionalities required to implement an authorization server as Web APIs. Authlete is such a solution but I don't know others.
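The "plug-out and add" property described above comes from the resource server never parsing tokens itself: it asks the authorization server through the RFC 7662 introspection endpoint, so swapping authorization servers only changes a URL and a credential. The Jersey request filter below is an added illustration, not code from the answer's author or from any of the projects named; it assumes JAX-RS 2.x in the javax namespace, Jackson on the classpath for the JSON response, and a hypothetical introspection URL, client id and secret for the resource server.

```java
import java.io.IOException;
import java.util.*;
import javax.annotation.Priority;
import javax.ws.rs.Priorities;
import javax.ws.rs.client.*;
import javax.ws.rs.container.*;
import javax.ws.rs.core.*;
import javax.ws.rs.ext.Provider;
import com.fasterxml.jackson.databind.*;

// Resource-server side of RFC 7662: every request's Bearer token is checked with the
// authorization server before the Jersey resource method runs.
@Provider
@Priority(Priorities.AUTHENTICATION)
public class IntrospectionFilter implements ContainerRequestFilter {
    // Hypothetical values: the introspection endpoint and the credentials this resource
    // server uses to authenticate to it (RFC 7662 section 2.1 requires that authentication).
    private static final String INTROSPECT_URL = "https://auth.example.com/oauth/introspect";
    private static final String RS_CLIENT_ID = "resource-server";
    private static final String RS_CLIENT_SECRET = "change-me";
    private static final String REQUIRED_SCOPE = "read";
    private final Client client = ClientBuilder.newClient();
    private final ObjectMapper mapper = new ObjectMapper();

    @Override
    public void filter(ContainerRequestContext ctx) throws IOException {
        String auth = ctx.getHeaderString(HttpHeaders.AUTHORIZATION);
        if (auth == null || !auth.regionMatches(true, 0, "Bearer ", 0, 7)) {
            ctx.abortWith(challenge(Response.Status.UNAUTHORIZED, "invalid_request"));
            return;
        }
        String token = auth.substring(7).trim();
        String basic = Base64.getEncoder().encodeToString(
                (RS_CLIENT_ID + ":" + RS_CLIENT_SECRET).getBytes("UTF-8"));
        // POST token=... as a form; the authorization server answers with a JSON object.
        Response r = client.target(INTROSPECT_URL).request(MediaType.APPLICATION_JSON)
                .header(HttpHeaders.AUTHORIZATION, "Basic " + basic)
                .post(Entity.form(new Form("token", token)));
        JsonNode info = mapper.readTree(r.readEntity(String.class));
        // "active" is the only REQUIRED member (RFC 7662 section 2.2); anything else is a reject.
        if (r.getStatus() != 200 || !info.path("active").asBoolean(false)) {
            ctx.abortWith(challenge(Response.Status.UNAUTHORIZED, "invalid_token"));
            return;
        }
        // "scope" is a space-separated list; enforce the scope this API requires.
        if (!Arrays.asList(info.path("scope").asText("").split(" ")).contains(REQUIRED_SCOPE)) {
            ctx.abortWith(challenge(Response.Status.FORBIDDEN, "insufficient_scope"));
        }
    }

    private static Response challenge(Response.Status status, String error) {
        return Response.status(status).header(HttpHeaders.WWW_AUTHENTICATE, "Bearer error=\"" + error + "\"").build();
    }
}
```

Register the filter with the Jersey application (for example through ResourceConfig.register) so it runs before resource methods; in production, cache introspection results for a short time and use a client with TLS verification and timeouts configured.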

I think it's far simpler to use the OAuth connectors that are implemented inside Jersey itself! Have you considered using Jersey's own OAuth (already linked inside Jersey) server / client? https://eclipse-ee4j.github.io/jersey.github.io/documentation/latest/security.html#d0e13146

Please take a look at:

16.3.2. OAuth 2 Support

Hope this helped. :)
