Problem description
OAuth2ProtectedResourceFilter in org.springframework.security.oauth2.provider.filter:
Collection<String> resourceIds = auth.getClientAuthentication().getResourceIds();
if (resourceIds != null && !resourceIds.isEmpty() && !resourceIds.contains(resourceId)) {
    throw new InvalidTokenException("Invalid token does not contain resource id (" + resourceId + "): " + token);
}
I think it is not useful. What does this code check for?
Recommended answer
Based on what I've gathered, it is the id of the resource service.
It becomes more clear when you consider separating your OAuth token provider servlet and your resource servers for the purpose of API versioning. For example, say Client A (cA) has access to api1 and Client B (cB) has access to api2; you enforce this access by dictating in your resource server XML for api1 that its resource-id=api1 and then configure your client details for cA so that they have resourceIds="api1", and likewise for [cB,api2].
This lets us protect API access and keep its protection declaration separate from, say, our client roles declaration.
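The check from the question, run against the cA/api1 and cB/api2 setup described in the answer, as an added example that is not part of the original post or of Spring Security OAuth. It is plain Java with no Spring dependency; the class name, the `cLegacy` client (registered with no resourceIds) and the `acceptsStrict` variant are assumptions made for illustration.

```java
import java.util.Collection;
import java.util.List;
import java.util.Map;

public class ResourceIdCheckDemo {

    // Constructed sample data: resourceIds per client. cA and cB follow the answer;
    // "cLegacy" is a hypothetical client registered without any resourceIds.
    static final Map<String, Collection<String>> CLIENT_RESOURCE_IDS =
            Map.<String, Collection<String>>of(
                    "cA", List.of("api1"),
                    "cB", List.of("api2"),
                    "cLegacy", List.of());

    // Same condition as the filter snippet in the question: the token is rejected
    // only when the client has a non-empty resourceIds list lacking this server's id.
    static boolean accepts(String serverResourceId, Collection<String> clientResourceIds) {
        return clientResourceIds == null
                || clientResourceIds.isEmpty()
                || clientResourceIds.contains(serverResourceId);
    }

    // Hypothetical stricter variant (not Spring behaviour): a client must list
    // the resource server explicitly, so an empty list grants nothing.
    static boolean acceptsStrict(String serverResourceId, Collection<String> clientResourceIds) {
        return clientResourceIds != null && clientResourceIds.contains(serverResourceId);
    }

    public static void main(String[] args) {
        for (String server : List.of("api1", "api2")) {
            for (String client : List.of("cA", "cB", "cLegacy")) {
                Collection<String> ids = CLIENT_RESOURCE_IDS.get(client);
                System.out.printf("server=%s client=%s filter=%s strict=%s%n",
                        server, client,
                        accepts(server, ids) ? "accepted" : "InvalidTokenException",
                        acceptsStrict(server, ids) ? "accepted" : "rejected");
            }
        }
    }
}
```

Under the filter's condition, cA is rejected by api2 and cB by api1, while `cLegacy` is accepted by both because an empty resourceIds list skips the check. When relying on resourceIds to separate APIs, confirm that every client registration actually lists its resource ids.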