问题描述
我有一个使用Java JAX-RS构建的REST API,该API将会公开,并且受到OAuth 2.0的保护.
I have a REST API built using Java JAX-RS, the API will be exposed to public and it is protected by OAuth 2.0.
我计划从正在构建的内部项目中使用此API,并且因为它是我的API,所以我不希望用户授权我对此API进行调用.
I plan to use this API from internal projects I am building and because it is my API, I don't expect the user to authorise me to make calls to this API.
现在,我正在使用过滤器来检查访问令牌,并根据我的OAuth Provider(配置示例)对其进行验证:
Right now, I am using filters to check access token and validate it against my OAuth Provider, sample of configuration :
<!-- Exposing the facility service as a REST service -->
<jaxrs:server id="restContainer" address="/">
<jaxrs:serviceBeans>
.. services beans
</jaxrs:serviceBeans>
<jaxrs:providers>
<ref bean="oauthFilter"/> <-- filter to validate oauth
<ref bean="apiUsageFilter"/> <-- filter to check api usage (integrated with 3scale)
<ref bean="jacksonProvider" />
<ref bean="exceptionMapper" />
</jaxrs:providers>
<jaxrs:extensionMappings>
<entry key="json" value="application/json" />
<entry key="xml" value="application/xml" />
<entry key="html" value="text/html" />
</jaxrs:extensionMappings>
<jaxrs:features>
<bean class="org.apache.cxf.feature.LoggingFeature"/>
</jaxrs:features>
</jaxrs:server>
我想知道是否可以实现一个新的过滤器来检查呼叫的起源,如果它是来自列出的ip/域中的,则绕过oauth,如果没有,则继续进行oauth.
I am wondering if I can implement a new filter to check origin of the call, if it is from among the listed ip(s)/domain(s) then bypass oauth, if not, then proceed with oauth.
这种方法可行吗?这是一个好习惯吗?优点和缺点?
Is that approach possible ? would it be a good practice? Pros and Cons?
谢谢!
推荐答案
解决方案很简单:我们为服务器到服务器应用程序实现了客户端授权授予,为移动应用程序实现了资源所有者凭证授权授予(没有后端)在OAuth 2.0服务器中.
The solution was simple : we implemented Client authorization grant for server-to-server applications, and Resource Owner Credentials authorization grant for mobile apps (that don't have backend) in the OAuth 2.0 server.
这篇关于Jax RS REST API-OAuth 2.0和控件来源的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!