Question

我是安全新手。 JAVA和我需要实现OAuth2的令牌跟随，这是我需要实现的确切流程（如果有一些库可以帮助它很棒）

http://tutorials.jenkov.com/oauth2/authorization-code-request-response.html

如何使用JAVA实现它，我想使用一些提供此功能的库。令牌流应该是针对UAA的，但任何其他类似的例子都会非常有用。我找到了这个例子，但不知道如何使用/测试它与UAA的E2E 邮差将非常有助于模拟它...

https://developers.google.com/api-client-library/java/google-oauth-java-client/oauth2

UAA背景

https://github.com/cloudfoundry/uaa

Answer 1

我建议你将Spring作为用Java构建Web应用程序的最流行的框架。它具有Spring Security模块，可以帮助开发OAuth 2.0客户端和资源服务器，如here或here所示。

Answer 2

有关OAuth 2.0流程的详细说明，请访问RFC 6749 Specification。关于逐步解决方案，您应该看到一些教程，例如this article explaining how to create a Spring REST API using OAuth 2.0。本文将介绍代码以及创建Postman请求。关于模拟/测试，我之前使用TestNG和Mockito为OAuth 2.0创建了测试套件。

您开发和研究的越多，您就越能找到改进或改变代码设计方式的方法。如果您真的想要遵守OAuth 2.0流程，那么您应该正确理解RFC 6749链接中的流程（有时可能相对模糊）。

Answer 3

以下是Google API clinet库示例。如果有帮助，试试这个

    public class ServletSample extends AbstractAuthorizationCodeServlet {

  @Override
  protected void doGet(HttpServletRequest request, HttpServletResponse response)
      throws IOException {
    // do stuff
  }

  @Override
  protected String getRedirectUri(HttpServletRequest req) throws ServletException, IOException {
    GenericUrl url = new GenericUrl(req.getRequestURL().toString());
    url.setRawPath("/oauth2callback");
    return url.build();
  }

  @Override
  protected AuthorizationCodeFlow initializeFlow() throws IOException {
    return new AuthorizationCodeFlow.Builder(BearerToken.authorizationHeaderAccessMethod(),
        new NetHttpTransport(),
        new JacksonFactory(),
        new GenericUrl("https://server.example.com/token"),
        new BasicAuthentication("s6BhdRkqt3", "7Fjfp0ZBr1KtDRbnfVdmIw"),
        "s6BhdRkqt3",
        "https://server.example.com/authorize").setCredentialDataStore(
            StoredCredential.getDefaultDataStore(
                new FileDataStoreFactory(new File("datastoredir"))))
        .build();
  }

  @Override
  protected String getUserId(HttpServletRequest req) throws ServletException, IOException {
    // return user ID
  }
}

public class ServletCallbackSample extends AbstractAuthorizationCodeCallbackServlet {

  @Override
  protected void onSuccess(HttpServletRequest req, HttpServletResponse resp, Credential credential)
      throws ServletException, IOException {
    resp.sendRedirect("/");
  }

  @Override
  protected void onError(
      HttpServletRequest req, HttpServletResponse resp, AuthorizationCodeResponseUrl errorResponse)
      throws ServletException, IOException {
    // handle error
  }

  @Override
  protected String getRedirectUri(HttpServletRequest req) throws ServletException, IOException {
    GenericUrl url = new GenericUrl(req.getRequestURL().toString());
    url.setRawPath("/oauth2callback");
    return url.build();
  }

  @Override
  protected AuthorizationCodeFlow initializeFlow() throws IOException {
    return new AuthorizationCodeFlow.Builder(BearerToken.authorizationHeaderAccessMethod(),
        new NetHttpTransport(),
        new JacksonFactory(),
        new GenericUrl("https://server.example.com/token"),
        new BasicAuthentication("s6BhdRkqt3", "7Fjfp0ZBr1KtDRbnfVdmIw"),
        "s6BhdRkqt3",
        "https://server.example.com/authorize").setCredentialDataStore(
            StoredCredential.getDefaultDataStore(
                new FileDataStoreFactory(new File("datastoredir"))))
        .build();
  }

  @Override
  protected String getUserId(HttpServletRequest req) throws ServletException, IOException {
    // return user ID
  }
}

Answer 4

https://github.com/spring-projects/spring-security-oauth/tree/master/samples/oauth2包含使用Spring Security执行oauth2的示例代码。

Java - 令牌流OAuth 2 E2E带代码

4 个答案: