# Security Tools

When you need to declare dependencies with OAuth2 scopes you use `Security()`.

But you still need to define what is the dependable, the callable that you pass as a parameter to `Depends()` or `Security()`.

There are multiple tools that you can use to create those dependables, and they get integrated into OpenAPI so they are shown in the automatic docs UI, they can be used by automatically generated clients and SDKs, etc.

/**
 * An SPI interface to extend Maven with new enum values for extensible enumerations.
 * <p>
 * Maven uses extensible enumerations to allow plugins and extensions to add new values
 * to various categories like languages, scopes, and packaging types. This interface is the
 * base for all providers that register such extensions.
 * <p>
 * Implementations of this interface are discovered through the Java ServiceLoader mechanism.

* Never store plaintext passwords, only password hashes.
* Implement and use well-known cryptographic tools, like pwdlib and JWT tokens, etc.
* Add more granular permission controls with OAuth2 scopes where needed.
* ...etc.

Nevertheless, you might have a very specific use case where you really need to disable the API docs for some environment (e.g. for production) or depending on configurations from environment variables.

	var names1 []string
	DB.Model(&User{}).Where("name like ?", "distinct%").Distinct().Order("name").Pluck("Name", &names1)

	AssertEqual(t, names1, []string{"distinct", "distinct-2", "distinct-3"})

	var names2 []string
	DB.Scopes(func(db *gorm.DB) *gorm.DB {
		return db.Table("users")
	}).Where("name like ?", "distinct%").Order("name").Pluck("name", &names2)
	AssertEqual(t, names2, []string{"distinct", "distinct", "distinct", "distinct-2", "distinct-3"})

 */
package org.codelibs.fess.score;

import java.util.ArrayList;
import java.util.List;

import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;

/**
 * This class updates scores of documents.
 */
public class ScoreUpdater {
    /**
     * Constructor.
     */
    public ScoreUpdater() {
        super();
    }

import org.apache.maven.lifecycle.mapping.LifecycleMojo;
import org.apache.maven.lifecycle.mapping.LifecyclePhase;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/**
 * TODO: this is session scoped as SPI can contribute.
 */
@Named
@Singleton
public class DefaultPackagingRegistry
        extends ExtensibleEnumRegistries.DefaultExtensibleEnumRegistry<Packaging, PackagingProvider>

/// note | Hinweis

Beachten Sie den Header `Authorization` mit einem Wert, der mit `Bearer ` beginnt.

///

## Fortgeschrittene Verwendung mit `scopes` { #advanced-usage-with-scopes }

OAuth2 hat ein Konzept von <abbr title="Geltungsbereiche">„Scopes“</abbr>.

Sie können diese verwenden, um einem JWT-Token einen bestimmten Satz von Berechtigungen zu übergeben.

<img src="/img/tutorial/security/image10.png">

/// note | Nota

Observa el header `Authorization`, con un valor que comienza con `Bearer `.

///

## Uso avanzado con `scopes` { #advanced-usage-with-scopes }

OAuth2 tiene la noción de "scopes".

Puedes usarlos para agregar un conjunto específico de permisos a un token JWT.

    mockWebServer.start(slackApi.port);
  }

  public HttpUrl newAuthorizeUrl(String scopes, String team, Listener listener) {
    if (mockWebServer == null) throw new IllegalStateException();

    ByteString state = randomToken();
    synchronized (this) {
      listeners.put(state, listener);
    }

    return slackApi.authorizeUrl(scopes, redirectUrl(), state, team);
  }

  private ByteString randomToken() {

/// note | 笔记

注意，请求中 `Authorization` 响应头的值以 `Bearer` 开头。

///

## `scopes` 高级用法

OAuth2 支持**`scopes`**（作用域）。

**`scopes`**为 JWT 令牌添加指定权限。

让持有令牌的用户或第三方在指定限制条件下与 API 交互。

**高级用户指南**中将介绍如何使用 `scopes`，及如何把 `scopes` 集成至 **FastAPI**。

## 小结

至此，您可以使用 OAuth2 和 JWT 等标准配置安全的 **FastAPI** 应用。

几乎在所有框架中，处理安全问题很快都会变得非常复杂。