
Working practice of spring security -- understanding of some simple concepts in spring security

2022-06-24 09:04:06 nihui123

In day-to-day development, security may not come up much, but for enterprise-level Java projects, once a web application reaches a certain stage, security has to be considered. In enterprise Java development two security frameworks are in common use: one is Spring Security, the other is Apache Shiro. Usually, by the time we start developing, one of these frameworks is already set up and developers can use it directly, but if you want to progress further, understanding the two frameworks is unavoidable. Let's take a look at some of what goes on inside Spring Security.


1. Spring Security and Apache Shiro

By comparison, Spring Security provides more functionality than Apache Shiro, for example LDAP, OAuth 2.0, ACL, Kerberos, SAML, SSO, OpenID and other security and authentication protocol features, which can be pulled in as dependencies when needed. It is more convenient and flexible for authentication/authorization, and it also provides finer-grained splitting of permissions. Developers can integrate it sensibly according to their own business scenarios. The latest Spring Security also provides security-control support for reactive applications.

Because Spring Security uses the IoC and AOP of the Spring Framework, it cannot be used apart from the Spring Framework, whereas Apache Shiro can exist independently. But almost all enterprise-level web applications are built on the Spring Framework, so Spring Security fits in naturally. Relying on the advantages of the Spring Framework, Spring Security therefore also plays a very important role in enterprise application authentication. However, once you know both frameworks, you will find that they are in fact quite similar.

2. Authentication / Authorization

Authentication and authorization are two words that are very easily confused. Whether it is Spring Security or Apache Shiro, to understand how they work you have to figure out what these two words mean. What is authentication? Authentication answers the question of who you are. What is authorization? Authorization solves the problem of what you are allowed to do. A simple example: you take the bus to the high-speed railway station, and you need both your ID card and your ticket. Here the work done by the ID card is authentication, and the work done by the ticket is authorization. Authentication alone, without authorization, makes no sense; and without authentication, authorization alone cannot grant the corresponding permissions to a real user. So in a real development scenario the two must exist together.

3. Filters

In Spring MVC there is the concept of the Servlet, and for Servlet-based web applications the best place to apply security control is the Servlet Filter. Using the chain-of-responsibility design pattern, filters are added one after another to form a filter chain; through a series of filtering strategies, requests meeting different conditions are handled by different filters. By combining Filters effectively we can meet our business needs.
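As an added example (not code from the original post or from the Spring project), the following shows a Servlet Filter inserted into the Spring Security filter chain. It assumes Spring Boot 3 / Spring Security 6 (the jakarta.servlet namespace); the class name, the 1 MiB limit and the placement before the username/password filter are illustrative choices. Each link in the chain either passes the request on with chain.doFilter or handles it itself and stops the chain:

```java
// Added example, not part of the original post. Assumes Spring Security 6.
import java.io.IOException;

import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.web.filter.OncePerRequestFilter;

/** Rejects oversized request bodies before any authentication work is done. */
public class BodySizeLimitFilter extends OncePerRequestFilter {

    private static final long MAX_BODY_BYTES = 1024L * 1024L; // illustrative 1 MiB cap

    @Override
    protected void doFilterInternal(HttpServletRequest request,
                                    HttpServletResponse response,
                                    FilterChain chain)
            throws ServletException, IOException {
        // -1 means the client did not declare a Content-Length (e.g. chunked).
        long declared = request.getContentLengthLong();
        if (declared > MAX_BODY_BYTES) {
            // Short-circuit: this link handles the request itself and never
            // calls chain.doFilter, so later filters and the controller are
            // not reached.
            response.sendError(HttpServletResponse.SC_REQUEST_ENTITY_TOO_LARGE,
                    "Request body too large");
            return;
        }
        // Otherwise hand the request to the next filter in the chain.
        chain.doFilter(request, response);
    }
}

@Configuration
class FilterChainConfig {

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            // Place our filter ahead of the built-in username/password filter so
            // it runs before any credentials are processed.
            .addFilterBefore(new BodySizeLimitFilter(),
                             UsernamePasswordAuthenticationFilter.class)
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated());
        return http.build();
    }
}
```

Note that this check only sees a declared Content-Length; a chunked request without one reports -1 and passes through, so a body-size limit at the servlet container or reverse proxy is still needed as the real backstop. The point of the example is the chain mechanics: the order given by addFilterBefore decides which filter gets the request first, and returning without calling chain.doFilter is how a filter ends the chain.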

4. The RBAC model

RBAC stands for role-based access control. In RBAC, permissions are associated with roles; users obtain the permissions of roles by being assigned to those roles, which greatly simplifies permission management. This kind of management relies on dependencies between levels: permissions are assigned to roles, and roles are assigned to users. The design is clear and easy to manage. When a user holds a role, they inherit all the capabilities of that role and can then act accordingly.
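The following is an added example (not code from the original post or from the Spring project) that puts section 2 and this section together: HTTP Basic and form login perform authentication (the "ID card"), while the URL rules and roles perform RBAC-style authorization (the "ticket"). It assumes Spring Boot 3 / Spring Security 6; the users, passwords, paths and roles are constructed for the demonstration.

```java
// Added example, not part of the original post. Assumes Spring Security 6.
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class RbacSecurityConfig {

    /** Authorization: which role may reach which URL (permissions sit on roles). */
    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/public/**").permitAll()
                .requestMatchers("/admin/**").hasRole("ADMIN")
                // Roles do not inherit from each other unless a RoleHierarchy is
                // configured, so list every role that may use this area.
                .requestMatchers("/orders/**").hasAnyRole("USER", "ADMIN")
                .anyRequest().authenticated())
            // Authentication: how the caller proves who they are.
            .httpBasic(Customizer.withDefaults())
            .formLogin(Customizer.withDefaults());
        return http.build();
    }

    /** Users are linked to roles; the roles, not the users, carry the permissions. */
    @Bean
    UserDetailsService userDetailsService(PasswordEncoder encoder) {
        UserDetails alice = User.withUsername("alice")
                .password(encoder.encode("alice-demo-pass")) // constructed demo credential
                .roles("USER")
                .build();
        UserDetails bob = User.withUsername("bob")
                .password(encoder.encode("bob-demo-pass"))   // constructed demo credential
                .roles("ADMIN")
                .build();
        return new InMemoryUserDetailsManager(alice, bob);
    }

    /** Store only password hashes; the delegating encoder defaults to bcrypt. */
    @Bean
    PasswordEncoder passwordEncoder() {
        return PasswordEncoderFactories.createDelegatingPasswordEncoder();
    }
}
```

roles("ADMIN") stores the authority ROLE_ADMIN and hasRole("ADMIN") checks for that same prefixed value. The two failure modes map onto the two concepts: an anonymous request to /orders fails authentication and gets 401, while alice, who is authenticated but only holds USER, fails authorization on /admin and gets 403. Granting bob access to orders is done by assigning a role, not by editing per-user rules, which is the simplification RBAC is meant to provide.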

5. Other concepts

In actual development we will run into other things as well, such as security policies, attack defense, reverse proxies, gateways, bastion hosts and so on. You also need some understanding of CSRF (cross-site request forgery) and XSS (cross-site scripting), as well as OAuth 2.0 and the like.

Copyright notice
Author: nihui123. Please include the original link when reprinting, thank you.