Reading the title
- Authentication and authorization with Spring Security
- The OAuth 2.0 protocol, with support for third-party (distributed) authentication
Life is short, carpe diem.
[X] Shiro
[√] Spring Security
[X] CAS Server
[√] OAuth 2.0
Judging by usage (see below), Shiro is used more: Shiro is relatively lightweight, so people want to use it, whereas Spring Security depends on Spring.
However, now that the Spring Boot scaffolding has matured, using Spring Security in a Spring environment is also very convenient
(it needs little configuration to get going), and Spring Security combines very smoothly with distributed and microservice setups, i.e. the Spring Cloud series.
Therefore, in the long run, Spring Security is the more powerful choice.
Difference between the two
- Spring Security: heavyweight, feature-rich, supported by the Spring community
- Apache Shiro: lightweight, supported by the Apache community
The core functions of Spring Security
- Authentication: user login authentication (who you are)
- Protection: defending against cross-site request attacks and session attacks (where you are)
- Authorization: granting access to resources (what you can do)
Core technology of login authentication
- Supports multiple authentication methods (QQ, WeChat, GitHub)
- Supports multiple front-end channels (phone, PC)
- Supports clustered environments, working across applications, session control, control of user permissions, and protection against authentication-related attacks
Target
Reusable, enterprise-grade authentication and authorization modules
Technical points
[Archive]: Basic concepts (the "fei hua", i.e. the preliminary filler)
Authentication methods
- Session-based authentication (monolithic application)
  Client: carries the authorization information in a cookie
  Server: stores the login information in the session
- Token-based authentication
  The storage location of the authorization information is not prescribed (e.g. cookie, localStorage)
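The two authentication methods side by side, as an added example that is not part of the original notes. It assumes Spring Security 6.x on Spring Boot (the `requestMatchers`/`securityMatcher` API), the `spring-boot-starter-oauth2-resource-server` dependency, and a `JwtDecoder` configured elsewhere (for instance through the `spring.security.oauth2.resourceserver.jwt.issuer-uri` property); the `/web/**` and `/api/**` paths are hypothetical. The first filter chain keeps login state in the server-side session and lets the browser carry only a session cookie; the second keeps no session at all and expects a bearer token on every request, so the client decides where the token lives.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;

// Added example (not the page's code): one application exposing both a
// session-based browser UI and a token-based API. Paths are hypothetical.
@Configuration
@EnableWebSecurity
public class AuthModesConfig {

    // 1) Session-based: browser pages under /web/**.
    //    The server stores the login in the HTTP session; the browser only
    //    holds the session id in a cookie. Because that cookie is attached to
    //    every request automatically, CSRF protection is left at its default (on).
    @Bean
    @Order(1)
    SecurityFilterChain sessionChain(HttpSecurity http) throws Exception {
        http
            .securityMatcher("/web/**")
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/web/login").permitAll()
                .anyRequest().authenticated())
            .formLogin(form -> form.loginPage("/web/login"))   // hypothetical login page
            .sessionManagement(session -> session
                .sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED)
                .maximumSessions(1));                            // session control: one login per user
        return http.build();
    }

    // 2) Token-based: REST endpoints under /api/**.
    //    No server session is created; each request must carry a bearer token,
    //    validated here as a JWT. Where the client keeps that token (memory,
    //    localStorage, a cookie it sets itself) is not prescribed by the server.
    @Bean
    @Order(2)
    SecurityFilterChain tokenChain(HttpSecurity http) throws Exception {
        http
            .securityMatcher("/api/**")
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .sessionManagement(session -> session
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            // No session cookie is sent automatically, so the classic CSRF
            // surface does not apply; the token in the Authorization header is the credential.
            .csrf(AbstractHttpConfigurer::disable)
            .oauth2ResourceServer(oauth2 -> oauth2.jwt(Customizer.withDefaults()));
        return http.build();
    }
}
```

The ordering matters: `securityMatcher` restricts each chain to its prefix, and the `@Order` decides which chain is tried first. If a deployment spans several instances, the session-based chain additionally needs shared session storage (or sticky routing) to work across the cluster, while the stateless chain needs nothing beyond the shared key material used to validate the token.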
Authorization data model
- Subject
- Resource
  Functional resources: menu pages, buttons
  Data resources (entity resources): product information, order information
- Permission / license
To make rights management easier, a Role (a bundle of permissions) is usually added.
Therefore, in actual development, an authorization module is usually split into the following five tables.
RBAC
- Role-based access control (Role-Based Access Control) [x]
  [When a role's permissions change, the code has to be modified; poor scalability]
- Resource-based access control (Resource-Based Access Control)
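The scalability difference between the two models, shown as an added example that is not part of the original notes. The five tables the notes mention are assumed here to be user, role, user_role, permission and role_permission, flattened into two in-memory maps with constructed sample users and roles so the code runs without a database. The role-based check hard-wires a role name into the code path; the resource-based check names only the resource and operation it needs and lets the role_permission data decide.

```java
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

// Added example (not the page's code): role-based vs resource-based checks over
// the same user/role/permission data. Table names and sample data are assumed.
public class AccessControlDemo {

    // user_role: which roles each user holds (constructed sample data)
    static final Map<String, Set<String>> USER_ROLES = Map.of(
        "alice", Set.of("ADMIN"),
        "bob",   Set.of("CLERK"));

    // role_permission: the permission strings each role carries (constructed
    // sample data). Kept mutable so an administrative change can be shown below.
    static final Map<String, Set<String>> ROLE_PERMISSIONS = new HashMap<>(Map.of(
        "ADMIN", Set.of("order:read", "order:delete", "product:read"),
        "CLERK", Set.of("order:read", "product:read")));

    // Role-based check: the role name lives in the code. If clerks should later
    // be allowed to delete orders, this method must be edited and redeployed.
    static boolean canDeleteOrderRoleBased(String user) {
        return USER_ROLES.getOrDefault(user, Set.of()).contains("ADMIN");
    }

    // Resource-based check: the code asks for "<resource>:<operation>"; which
    // roles carry that permission is answered purely from role_permission data.
    static boolean hasPermission(String user, String permission) {
        for (String role : USER_ROLES.getOrDefault(user, Set.of())) {
            if (ROLE_PERMISSIONS.getOrDefault(role, Set.of()).contains(permission)) {
                return true;
            }
        }
        return false;
    }

    static boolean canDeleteOrderResourceBased(String user) {
        return hasPermission(user, "order:delete");
    }

    // A pure data change, as an admin screen would make it: no code is touched.
    static void grantPermission(String role, String permission) {
        Set<String> updated = new HashSet<>(ROLE_PERMISSIONS.getOrDefault(role, Set.of()));
        updated.add(permission);
        ROLE_PERMISSIONS.put(role, updated);
    }

    public static void main(String[] args) {
        System.out.println("before: bob may delete (role-based)     = " + canDeleteOrderRoleBased("bob"));
        System.out.println("before: bob may delete (resource-based) = " + canDeleteOrderResourceBased("bob"));

        grantPermission("CLERK", "order:delete");

        System.out.println("after:  bob may delete (role-based)     = " + canDeleteOrderRoleBased("bob"));
        System.out.println("after:  bob may delete (resource-based) = " + canDeleteOrderResourceBased("bob"));
        // A subject with no rows in user_role is denied by both checks.
        System.out.println("mallory may read products               = " + hasPermission("mallory", "product:read"));
    }
}
```

Running `main` shows both checks denying bob at first; after the clerk role is granted `order:delete`, the resource-based check follows the data and allows him, while the role-based check keeps denying him because it only knows about the hard-coded `ADMIN` role. That gap is what the notes mean by poor scalability: every such policy change becomes a code change. An unknown subject is denied by both checks, which is the default-deny behaviour an authorization module should keep regardless of model.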
End
Any authentication is, in essence, based on distrust of the requesting party.
Protocol roles and flow
- Resource owner
- Resource server
- Authorization server
- Client / third-party application