Spring Security OAuth2.0 authentication system: authentication and authorization

1. Basic concepts

1.1 What is authentication

In the era of the mobile Internet everyone is on their phone every day, using apps such as WeChat, Alipay and Toutiao. The following uses WeChat as an example to illustrate the basic concepts of authentication. Before using WeChat for the first time you must register as a WeChat user; after that you enter your account and password to log in to WeChat. This process of entering an account and password to log in is authentication.

Why does a system need authentication?

Authentication protects the system's private data and resources: only a user whose identity has been verified can access the system's resources.

Authentication: user authentication is the process of judging whether a user's identity is legitimate. When a user accesses system resources, the system requires the user's identity information to be verified; a legitimate identity may continue to access the system, while illegitimate access is denied. Common user authentication methods include username and password, QR code login, mobile phone SMS login, fingerprint authentication and so on.

1.2 What is a session

After the user is authenticated, the user's information can be kept in a session so that the user does not have to authenticate on every request. A session is a mechanism the system provides to maintain the current user's login state. Common approaches are session-based and token-based.

The session-based authentication method is as follows:

The interaction is as follows: after the user authenticates successfully, the server generates user-related data and saves it in the Session (the current session); the session id is sent to the client and stored in a cookie. On later requests the client sends the session_id, and the server checks whether session data exists for it to confirm that the user is legitimate. When the user logs out, or the session expires and is destroyed, the client's session_id becomes invalid.

The token-based method is shown below:

The interaction is as follows: after the user authenticates successfully, the server generates a token and sends it to the client. The client stores it, for example in a cookie or in localStorage (in the browser), and attaches the token to every request. When the server receives the token it can confirm the user's identity. With token-based authentication the server does not have to keep any record of the session.
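The two mechanisms side by side, as an added example that is not part of the original post: the session-based variant keeps user data on the server and hands the client only a session_id, while the token-based variant signs the user data with a server secret so nothing is recorded on the server. The key, the token layout and the sample users are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

SERVER_KEY = b"constructed-demo-signing-key"   # assumption: the server's secret key
SESSION_STORE = {}                              # server-side session data, keyed by session_id


# --- Session-based: state lives on the server, the cookie only carries the id ---
def login_session(user):
    session_id = secrets.token_hex(16)
    SESSION_STORE[session_id] = {"user": user, "created": time.time()}
    return session_id                           # sent to the client in a cookie


def verify_session(session_id):
    data = SESSION_STORE.get(session_id)        # no server record -> not logged in
    return data["user"] if data else None


def logout_session(session_id):
    SESSION_STORE.pop(session_id, None)         # the client's session_id is now invalid


# --- Token-based: the server keeps no record; the token proves itself via an HMAC ---
def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def login_token(user, ttl=3600, now=None):
    claims = {"user": user, "exp": (now or time.time()) + ttl}
    payload = _b64(json.dumps(claims).encode())
    sig = _b64(hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).digest())
    return f"{payload}.{sig}"   # kept by the client (cookie/localStorage), sent on each request


def verify_token(token, now=None):
    try:
        payload, sig = token.split(".")
    except ValueError:
        return None                             # malformed token
    expected = _b64(hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):  # tampered or forged
        return None
    claims = json.loads(_unb64(payload))
    if claims["exp"] < (now or time.time()):    # expired
        return None
    return claims["user"]
```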

1.2 What is authorization

Take WeChat as an example. After logging in to WeChat successfully, users can use WeChat functions such as sending red envelopes, posting to Moments (the circle of friends) and adding friends. A user who has not linked a bank card cannot send red envelopes, while a user who has can. Functions such as sending red envelopes and posting to Moments are WeChat's functional resources. A user can only send red envelopes when they have the permission to send red envelopes, and can only post to Moments when they have that permission. This process of controlling which resources a user may use according to the user's permissions is authorization.

Why is authorization needed?

Authentication ensures that the user is legitimate; authorization partitions private data at a finer granularity. Authorization happens after authentication succeeds, and different users may access different resources.

Authorization: authorization is the process, after user authentication, of controlling the user's access to resources according to the user's permissions. A user who has the permission for a resource can access it normally; a user without the permission is denied access.

1.3 Authorized data model

To perform authorization, that is, to control user access to resources, we first need to learn the data model related to authorization.

Authorization can be simply understood as who may do what to which resource, and how. It includes the following:

who: the Subject. The subject is generally a user, but can also be a program; it needs to access resources in the system.

what: the Resource, such as a system menu, page, button, code method, or the system's product information, order information and so on. System menus, pages, buttons and code methods are all functional resources of the system; each function of a web page usually corresponds to a URL. Product information and order information are entity resources (data resources). An entity resource consists of a resource type and resource instances; for example, product information is a resource type, and the product with product number 0001 is a resource instance.

how: the Permission. A permission specifies what operation the user may perform on a resource; a permission is meaningless without a resource. Examples are user query permission, user add permission, the permission to call a certain code method, or the permission to modify user number 001. Through permissions we can know which operations a user may perform on which resources.

The relationship between subject, resource and authority is as follows:

The data models related to subjects, resources, and permissions are as follows:

Subject (user id, account number, password, ...)

Resources (resource id, resource name, access address, ...)

Authority (authority id, authority identifier, authority name, resource id, ...)

Role (role id, role name, ...)

Role and permission relationship (role id, permission id, ...)

Subject (user) and role relationship (user id, role id)

The relationship between the subject (user), resources and permissions is shown below.

In enterprise development the resource and permission tables are usually merged into a single permission table, as follows:

Resource (resource id, resource name, access address, ...)

Authority (authority id, authority identifier, authority name, resource id, ...)

Merged into:

Authority (authority id, authority identifier, authority name, resource name, resource access address, ...)

The relationships in the modified data model are shown below.

1.4 RBAC

How is authorization implemented? In the industry, authorization is usually implemented based on RBAC.

1.4.1 Role-based access control

RBAC, role-based access control, authorizes by role. For example, if the subject's role is general manager, the subject can query the business operation report, query employee salary information, and so on. The access control process is as follows:

According to the judgment logic in the figure above, the authorization code can be expressed as follows:

// Role-based check: the subject (主体, the current user) must hold the general manager role
if (subject.hasRole("总经理角色id")) {   // "general manager role id"
    查询工资();   // query salary
}

If the roles required to query salary in the figure above are the general manager and the department manager, the judgment logic must be changed to "determine whether the user's role is general manager or department manager", and the modified code is as follows:

// Either role may query salary, so the check itself has to be rewritten
if (subject.hasRole("总经理角色id") || subject.hasRole("部门经理")) {   // general manager or department manager
    查询工资();   // query salary
}

The example above shows that whenever role permissions need to change, the authorization code has to be modified, so the system scales poorly.

1.4.2 Resource-based access control

RBAC can also mean resource-based access control, which authorizes according to resources (or permissions): for example, a user must have the salary query permission to query employee salary information. The access control process is as follows:

According to the judgment in the figure above, the authorization code can be expressed as:

// Resource-based check: the subject must hold the salary-query permission identifier;
// which roles currently grant that permission is data, not code
if (subject.hasPermission("查询工资")) {   // "query salary" permission identifier
    查询工资();   // query salary
}

Advantage: the system defines a permission identifier for querying salary, so when the roles that may query salary change (for example, to the general manager and the department manager) the authorization code does not need to be modified, and the system scales well.
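The data model of section 1.3 and the two checks of section 1.4 in one runnable form, as an added example that is not part of the original post: the merged permission table, the role/permission and user/role relations, a hasRole check hard-coded to roles, and a hasPermission check keyed only by the permission identifier, so that granting the department manager the salary-query permission is a data change that the resource-based check picks up while the role-based check still needs its code edited. Table contents, ids and URLs are constructed sample data.

```python
# Merged permission table (permission id -> identifier, name, resource name, access address)
PERMISSIONS = {
    "p1": {"identifier": "salary:query", "name": "query salary", "resource": "salary", "url": "/salary/query"},
    "p2": {"identifier": "report:query", "name": "query business report", "resource": "report", "url": "/report/query"},
}
# Role/permission relation table: role id -> permission ids
ROLE_PERMISSIONS = {
    "r_gm": {"p1", "p2"},   # general manager
    "r_dept": set(),        # department manager: initially may not query salary
}
# User/role relation table: user id -> role ids
USER_ROLES = {"u1": {"r_gm"}, "u2": {"r_dept"}}


class Subject:
    """The 'who': a user (or program) that wants to access system resources."""

    def __init__(self, user_id):
        self.user_id = user_id

    def has_role(self, role_id):
        return role_id in USER_ROLES.get(self.user_id, set())

    def has_permission(self, identifier):
        # Walk user -> roles -> permissions and match the permission identifier
        for role in USER_ROLES.get(self.user_id, set()):
            for pid in ROLE_PERMISSIONS.get(role, set()):
                if PERMISSIONS[pid]["identifier"] == identifier:
                    return True
        return False

    def can_access(self, url):
        # Functional resource: each URL is protected by the permission whose access address it is
        return any(self.has_permission(p["identifier"]) for p in PERMISSIONS.values() if p["url"] == url)


def grant(role_id, permission_id):
    """Policy change expressed as data: add a row to the role/permission relation."""
    ROLE_PERMISSIONS.setdefault(role_id, set()).add(permission_id)


# 1.4.1 role-based: the allowed roles are written into the check itself
def may_query_salary_role_based(subject):
    return subject.has_role("r_gm")


# 1.4.2 resource-based: the check names only the permission identifier
def may_query_salary_resource_based(subject):
    return subject.has_permission("salary:query")
```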


Origin blog.csdn.net/wangjunji34478/article/details/105625278