Spring Security + OAuth2 + Spring Boot: dynamically defining permissions

OAuth2 introduction: OAuth2 defines a secure, open and simple standard for authorizing access to user resources. A third party can obtain the user's authorization without ever learning the user's account and password, which is what makes it safe.

To put it simply: logging in to a website requires an account and password for that site, but you don't have one and don't want to register. If you already have an account at a third-party site (QQ, GitHub, Weibo, Facebook), can you use it to log in to the current website and access its resources? Is there such an implementation?

The answer is yes, and of course there is a unified specification for it: OAuth2.

OAuth2 defines four authorization modes (see Ruanyifeng's article: http://www.ruanyifeng.com/blog/2014/05/oauth_2_0.html)

(1) Authorization code mode

When the user logs in to the website and chooses QQ, Facebook or Weibo login, the website redirects him to the login page of QQ, Facebook or Weibo (that is, the authentication server). He enters his account and password there, and when authorization succeeds the authentication server issues a unique authorization code (auth code). The client then takes the auth code together with the redirect URL used earlier and requests a token from the authentication server (QQ, Facebook), which verifies the authorization code and redirect URL submitted in the request and, if they are correct, returns a token and a refresh token.

(2) Password mode

The user provides his account and password to the client. The client uses these credentials to request a token from the service provider's authentication server; once authentication passes, the server returns the token, and the user can then access the website's resources with that token.

(3) Implicit mode (simplified mode)

The browser asks the authentication server for the token directly, without going through the third-party application's server, so the authorization code step is skipped.

(4) Client mode

The client authenticates to the "service provider" in its own name rather than on behalf of a user. Strictly speaking, client mode is not part of the problem the OAuth framework is designed to solve: the user registers directly with the client, and the client asks the "service provider" for services in its own name, so there is in fact no authorization problem.

Introduction to Spring Security:

Spring Security is a framework that provides authentication and authorization for Java applications. Internally it uses servlet filters to intercept requests to URLs and perform security processing before the application handles the request. Spring Security provides several filters that intercept servlet requests and hand them to the authentication manager and the access decision manager, which strengthens security; depending on your needs, you can use the appropriate filters to protect your application.

Spring Security and OAuth2 custom permission control
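The filter-and-decision-manager design described above is what makes dynamic permissions possible: the URL-to-role table lives in a `FilterInvocationSecurityMetadataSource`, the check lives in an `AccessDecisionManager`, and the `FilterSecurityInterceptor` consults both on every request. The following is an added example written for this page (not code from the original article), using the Spring Security 5.x interfaces; the class names, the two URL patterns, the `ROLE_DENY_ALL` marker and the in-memory map standing in for a database table are all constructed assumptions, and Java 11 or later is assumed.

```java
import java.util.*;
import org.springframework.security.access.*;
import org.springframework.security.authentication.InsufficientAuthenticationException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.web.FilterInvocation;
import org.springframework.security.web.access.intercept.FilterInvocationSecurityMetadataSource;
import org.springframework.util.AntPathMatcher;

// Looks up the roles required for each request URL. A real application loads
// this table from a database so permissions change without a redeploy; the
// two entries here are constructed sample data (assumption).
class DynamicSecurityMetadataSource implements FilterInvocationSecurityMetadataSource {
    private final Map<String, List<String>> urlRoles = Map.of(
            "/admin/**", List.of("ROLE_ADMIN"),
            "/user/**", List.of("ROLE_USER", "ROLE_ADMIN"));
    private final AntPathMatcher matcher = new AntPathMatcher();

    @Override public Collection<ConfigAttribute> getAttributes(Object object) {
        String url = ((FilterInvocation) object).getRequestUrl();
        for (Map.Entry<String, List<String>> e : urlRoles.entrySet()) {
            if (matcher.match(e.getKey(), url)) {
                return SecurityConfig.createList(e.getValue().toArray(new String[0]));
            }
        }
        // Returning null here would make the interceptor skip authorization for
        // unmapped URLs, so unknown URLs get a role nobody holds: deny by default.
        return SecurityConfig.createList("ROLE_DENY_ALL");
    }
    @Override public Collection<ConfigAttribute> getAllConfigAttributes() { return null; }
    @Override public boolean supports(Class<?> clazz) { return FilterInvocation.class.isAssignableFrom(clazz); }
}

// Grants the request when the user holds at least one of the required roles.
class DynamicAccessDecisionManager implements AccessDecisionManager {
    @Override public void decide(Authentication auth, Object object, Collection<ConfigAttribute> attrs) {
        if (auth == null || !auth.isAuthenticated()) {
            throw new InsufficientAuthenticationException("login required");
        }
        for (ConfigAttribute attr : attrs) {
            for (GrantedAuthority ga : auth.getAuthorities()) {
                if (ga.getAuthority().equals(attr.getAttribute())) return; // one matching role is enough
            }
        }
        throw new AccessDeniedException("no permission for this URL");
    }
    @Override public boolean supports(ConfigAttribute attribute) { return true; }
    @Override public boolean supports(Class<?> clazz) { return FilterInvocation.class.isAssignableFrom(clazz); }
}
```

Register both on the `FilterSecurityInterceptor` through `http.authorizeRequests().withObjectPostProcessor(...)` (calling `setSecurityMetadataSource` and `setAccessDecisionManager`) so they replace the defaults. Spring Security 6 replaces these interfaces with `AuthorizationManager`.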

 
