Shiro's past and present

Reposted from Liu Xin's 码农翻身 ("Code Farmer Turns Over"), 2018-03-19

1. Introduction

With the backing of the third-generation king of the Java Empire, the empire offered its subjects something called the Java Authentication and Authorization Service (JAAS), and through the efforts of the fourth-generation king JAAS made it into the JDK and became part of the standard library.

The king hoped that JAAS would unify the security field, set off a wave of adoption like JDBC's, and become an important piece of infrastructure, so he created a new post of Minister of JAAS and appointed one of his confidants to push the matter forward.

But the greater the hope, the greater the disappointment. Apart from a few wealthy and famous houses with interests at stake, who kept waving the flag, the subjects dismissed JAAS, and not many people used it.

2. Lei Xiucai

Minister IO was bored at home one day, so he took his loyal aide InputReader on a private outing to a famous tavern in the capital, where he ordered a few delicate dishes and a pot of fine wine. Before he had begun to eat, he noticed a scholar at the next table sighing.

Minister IO's curiosity stirred, and he invited the man over for a chat.

It turned out that the scholar was Lei Xiucai. He said that his hometown was so heavily taxed that people could no longer make a living. He had come to the capital to petition, but could not even get in the door.

Minister IO grew curious and hurried to ask what was going on.

Lei Xiucai said: "It's all JAAS's fault."

“JAAS?”

"It's just authentication and authorization!" Lei Xiucai was slightly disappointed to see that the other party did not know of it.

"Authentication?"

"Authentication is determining who you are; usually you verify the username and password the other party provides. Authorization is determining what you are allowed to do, for example whether you can create an account, delete users, and so on."

"Uh, thinking about it, why not just use the official JAAS? The empire's standards are pretty good, JDBC for example."

"Sir, there is something you may not know. There is certainly nothing wrong with the JDBC standard, but this JAAS, alas, is extremely cumbersome to use, and nobody wants to use it. But the JAAS minister doesn't care about that and keeps pushing JAAS like mad. If you don't use it, you get taxed heavily, and we can't survive."

"This is a bit troublesome. What do you plan to do?" Minister IO first probed the other party's intentions.

Lei Xiucai lowered his voice: "To tell the truth, our clan has built a new authentication and authorization system called JSecurity. We want to ask the lords in the capital to present it to His Majesty as a replacement for JAAS."

"Oh?!" Minister IO sat up straight. This was a big deal!

3. JSecurity

Minister IO and InputReader exchanged glances: a new opportunity had come!

He had fought before with the Minister of Threads, the Minister of XML, and the Minister of JDBC/JTA; he fought and fought and never gained the upper hand.

This time, perhaps they could seize the security field!

InputReader asked: "What are the advantages of this JSecurity?"

"Simple, flexible and easy to use! Much easier to use than JAAS!" Lei Xiucai said.

"That's too abstract. Give us something concrete."

Lei Xiucai suddenly became wary, and just drank and laughed without saying a word.

Minister IO decided to speak plainly: "To tell you the truth, I am the current Minister of IO. Don't be afraid; I can help you get this before His Majesty."

"Ah?!" Lei Xiucai's face filled with astonishment. He had not expected to run into a high official here. Clearly it had been right to visit the temple that morning to worship the Buddha.

Minister IO said, "Can we talk about your JSecurity now?"

Lei Xiucai had come prepared. He drew two sheets of paper covered in code from his sleeve and presented them to Minister IO and InputReader:

[image: JSecurity code sample]

Minister IO put on his reading glasses and studied the paper for a long time: "Why do you call this Subject here, and not User?"

"My lord, Subject is a term from the security field. It represents the so-called 'subject', which can stand for either a user or a program (a web crawler, for example). People back home also find the term a bit hard to understand; User would be easier, but since many systems already have the concept of a User, it is better to call it Subject to avoid conflicts."

InputReader asked: "What happens with your login method if the login fails?"

"That method throws an exception, which the application has to handle. We provide many Exception classes for the different situations, such as an unknown account (UnknownAccountException), an incorrect password (IncorrectCredentialsException), a locked account (LockedAccountException), too many attempts (ExcessiveAttemptsException), and so on."

Minister IO said: "But when the program shows the user an error message, it has to be vague, so that it can't be exploited by people with ulterior motives, right?"

"That's right, my lord. The error message for the user must be vague, such as: Incorrect username or password." Lei Xiucai was delighted to see that Minister IO had begun to think deeply.
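As an added example (not code from the original article), a login routine that catches the exceptions listed above, records the precise cause for operators, and returns the same vague message to the user whatever the cause. It assumes shiro-core on the classpath and uses an in-memory SimpleAccountRealm holding one constructed account.

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.*;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.SimpleAccountRealm;
import org.apache.shiro.subject.Subject;

public class LoginDemo {
    // Hypothetical helper: the exact failure goes to the audit log,
    // the caller only ever sees one generic message.
    static String login(String user, String password) {
        Subject subject = SecurityUtils.getSubject();
        try {
            subject.login(new UsernamePasswordToken(user, password));
            return "ok";
        } catch (UnknownAccountException e) {
            System.err.println("audit: unknown account '" + user + "'");
        } catch (IncorrectCredentialsException e) {
            System.err.println("audit: wrong password for '" + user + "'");
        } catch (LockedAccountException e) {
            System.err.println("audit: locked account '" + user + "'");
        } catch (ExcessiveAttemptsException e) {
            System.err.println("audit: too many attempts for '" + user + "'");
        } catch (AuthenticationException e) {
            // Catch-all for any other Shiro authentication failure.
            System.err.println("audit: login failed for '" + user + "': " + e);
        }
        return "Incorrect username or password";
    }

    public static void main(String[] args) {
        // Constructed in-memory account; a real application would use a Realm
        // backed by its own user store.
        SimpleAccountRealm realm = new SimpleAccountRealm();
        realm.addAccount("alice", "s3cret", "admin");
        SecurityUtils.setSecurityManager(new DefaultSecurityManager(realm));

        System.out.println(login("alice", "s3cret"));   // correct credentials
        System.out.println(login("alice", "wrong"));    // bad password
        System.out.println(login("nobody", "x"));       // unknown account
    }
}
```

The last two calls produce different audit lines but the identical user-facing string, which is the point the dialogue makes.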

"Here you can determine what role (Role) a user has and what permissions (Permission) he has. What is the relationship between a role and permissions?" InputReader continued.

"That's relatively simple. A role can simply be regarded as a collection of permissions. For example, the admin role might have permissions to delete, view and modify users, while the viewer role might only have permission to view users."

"What does that user:delete mean?" Minister IO's eyes lit up.

From past experience of court struggles, these details had to be clarified; otherwise others would seize on them, and one would not be able to get off the stage at court. The mistakes of the JTA Minister must not be repeated.

Lei Xiucai said: "That's a permission string rule we defined. The format is resource:operation:instance, with the parts separated by colons, for example:

    user:create:U001 means performing the create operation on instance U001 of the user resource

    user:create means performing the create operation on the user resource; it is equivalent to user:create:*

    user:*:U001 means performing all operations on instance U001 of the user resource"

Minister IO nodded: the format was defined by JSecurity, but the content of the data had to be determined by the application.
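As an added example (not from the original article), the three implication rules above checked with Shiro's WildcardPermission class, which implements this resource:operation:instance format. It assumes shiro-core on the classpath; the permission strings are the article's own plus a comma-separated one to show that each part may list several values.

```java
import org.apache.shiro.authz.permission.WildcardPermission;

public class PermissionDemo {
    // Hypothetical helper: does the permission a role holds ("held")
    // cover the permission an action requires ("required")?
    static boolean covers(String held, String required) {
        return new WildcardPermission(held).implies(new WildcardPermission(required));
    }

    static void show(String held, String required) {
        System.out.println(held + "  implies  " + required + " : " + covers(held, required));
    }

    public static void main(String[] args) {
        // user:create is shorthand for user:create:*, so it reaches any instance...
        show("user:create", "user:create:U001");
        // ...but a grant limited to one instance does not reach the unqualified one.
        show("user:create:U001", "user:create");

        // user:*:U001 covers every operation, but only on that single instance.
        show("user:*:U001", "user:delete:U001");
        show("user:*:U001", "user:delete:U002");

        // A part may list several values separated by commas.
        show("user:view,create", "user:view");

        // Different operations on the same resource are unrelated.
        show("user:view", "user:delete");
    }
}
```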

InputReader suddenly said: "Sir, do you remember An Hanlin, who proposed Java annotations? It would be great if this JSecurity supported annotations."

Lei Xiucai said, "Yes, and those annotations are very useful."

[image: JSecurity annotation example]

4. Realm

The three returned to Minister IO's residence. Before tea could be served, InputReader asked anxiously: "Your code looks very simple, but where does JSecurity actually verify these usernames, passwords, permissions and roles?"

Seeing the questions going deeper and deeper, Lei Xiucai grew happier and happier. It seemed he had really met a patron today.

"That's a very good question, my lord," said Lei Xiucai. "For each application, the place where this security-related data is stored may be different: it may be a text file, a database, or an LDAP server... The data formats differ too: some call the user 'user', some 'username'; some call the password 'password', some 'pwd'... Since our JSecurity is a framework, we had to introduce an abstraction. We call it Realm, and the name sounds a bit strange."

Lei Xiucai smiled awkwardly and went on: "This Realm is an interface, like a bridge, that connects the application-specific data with a format our JSecurity framework can understand! It converts the application's own security data into a form JSecurity understands."

[image: Realm as a bridge between application data and JSecurity]

"Does every application have to write its own JDBCRealm/LDAPRealm/IniRealm implementation class?" Minister IO voiced his dissatisfaction.

"No, no," Lei Xiucai hurried to put out the fire. "To reduce the burden on applications, our JSecurity framework already provides these default implementations; you just make a few adjustments when you use them. For example, if an application stores usernames and passwords in a database table users(id, name, pwd, ...), you only need to supply a SQL statement to the JDBCRealm, and our framework completes the authentication automatically."

Lei Xiucai produced another picture.

[image: JDBCRealm authentication flow]

InputReader looked at the picture and filled in the whole authentication process himself:

  1. The application is configured to use JDBCRealm (the database connection information must of course be provided).

  2. The application tells JSecurity how to fetch the password for a given user name from the user table. The key is the SQL:
    jdbcRealm.authenticationQuery = "SELECT pwd FROM users WHERE name = ?"

  3. The user calls subject.login, and JSecurity runs the SQL query to check whether the username and password match the values in the database.

(Note: for simplicity, the scenario of hashing the password with a salt is deliberately ignored here.)

For roles and permissions, similar SQL can be supplied so that JSecurity fetches the related data from database tables:
    jdbcRealm.userRolesQuery = "SELECT role_name FROM user_roles WHERE user_name = ?"
    jdbcRealm.permissionsQuery = "SELECT permission FROM roles_permissions WHERE role_name = ?"
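An added example, not from the original article, that wires the three queries above into Shiro's JdbcRealm from Java code rather than an ini file, then logs a user in and checks a role and a permission. It assumes shiro-core and the H2 driver on the classpath; the tables and rows are constructed for the demo, and passwords sit in plain text only because the article deliberately leaves salted hashing aside.

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.jdbc.JdbcRealm;
import org.apache.shiro.subject.Subject;
import org.h2.jdbcx.JdbcDataSource;
import java.sql.Connection;
import java.sql.Statement;

public class JdbcRealmDemo {
    public static void main(String[] args) throws Exception {
        // Assumption: an in-memory H2 database stands in for the application's tables.
        JdbcDataSource ds = new JdbcDataSource();
        ds.setURL("jdbc:h2:mem:shiro;DB_CLOSE_DELAY=-1");
        try (Connection c = ds.getConnection(); Statement s = c.createStatement()) {
            s.execute("CREATE TABLE users(name VARCHAR PRIMARY KEY, pwd VARCHAR)");
            s.execute("CREATE TABLE user_roles(user_name VARCHAR, role_name VARCHAR)");
            s.execute("CREATE TABLE roles_permissions(role_name VARCHAR, permission VARCHAR)");
            // Constructed rows; plain-text pwd only because hashing is out of scope here.
            s.execute("INSERT INTO users VALUES ('alice', 's3cret'), ('bob', 'hunter2')");
            s.execute("INSERT INTO user_roles VALUES ('alice', 'admin'), ('bob', 'viewer')");
            s.execute("INSERT INTO roles_permissions VALUES ('admin', 'user:*'), ('viewer', 'user:view')");
        }

        // The article's three queries, set on the realm directly.
        JdbcRealm realm = new JdbcRealm();
        realm.setDataSource(ds);
        realm.setAuthenticationQuery("SELECT pwd FROM users WHERE name = ?");
        realm.setUserRolesQuery("SELECT role_name FROM user_roles WHERE user_name = ?");
        realm.setPermissionsQuery("SELECT permission FROM roles_permissions WHERE role_name = ?");
        realm.setPermissionsLookupEnabled(true);   // off by default: only roles are loaded
        SecurityUtils.setSecurityManager(new DefaultSecurityManager(realm));

        // Step 3 of the flow: login runs authenticationQuery and compares the password.
        Subject bob = SecurityUtils.getSubject();
        bob.login(new UsernamePasswordToken("bob", "hunter2"));
        // Authorization runs userRolesQuery, then permissionsQuery for each role.
        System.out.println("bob has role viewer: " + bob.hasRole("viewer"));
        System.out.println("bob may view users:  " + bob.isPermitted("user:view"));
        System.out.println("bob may delete U001: " + bob.isPermitted("user:delete:U001"));
        bob.logout();
    }
}
```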

"If an application is configured with multiple Realms, what happens during authentication?" InputReader kept pressing.

Lei Xiucai secretly admired InputReader's thoroughness and said, "We defined an interface called AuthenticationStrategy that decides what to do when multiple Realms take part in authentication. We also provide several default implementations, such as FirstSuccessfulStrategy, where authentication succeeds as soon as one Realm authenticates successfully, or AllSuccessfulStrategy, where every Realm must authenticate successfully."

InputReader nodded; it seemed they had thought it through. Obviously, similar strategies could also be defined for authorization.

Lei Xiucai drew a picture showing the architecture of authentication and authorization:

[image: JSecurity authentication and authorization architecture]

5. Session management

"Well, I think you've done a great job on authentication and authorization!" Minister IO tried to wrap up.

"Sir, we also support some very attractive features, such as session management."

"Session? Isn't that what web containers like Tomcat do?" InputReader asked.

"Yes. In general, to use a Session you need a web container like Tomcat or Jetty, but with our JSecurity you don't need Tomcat or Jetty at all. Session support is built in, which means that even desktop applications can use a Session:"

Subject currentUser = SecurityUtils.getSubject();
Session session = currentUser.getSession();
session.setAttribute( "someKey", someValue);

"That's a good selling point!" InputReader winked at Minister IO.

"What other features?" Minister IO's appetite was large.

"We also provide some utilities for cryptography, and of course we have excellent support for web development."

"My lord, this subordinate thinks the design of this API is really simple, much cleaner than that JAAS," InputReader said to Minister IO.

6. Epilogue

Minister IO was overjoyed, full of spirit and righteousness, and declared loudly and forcefully: "His Majesty is a sage ruler of his generation, but he has been deceived by ministers like the one for JAAS. If this goes on, the people will not be able to live, and the Java Empire will be finished!"

Seeing that a senior official of the dynasty was willing to stand up for him, Lei Xiucai was overcome with emotion.

But InputReader pulled Minister IO aside and whispered: "My lord, this JAAS entered the JDK through the efforts of two generations of kings; it fully represents the interests of the wealthy and distinguished houses. Besides, the Minister of JAAS is a favourite at the king's side, so there is no way it will be discarded. If you go at it like this, you will surely run into a wall; you have to take a roundabout route to save the country."

"A roundabout route to save the country?"

"Your subordinate suggests first making this JSecurity open source and letting it join the famous civil organization Apache, so that the subjects use it first, while we fund it in secret. Something this useful will surely catch on. Then His Majesty will have to make concessions, and the Minister of JAAS can be expected to fall."

Minister IO nodded in approval.

The next day, Lei Xiucai was sent to Apache, where JSecurity was renamed Shiro and began to spread among the people.

Sure enough, a few years later more and more people fell in love with Shiro, and JAAS was left out in the cold. Seeing this, the king had to let the Minister of JAAS go home and retire.
