foreword
I have been talking about opening a Spring Security column before, and today I took the time to sort it out and prepare to start updating.
You are also welcome to subscribe to this column!
What is Spring Security?
Spring is a very successful Java application framework and is currently a very mainstream development framework. Spring Security is just a member of our Spring family. It is based on the Spring framework and provides us with a complete set of solutions for web application security
Generally speaking, the security of web applications includes two parts: user authentication (Authentication) and user authorization (Authorization), which are the two core functions of Spring Security we explained today.
1. User authentication: refers to verifying whether a user is a legitimate user in our system, that is, whether the user can access Heartache. The prerequisite for authentication is that the user provides a user name and password. Through our system to complete the verification of the user name and password provided, whether it passes. That is, the verification in the system login function that we often say.
2. User authorization: refers to whether the user has the right to access and operate. In our system, different users often have different permissions. For example, for the operation of the menu, some users can read it, and some users can add it. This different permission is what we call authorization. Usually, the system assigns corresponding roles to users, and then empowers users through the permissions of the roles. That is, in our system to determine whether the user has permission to access or the operating system.
History of Spring Security
Spring Security started at the end of 2003, "spring's acegi security system". The origin was a question on the Spring developer mailing list, someone asked whether to consider providing a spring-based security implementation.
At that time, the Spring community was relatively small (compared to today's scale!), in fact, Spring itself appeared as a sourceforge project in early 2003. The response to this question is that this is indeed an area worthy of research, although time constraints prevent further research on it. With this in mind, a simple security implementation was built but not released. After a few weeks, other members of the spring community asked security questions and the code was provided to them.
Requests followed, and around January 2004, 200,000 people were using the codes. Others joined these pioneers and suggested a project on sourceforge, which was officially established in March 2004.
In the early days, the project itself did not have its own authentication module. The authentication process relies on container management security, while acegi focuses on authorization. This was fine at first, but as more and more users asked for additional container support, the limitations of container-based authentication became apparent.
There is also a related issue of adding new jars to the container's classpath, which is often confusing to the end user and prone to configuration errors. Then acegi joined the authentication service. About a year later, acegi became an official subproject of spring. After two and a half years of active use in many production software projects and tens of thousands of improvements and community contributions, the final 1.0.0 release was released in May 2006. At the end of 2007, acegi officially became a spring portfolio project and was renamed "Spring Security".
Comparison of similar products
Let's explain Shiro and Spring Security from their respective characteristics
| SpringSecurity | Shiro |
|---|---|
| 1. The support of Spring technology stack 2. Perfect seamless integration with Spring Older versions cannot be used without the web environment The new version extracts the overall framework hierarchically, forming a core module and a web module. The introduction of the core module can completely separate from the web environment and be used independently 5 Heavyweight Frames |
1. Lightweight permission control framework under Apache 2. The concept is to simplify complex things, and the Internet applications with higher performance requirements are more friendly 3. Good versatility Not limited to the Web environment, can be used without the Web Some specific requirements in the Web environment require the development of our custom code |
Summarize
Spring Security is a security management framework in the Spring family. In fact, Spring Security has been developed for many years before Spring Boot appeared, but it is not used much. The field of security management framework has always been dominated by Shiro.
Compared with Shiro, it is more complicated to integrate Spring Security in SSM. Therefore, although Spring Security is more powerful than Shiro, it is not used as much as Shiro (Although Shiro does not have as many functions as Spring Security, for most projects, Shiro is also sufficient).
Since the emergence of Spring Boot, Spring Boot has provided an automatic configuration solution for Spring Security, which can use our Spring Security framework with less configuration.
Therefore, at present, the combination of common security management technology stacks is as follows:
• SSM + Shiro
• Spring Boot/Spring Cloud + Spring Security
The above is just a recommended combination. From a purely technical point of view, no matter how the combination is, it can be run.
Module division
Pre-knowledge
1. Master the Spring framework
2. Master the basic use of SpringBoot
3. Master JavaWeb related technologies (such as filters)
Well, the basic understanding of Spring Security is here first.
Welcome everyone to click on the card below to pay attention to "coder trainees"