01. Learn the basic concepts of Spring Security

Preface

Web applications must have security controls to be fit for production. The two major open source frameworks most often mentioned in the Java web field are Spring Security and Apache Shiro, so learning them is a necessary step for Java developers who want to improve their skills. Starting today, I will study Spring Security over a continuous period. If you want to follow along, you can follow the official account Felordcn or visit https://felord.cn to get the relevant material in a timely manner.

Spring Security and Apache Shiro

Compared with Apache Shiro, Spring Security provides more authentication and authorization protocols, such as LDAP, OAuth 2.0, ACL, Kerberos, SAML, SSO and OpenID, which can be pulled in on demand. It is also more flexible and finer-grained for authentication and authorization, so you can carry out more sensible customized development based on your own business scenarios. The latest Spring Security 5.x also provides security control support for reactive applications. In terms of language, it supports development in Kotlin and Groovy.

Spring Security cannot exist independently of Spring, because it relies on the Spring IoC and AOP features, whereas Apache Shiro can be used on its own. But Spring can be called the de facto J2EE specification of the Java web field; a Java technology stack rarely works without Spring. Because of its rich feature set, Spring Security is also considered very heavy, but that is a misconception; after careful study you will find that this is not actually the case. Both are very good security frameworks, and the technical choice should be made according to actual needs. Whichever of the two you want to learn, you must first be familiar with some relatively specialised concepts.

Authentication/Authorization

The two terms authentication and authorization are particularly easy to confuse, aren't they? Whether you choose Apache Shiro or Spring Security, you need to be clear about both. Put simply, authentication is proving who you are. For example, you enter your account and password to prove that you are the user with the user name Felordcn. Authorization is then establishing what you can do, based on credentials such as the roles bound to the authenticated user. Here is a real-life example. During the National Day holiday, everyone who travels far has to take public transport, and the real-name system is now required for taking the bus, which means you need two things to board: an ID card and a ticket. The ID card proves that you really are you; that is authentication. The ticket proves that you, Zhang San, have indeed bought a ticket and may get on the bus; that is authorization. The example also shows the other side of the relationship: authentication without authorization is meaningless, and without authentication, authorization cannot be granted to a genuinely trusted user. The two go together.

Filter chain

For servlet web applications, there is no more universal security control than the Servlet Filter. A chain of filters forms a series of filtering strategies: requests that meet different conditions enter different filters for their respective processing logic. We can arrange and combine these Filters to meet our actual business needs.

RBAC model

RBAC is the abbreviation of Role-Based Access Control. In RBAC, permissions are associated with roles, and users gain permissions by becoming members of the appropriate roles. This greatly simplifies permission management, because the hierarchy is layered: permissions are given to roles, and roles are given to users. Such a permission design is very clear and very convenient to manage. When you hold a role, you naturally inherit all the capabilities of that role, and a restriction on what you may do need not be applied to you directly, only to the roles you hold. For example, if you are both a Java programmer and a front-end programmer in the company, then you have to be not only an SQL boy but also a page boy. If one day the manager says that the front-end is responsible for testing, well, you take on the testing task as well.
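To tie the three concepts above together (authentication as "who you are", role-based authorization as "what you can do", and the servlet filter chain that enforces both), here is an added Spring Security configuration that is not from the original post. It assumes the Spring Security 5.7-style `SecurityFilterChain` bean configuration and uses constructed in-memory users with made-up names and passwords.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class SecurityConfig {

    // The filter chain: every request passes through Spring Security's servlet
    // filters, which first authenticate the caller and then apply the rules below.
    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            // Authorization ("what you can do"): rules hang off roles (RBAC).
            // antMatchers is the 5.x API; Spring Security 6 renames it requestMatchers.
            .authorizeHttpRequests(auth -> auth
                .antMatchers("/admin/**").hasRole("ADMIN")           // ROLE_ADMIN only
                .antMatchers("/api/**").hasAnyRole("USER", "ADMIN")   // any signed-in role
                .antMatchers("/public/**").permitAll()                // no login required
                .anyRequest().authenticated())                        // everything else: log in
            // Authentication ("who you are"): form login and HTTP Basic.
            .formLogin(Customizer.withDefaults())
            .httpBasic(Customizer.withDefaults())
            // CSRF protection is on by default; stated explicitly for clarity.
            .csrf(Customizer.withDefaults());
        return http.build();
    }

    // Constructed demo users (hypothetical names); a real system would load them
    // from a database or LDAP. roles("ADMIN") stores the authority ROLE_ADMIN.
    @Bean
    UserDetailsService users(PasswordEncoder encoder) {
        UserDetails user = User.builder().username("felordcn")
            .password(encoder.encode("change-me")).roles("USER").build();
        UserDetails admin = User.builder().username("admin")
            .password(encoder.encode("change-me-too")).roles("USER", "ADMIN").build();
        return new InMemoryUserDetailsManager(user, admin);
    }

    // Passwords are stored hashed; the delegating encoder uses bcrypt by default.
    @Bean
    PasswordEncoder passwordEncoder() {
        return PasswordEncoderFactories.createDelegatingPasswordEncoder();
    }
}
```

With this in place, an unauthenticated request to /api/** is redirected to the login page, and a logged-in USER requesting /admin/** receives 403 Forbidden even though authentication succeeded, which is exactly the ID-card-versus-ticket distinction above.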

Some other concepts

There are also some other common security strategies and attack methods to know. Some operations knowledge such as reverse proxies, gateways and bastion hosts is useful, and CSRF (cross-site request forgery) and XSS (cross-site scripting) attacks need to be understood. It is also best to study some of the protocols mentioned above, such as OAuth 2.0. Of course, none of these are strictly required.

Source: blog.csdn.net/qq_43409973/article/details/132277303