Java basics: Spring Security

1. Introduction

Spring Security is the security management framework of the Spring family. Compared with Shiro, the other common security framework, it offers richer functionality and a larger body of community resources.
Generally speaking, medium and large projects use Spring Security as their security framework, while Shiro is mostly used in small projects because it is easier to get started with.
In general, a web application needs both authentication and authorization.
Authentication: verify that the user accessing the system is a user of this system, and determine which user it is.
Authorization: after authentication, determine whether the current user has the right to perform a given operation.
Authentication and authorization are also the two core functions of Spring Security as a security framework.

2. Introducing Spring Security

<!-- Spring Security authentication -->
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
</dependency>

After adding the dependency, any attempt to access the endpoints we had before is automatically redirected to Spring Security's default login page. The default username is user, and the generated password is printed on the console at startup.
You must log in before any endpoint can be accessed.

3. Authentication

1. Login verification process

(1) The front end sends the username and password to the login endpoint.
(2) The server checks the username and password against the database.
(3) If they are correct, a JWT is generated from the user id.
(4) The JWT is returned to the front end.
(5) After logging in, the front end must carry the token in the request header when it accesses any other request.
(6) The server reads the token from the request header, parses it and obtains the userId.
(7) The server loads the user's information by that userId; if the user has the required permission, access to the resource is allowed.
(8) The target resource is accessed.
(9) The response is returned to the front end.
Looking up the user and that user's permission information by username is the job of a UserDetailsService. The default implementation, InMemoryUserDetailsManager (which can be replaced), looks the user up in memory and encapsulates the result, permissions included, in a UserDetails object.
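The JWT part of this flow, steps (1) to (7), as an added worked example that is not code from the original article or from any project it refers to. It assumes Spring Boot 2.x with spring-boot-starter-security and the jjwt 0.11.x library (io.jsonwebtoken:jjwt-api, jjwt-impl and jjwt-jackson); JwtUtil, LoginUser, LoginUserStore, LoginService and JwtAuthenticationTokenFilter are names chosen here, and LoginUserStore stands in for whatever cache or table the project uses to find a logged-in user by id.

```java
// Added example, not code from the original article: the JWT login flow of steps (1)-(7).
// Assumes Spring Boot 2.x (spring-boot-starter-security) and jjwt 0.11.x
// (io.jsonwebtoken:jjwt-api, jjwt-impl, jjwt-jackson). All class names below are
// hypothetical; in a project each class goes in its own file.
import java.io.IOException;
import java.util.Collection;
import java.util.Date;
import javax.crypto.SecretKey;
import javax.servlet.*;
import javax.servlet.http.*;
import io.jsonwebtoken.*;
import io.jsonwebtoken.security.Keys;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.*;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.User;
import org.springframework.stereotype.*;
import org.springframework.web.filter.OncePerRequestFilter;

// UserDetails that also carries the database id, so the JWT can name the user by id.
class LoginUser extends User {
    private final long id;
    LoginUser(long id, String username, String password, Collection<? extends GrantedAuthority> authorities) {
        super(username, password, authorities);
        this.id = id;
    }
    long getId() { return id; }
}

// Hypothetical lookup of a logged-in user by id (a cache or the user table); null when unknown.
interface LoginUserStore {
    LoginUser findById(long id);
}

final class JwtUtil {
    // HS256 needs a key of at least 256 bits. It is generated per process here only for
    // the example; a real service loads it from configuration so tokens survive restarts.
    private static final SecretKey KEY = Keys.secretKeyFor(SignatureAlgorithm.HS256);
    private static final long TTL_MILLIS = 60 * 60 * 1000L;   // one hour

    // Step (3): the user id becomes the token subject; the expiry bounds the token's lifetime.
    static String createToken(long userId) {
        Date now = new Date();
        return Jwts.builder()
                .setSubject(Long.toString(userId))
                .setIssuedAt(now)
                .setExpiration(new Date(now.getTime() + TTL_MILLIS))
                .signWith(KEY)
                .compact();
    }

    // Step (6): verify signature and expiry, then read the id back.
    // Throws a JwtException subclass for a tampered, malformed or expired token.
    static long parseUserId(String token) {
        return Long.parseLong(Jwts.parserBuilder().setSigningKey(KEY).build()
                .parseClaimsJws(token).getBody().getSubject());
    }
}

@Service
class LoginService {
    private final AuthenticationManager authenticationManager;
    LoginService(AuthenticationManager authenticationManager) { this.authenticationManager = authenticationManager; }

    // Steps (1)-(4): hand the credentials to the ProviderManager; on success the principal
    // is the LoginUser that loadUserByUsername returned. Failure throws AuthenticationException.
    String login(String username, String password) {
        Authentication result = authenticationManager.authenticate(
                new UsernamePasswordAuthenticationToken(username, password));
        LoginUser user = (LoginUser) result.getPrincipal();
        return JwtUtil.createToken(user.getId());
    }
}

@Component
class JwtAuthenticationTokenFilter extends OncePerRequestFilter {
    private final LoginUserStore store;
    JwtAuthenticationTokenFilter(LoginUserStore store) { this.store = store; }

    // Steps (5)-(7): runs on every request, before UsernamePasswordAuthenticationFilter.
    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                    FilterChain chain) throws ServletException, IOException {
        String header = request.getHeader("Authorization");
        if (header == null || !header.startsWith("Bearer ")) {
            chain.doFilter(request, response);   // no token: stay anonymous, later filters decide
            return;
        }
        LoginUser user;
        try {
            user = store.findById(JwtUtil.parseUserId(header.substring("Bearer ".length())));
        } catch (JwtException | NumberFormatException e) {
            user = null;                         // invalid, tampered or expired token
        }
        if (user == null) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // Authorities come from the stored user, not from the token, so a revoked
        // permission takes effect without waiting for the token to expire.
        SecurityContextHolder.getContext().setAuthentication(
                new UsernamePasswordAuthenticationToken(user, null, user.getAuthorities()));
        chain.doFilter(request, response);
    }
}
```

The filter has to be placed in the chain with http.addFilterBefore(jwtAuthenticationTokenFilter, UsernamePasswordAuthenticationFilter.class) in the security configuration, and the login endpoint itself must be reachable without a token; the UserDetailsService that produces the LoginUser in step (5) is the one described in the authentication process below.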

2. The complete Spring Security process
Spring Security is essentially a filter chain, made up of filters that each provide one function. Its core filters are:
(1) UsernamePasswordAuthenticationFilter: processes the login request submitted from the login page with a username and password; it handles authentication in the basic form-login case.
(2) ExceptionTranslationFilter: handles any AccessDeniedException and AuthenticationException thrown in the filter chain.
(3) FilterSecurityInterceptor: the filter responsible for permission checks.

3. Authentication process

(1) The user submits the username and password on the login page.
(2) They are encapsulated in an Authentication object; at this point it holds at most the username and password, with no authorities yet.
(3) The authenticate method is called to perform authentication.
(4) The authenticate method of DaoAuthenticationProvider is called to perform the actual authentication.
(5) The loadUserByUsername method is called to query the user.
(6) A UserDetails object is returned.
(7) The PasswordEncoder compares the password in UserDetails with the password in the Authentication object to see whether it is correct.
(8) If it is correct, the authority information from UserDetails is set on the Authentication object.
(9) The Authentication object is returned.
(10) If an Authentication object was returned in the previous step, it is stored with SecurityContextHolder.getContext().setAuthentication. Other filters use SecurityContextHolder to obtain the current user's information.

4. Design ideas
Referring to the design of an open source project, the call chain is:
SysLoginController --> SysLoginService --> authenticationManager.authenticate(authenticationToken); the AuthenticationManager implementation is ProviderManager --> which internally calls provider.authenticate(authentication); the provider implementation is DaoAuthenticationProvider --> which internally calls this.getUserDetailsService().loadUserByUsername(username) --> which reaches the custom class public class UserDetailsServiceImpl implements UserDetailsService and its overridden loadUserByUsername method.
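The UserDetailsService end of that chain, covering steps (5) to (8) of the authentication process and the UserDetailsServiceImpl named in the design above, as an added worked example that is not code from the original article or from the open source project it refers to. It assumes Spring Boot 2.x with spring-boot-starter-security (Spring Security 5.x); SysUser, UserDetailsServiceImpl and SecurityConfig are names chosen here, and a constructed in-memory table stands in for the user and permission tables.

```java
// Added example, not code from the original article: the UserDetailsService that
// DaoAuthenticationProvider calls, plus the configuration that wires in the
// PasswordEncoder it compares with. Assumes Spring Boot 2.x / Spring Security 5.x.
// SysUser, UserDetailsServiceImpl and SecurityConfig are hypothetical names.
import java.util.Map;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.stereotype.Service;

// Stand-in for a row of the user table (constructed sample data).
final class SysUser {
    final String username;
    final String passwordHash;      // BCrypt hash; the plain password is never stored
    final String[] authorities;
    SysUser(String username, String passwordHash, String... authorities) {
        this.username = username;
        this.passwordHash = passwordHash;
        this.authorities = authorities;
    }
}

@Service
class UserDetailsServiceImpl implements UserDetailsService {
    // Constructed table with one user; the hash is computed at start-up so no fake
    // hash literal is needed. A real implementation queries the user and permission tables.
    private static final Map<String, SysUser> TABLE = Map.of(
            "sg", new SysUser("sg", new BCryptPasswordEncoder().encode("123456"), "system:user:list"));

    // Step (5): look the user up by name and return it as UserDetails (step 6).
    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        SysUser row = TABLE.get(username);
        if (row == null) {
            // DaoAuthenticationProvider hides this as BadCredentialsException by default,
            // so a caller cannot tell "no such user" from "wrong password".
            throw new UsernameNotFoundException("user not found: " + username);
        }
        // Only the stored hash is handed over. The comparison of step (7) happens inside
        // DaoAuthenticationProvider via PasswordEncoder.matches(rawPassword, passwordHash).
        return User.withUsername(row.username)
                .password(row.passwordHash)
                .authorities(row.authorities)   // become the Authentication's authorities in step (8)
                .build();
    }
}

@Configuration
class SecurityConfig extends WebSecurityConfigurerAdapter {
    // The encoder DaoAuthenticationProvider uses in step (7). Without this bean
    // Spring Security 5 falls back to a DelegatingPasswordEncoder and expects stored
    // passwords to carry an "{id}" prefix such as "{bcrypt}".
    @Bean
    PasswordEncoder passwordEncoder() { return new BCryptPasswordEncoder(); }

    // Exposes the ProviderManager so a login service can call authenticate() itself.
    @Bean
    @Override
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable()                                     // token-based API, no session cookie
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
            .authorizeRequests()
                .antMatchers("/user/login").anonymous()           // login endpoint only for unauthenticated callers
                .anyRequest().authenticated();
    }
}
```

Because a single UserDetailsService bean and a single PasswordEncoder bean are present, Spring Boot registers them with the DaoAuthenticationProvider automatically; no configure(AuthenticationManagerBuilder) override is needed. WebSecurityConfigurerAdapter is deprecated from Spring Security 5.7 and removed in 6, where the same settings are expressed as a SecurityFilterChain bean.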


Origin blog.csdn.net/csj50/article/details/129946574