How to implement a rights management system?


Disclaimer: this article is a reprint, kept here as a backup so that it is not lost.
Source: WeChat official account "java mind map" (ID: java-mindmap)
Original address: https://mp.weixin.qq.com/s/7CLh6baPR8x-KdEDCIH9gg

System security is an issue that cannot be avoided in system development, and access control is inseparable from it: from something as large as access to a whole page down to a single button, almost everything may need permission control. renren-security gives us a ready-made solution for developing systems around permissions.

renren-security is a lightweight open-source permission management system from the "renren" community. It is built on Spring Boot, MyBatis and Shiro, has a very low learning curve and can be used out of the box, and supports distributed deployment, Quartz distributed cluster scheduling, department management, data permissions, cloud storage and other functions.

Project Features

Flexible access control: permissions can be controlled down to a page or a button, which meets the vast majority of permission requirements
Complete department management and data permissions, with data permission control implemented through annotations
Complete script filtering for XSS prevention, intended to eliminate XSS attacks entirely
Supports MySQL, Oracle, SQL Server, PostgreSQL and other mainstream databases


The system's structure is fairly clear: it consists of the admin, api and common modules, and the functions of each module are roughly as follows:

common: the common module, packaged as an independent jar that the other modules depend on. It implements some common tools and functionality, including date handling, pagination, SQL filtering, XSS filtering, Redis aspect definitions and custom exception handling.

admin: the system management module, deployed as an independent war. It follows the idea of front-end/back-end separation and is mainly used for developing the back-office system. It includes user management, role management, department management, menu management, scheduled tasks, file upload and API checks, uses Redis for data caching, and supports both stand-alone and cluster deployment.

api: the API interface module, deployed as an independent war. It mainly provides the interfaces called by the front-end UI for business functions such as user registration, login, authentication and retrieving the user's permission information. It also integrates swagger2 to generate API documentation, which makes looking up and debugging interfaces convenient.

System Architecture

The system was designed with particular emphasis on security: permission checks for both pages and interfaces are implemented on top of Shiro.

When a user logs in with an account and password, authentication is performed and the user's information and role permissions are retrieved. When a page is displayed, its elements are shown according to the permissions the user holds; when an interface is requested, the user's permissions are verified; and when data reaches the database, the SQL and XSS filters are applied. The core of the whole process is Shiro's user authentication and authorization. The flow is as follows:
[Figure: overall idea of the permission check]

Shiro authentication and authorization

To implement authentication and authorization with Shiro, you need a custom Realm that extends AuthorizingRealm and overrides two methods: doGetAuthenticationInfo (authentication) and doGetAuthorizationInfo (authorization). The details of integrating the system with Shiro are not covered here.

When a user logs in, the account and password are wrapped in a UsernamePasswordToken and login is called to submit them for authentication; Shiro then automatically calls our overridden doGetAuthenticationInfo method.

Subject subject = SecurityUtils.getSubject();
UsernamePasswordToken token = new UsernamePasswordToken(username, password);
// submit the credentials for authentication
subject.login(token);
// Shiro performs authentication
@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authcToken) throws AuthenticationException {
    UsernamePasswordToken token = (UsernamePasswordToken)authcToken;
    // look up the user record by username
    SysUserEntity user = new SysUserEntity();
    user.setUsername(token.getUsername());
    user = sysUserDao.selectOne(user);

    // account does not exist
    if(user == null) {
        throw new UnknownAccountException("账号或密码不正确");
    }
    // hand the stored password hash and its salt to Shiro's credentials matcher for comparison
    SimpleAuthenticationInfo info = new SimpleAuthenticationInfo(user, user.getPassword(), ByteSource.Util.bytes(user.getSalt()), getName());
    return info;
}

If authentication succeeds, the authenticated user's information can be retrieved anywhere in the system through SecurityUtils.getSubject(). We can also use this feature to obtain the currently logged-in user automatically.

It should be added that the system stores each permission as a tag in the database; a user who holds a given tag has the corresponding operation permission. For Shiro authorization, doGetAuthorizationInfo needs to load the list of all of the user's permissions, and Shiro then checks that list to decide whether the user is allowed to perform an operation.

// Shiro performs authorization
@Override
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
    // retrieve the instance that was added to SimpleAuthenticationInfo during authentication
    SysUserEntity user = (SysUserEntity)principals.getPrimaryPrincipal();
    Long userId = user.getUserId();
    // query all of the user's permissions (each row is a comma-separated list of tags)
    Set<String> permsSet = new HashSet<String>();
    List<String> permsList = sysUserDao.queryAllPerms(userId);
    for(String perms : permsList){
        if(StringUtils.isBlank(perms)){
            continue;
        }
        permsSet.addAll(Arrays.asList(perms.trim().split(",")));
    }
    SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
    info.setStringPermissions(permsSet);
    return info;
}

Shiro authorization is passive: it is triggered only when a permission check is actually encountered, which happens in the following ways:

1. On pages. When a page template contains <#if shiro.hasPermission("sys:del")></#if>, Shiro calls the custom Realm to obtain the permission information and checks whether "sys:del" exists in the permission data: if it does, access is granted; if not, access is denied. This can be used to show or hide specific buttons and labels.

<#if shiro.hasPermission("sys:add")>
    <a class="btn btn-primary" @click="add">新增</a>
</#if>
<#if shiro.hasPermission("sys:del")>
    <a class="btn btn-primary" @click="del">删除</a>
</#if>

2. Through annotations on interfaces. If a controller method is annotated with @RequiresPermissions("sys:del"), Shiro likewise calls the custom Realm to obtain the permission information and checks whether "sys:del" exists in the permission data: if it does, access is granted; if not, access is denied. This implements the interface permission check.

@RequestMapping("/delete")
@RequiresPermissions("sys:del")
public R delete(long deptId){
    // check whether the department still has child departments
    List<Long> deptList = sysDeptService.queryDetpIdList(deptId);
    if(deptList.size() > 0){
        return R.error("请先删除子部门");
    }
    sysDeptService.deleteById(deptId);
    return R.ok();
}
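The Realm pattern above and the passive checks behind the page tag and the annotation, run end to end in plain Java with Shiro, as an added example that is not code from renren-security or the original post. The in-memory user maps, the salted SHA-256 hashing with 1024 iterations and the HashedCredentialsMatcher are assumptions standing in for the project's own user table and password scheme; can() asks the same question a <#if shiro.hasPermission(...)> tag or @RequiresPermissions would ask.

```java
import java.util.*;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.*;
import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
import org.apache.shiro.authz.*;
import org.apache.shiro.crypto.hash.Sha256Hash;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.*;
import org.apache.shiro.util.ByteSource;
public class RealmDemo {
    static final int ITERATIONS = 1024;                             // hash iterations; the matcher must use the same value
    static final Map<String, String[]> USERS = new HashMap<>();     // username -> {salt, SHA-256 hex} (constructed stand-in for sys_user)
    static final Map<String, String> PERMS = new HashMap<>();       // username -> "tag1,tag2" (constructed, same shape as queryAllPerms rows)
    static void addUser(String name, String password, String perms) {
        String salt = UUID.randomUUID().toString().replace("-", "");  // fresh random salt per user
        USERS.put(name, new String[]{salt, new Sha256Hash(password, ByteSource.Util.bytes(salt), ITERATIONS).toHex()});
        PERMS.put(name, perms);                                       // the plaintext password is never stored
    }
    static class DemoRealm extends AuthorizingRealm {
        @Override protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken t) {
            String[] rec = USERS.get(((UsernamePasswordToken) t).getUsername());
            if (rec == null) throw new UnknownAccountException("bad account or password"); // same text as for a wrong password
            // return the stored hash plus its salt; HashedCredentialsMatcher re-hashes the submitted password and compares
            return new SimpleAuthenticationInfo(t.getPrincipal(), rec[1], ByteSource.Util.bytes(rec[0]), getName());
        }
        @Override protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection p) {
            Set<String> tags = new HashSet<>();                       // split the comma-separated tags, skipping blanks
            for (String s : PERMS.getOrDefault(p.getPrimaryPrincipal(), "").split(",")) if (!s.trim().isEmpty()) tags.add(s.trim());
            SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
            info.setStringPermissions(tags);
            return info;
        }
    }
    static boolean can(String user, String password, String perm) {
        Subject s = SecurityUtils.getSubject();
        s.login(new UsernamePasswordToken(user, password));           // throws AuthenticationException if the credentials are rejected
        try { return s.isPermitted(perm); } finally { s.logout(); }  // isPermitted triggers doGetAuthorizationInfo lazily
    }
    public static void main(String[] args) {
        DemoRealm realm = new DemoRealm();
        HashedCredentialsMatcher matcher = new HashedCredentialsMatcher("SHA-256");
        matcher.setHashIterations(ITERATIONS);
        realm.setCredentialsMatcher(matcher);
        SecurityUtils.setSecurityManager(new DefaultSecurityManager(realm));
        addUser("admin", "s3cret", "sys:add,sys:del");
        addUser("viewer", "pass", "sys:view");
        System.out.println("admin  sys:del -> " + can("admin", "s3cret", "sys:del"));
        System.out.println("viewer sys:del -> " + can("viewer", "pass", "sys:del"));
        try { can("viewer", "wrong", "sys:view"); } catch (AuthenticationException e) { System.out.println("login rejected"); }
    }
}
```

Shiro resolves the string tags as WildcardPermission, so a stored tag such as sys:* would satisfy sys:del as well; keep that in mind when a user's tag list is assembled from several roles.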

With this, Shiro-based permission control of pages and interfaces is basically implemented. Of course, Shiro mainly plays its controlling role at the presentation layer; for security reasons the system should also add verification at the data level. Therefore, at the data level, SQL filtering and XSS filtering are applied. The project has packaged these into its own tools, whose principle is regular-expression matching and string replacement; interested readers can look at the project directly, so they are not described in detail here.

Besides the permission control system itself, the project also implements many features commonly used in back-office development, such as Quartz distributed cluster scheduling, dynamic switching between multiple data sources and session management under cluster deployment; interested readers can look at the source code as well.

Project Address: https://gitee.com/renrenio/renren-security


Origin: blog.csdn.net/xianhenyuan/article/details/93402305