An efficient authentication framework out of the box, focusing on restful API authentication dynamic protection

Written in the beginning

Hi, everybody. First post in nuggets. I’m trying to promote a project I wrote. Two years ago, after using Shiro, I started to make an authentication framework – Sureness. I thought it was for restful apis, it was easy to use, and there was no framework binding. I have been writing these ideas on and off for two years, during which I have sent 10 versions in maven library and verified the online environment. Start to write some articles in this publicity, hope that people follow and use sureness-su.usthe.com

Sureness – restful API-oriented authentication and authentication

A simple and efficient open-source jvm security framework that focus on the protection of restful api.

If the home pageusthe.com/surenessUnable to access, please use alternate website:su.usthe.com

Background

Many websites now have a front and back end separation, with the back end providing REST apis and the front end calling the interface to fetch data rendering. How to protect the REST API provided by the back end under this architecture has become more important. API protection can be considered as follows: Authentication-whether the authentication information carried in the request is verified. Only the authenticated user has the permission to access the SPECIFIED API. JWT, BASIC, Digest, OAuth, JWT, JWT, BASIC, Digest, Oauth, JWT, JWT, BASIC, Digest, Oauth, JWT, JWT, JWT, BASIC, Digest, Oauth, JWT HTTP implementation is not servlet but jax-RS specification, to be or not to be, this is a question.

Currently, the mainstream Java authorization framework includes Shiro and Spring Security. The following discussion on them is my personal opinion. Shiro is not very friendly to restful API native support and needs to rewrite some code. Two years ago, a project called Booshiro modified Shiro so that it could match different REST requests in the filter chain for permission verification and then give shiro permission Commit several pr,fix its dangerous vulnerabilities in filtering chain matching, in general Shiro is powerful but its origins are not web-oriented and not very Restful to Spring Security is powerful and deeply integrated with Spring. Without Spring, for example, Javalin and karaf, the OSGi framework we used before, would not be able to use it. If you don’t use the annotation configuration, they all match in the chain, Using a requested url and configuration of the chain matching an ant (such as caching to improve performance in matching process), but the match chain too much or more consumption performance (judging according to the algorithm time complexity, temporarily not test validation) we hope that we can solve these, provide a for restful API, frameless dependence, can dynamically modify permissions, Multiple authentication policies, faster, easy-to-use authentication framework

Introduction

Sureness is a new authentication project based on the good design and some ideas of Shiro after we use the Java authorization framework. It is based on RBAC (user-role-resource) and mainly focuses on restful apis Rely on the safety protection without specific framework (essence filter interceptor judgment, existing springboot, quarkus, javalin, ktor demo etc.) to support dynamic change permissions configuration (dynamic modification which API needs to be certified, Servlet and JAX-RS support multiple authentication strategies, JWT, Basic Auth… Extensible custom supported authentication based on the improved dictionary matching tree has a good performance of the extension interface, low configuration of demo and document Sureness, easy to expand, no coupling with other frameworks, can enable developers to their own projects of multiple scenarios quickly and safely protected

Framework Sample Support

• spring sample-bootstrap
• springboot sample-tom
• quarkus sample-quarkus
• javalin sample-javalin
• ktor sample-ktor
• spring webflux sample-spring-webflux
• more samples todo

Quick start

Use the previous conventions

• surenessAs simple as possible, based onrbac, there is only (role-resource) mapping, there is no (permission) action mapping, that is, user-role-resource
• We will berestful apiThe request is treated as a resource in the following format:requestUri===httpMethodThat is, the path of the request plus how it is requested (post,get,put,delete...) regarded as a resource as a wholeeg: /api/v2/book===get getWay to request/api/v2/bookThe interface data
• Role resource mapping: the role to which the user belongs – the role owns the resource – the user owns the resource (the user can access thisapi)

Add Sureness to the project

1. Projects usingmavenBuild, addmavencoordinates

< the dependency > < groupId > com. Usthe. Sureness < / groupId > < artifactId > sureness - core < / artifactId > < version > 0.1 < / version > </dependency>Copy the code

2. Projects usinggradleBuild,gradlecoordinates

Compile group: 'com.usthe.sureness', name: 'sureness-core', version: '0.1'Copy the code

3. The project is general engineering, joinsureness-core.jarRely on

In mvnrepository download jar at https://mvnrepository.com/artifact/com.usthe.sureness/sureness-coreCopy the code

Add filter entry that blocks all requests

Add a sureness security filter to the interceptor, as follows:

SurenessSecurityManager.getInstance().checkIn(servletRequest)
Copy the code

Implement related exception handling

Sureness uses an exception processing process. We need to customize the checkIn exception processing, security filter, and pass the authentication successfully, fail to throw specific exceptions, and catch exceptions as follows:

try { SubjectSum subject = SurenessSecurityManager.getInstance().checkIn(servletRequest); } the catch (ProcessorNotFoundException | UnknownAccountException | UnsupportedSubjectException e4) {/ / account creation related to abnormal} the catch (DisabledAccountException | ExcessiveAttemptsException e2) {/ / account disabled related to abnormal} the catch (IncorrectCredentialsException | ExpiredCredentialsException e3) {/ / authentication failure related to abnormal} the catch (UnauthorizedException e5) {/ / authentication failure related to abnormal} the catch (RuntimeException E) {// Other custom exceptions}Copy the code

Loading Configuration Data

Sureness authentication, of course, also requires us to configure our own configuration data — account data, role permission data and so forth that might come from text, relational databases, Non-relational database we provide configuration data interface SurenessAccountProvider, PathTreeProvider, Users can implement this interface implementation custom configuration data source We also provide current default text form of realizing DocumentResourceDefaultProvider configuration data, You can configure sureness.yml to configure the default text data source

We provided the code DEMO: default text data source implementation, please refer to sureness10 minutes to set up the permission project –sample-bootstrap If the permission configuration data from the database, please refer to sureness30 minutes to set up the permission project — sample-Tom

HAVE FUN

Welcome to participate in the project and contribute to help Sureness go further and better. If you have any questions or suggestions about the project code, please contact @tomsun28