This is the 28th day of my participation in Gwen Challenge

Just when we thought we were nearing the end of our tour of the Spring Cloud components, we almost missed an important one: Spring Cloud Security.

Preface

Every management system has one page that matters most: the login page. Just as you need a ticket to get into a show, you need a corresponding ticket (a token) to obtain access to a management system.

Authentication flow chart of OAuth2.0

  • (A) After the user opens the client, the client requests the user to grant authorization;
  • (B) The User agrees to authorize the client;
  • (C) The client applies for a token from the authentication server using the authorization obtained in the previous step;
  • (D) After authenticating the client, the authentication server confirms no error and agrees to issue the token;
  • (E) The client uses the token to apply to the resource server for obtaining resources;
  • (F) The resource server confirms the token and agrees to open the resource to the client.

Authorization modes

Authorization Code Grant

The authorization code mode is the most secure authorization mode. It applies to open platforms where the client is an untrusted third-party application; the client obtains the token in a direct exchange with the authorization server that the user's browser never sees.

  1. The client requests authorization from the authorization server (passing its clientId, redirect address, etc.)
  2. The authorization server redirects the user to its login page and asks whether to grant authorization
  3. The user enters their account and password on the authorization server to confirm authorization
  4. The authorization server redirects back to the client with the code parameter
  5. The client exchanges the code at the authorization server for a token and a refreshToken
  6. The client obtains user resources from the resource server using the token

Implicit Grant

Application scenario: Single-page application or APP

  1. The client requests authorization from the authorization server (passing its clientId, redirect address, etc.)
  2. The authorization server redirects the user to its login page and asks whether to grant authorization
  3. The user enters their account and password on the authorization server to confirm authorization
  4. The authorization server redirects back to the client with the token attached directly

Password mode (Resource Owner Credentials Grant)

It is suitable for your own app or single-page application, which interacts directly with the authorization server and obtains authorization with the user's account and password

  1. The client requests authorization from the authorization server with the user account and password
  2. The authorization server returns the token value to the client

The Client Credentials Grant mode

This mode is used for communication between servers

  1. The client authenticates to the authorization server with its own pre-agreed credentials
  2. The authorization server issues a token to the client
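To make the authorization code steps (1 to 5 above) and the client credentials exchange concrete, here is a toy authorization server and client written for this note; it is not Spring's code or any library's API. It shows the messages both sides exchange and the checks the server has to perform: authenticating the client at the token endpoint, matching the redirect address exactly, letting a code be redeemed only once, and echoing the client's state value so the client can detect a redirect it did not initiate. All client IDs, secrets, user names and URLs are constructed sample values.

```python
"""Toy OAuth 2.0 authorization server and client (constructed for illustration).

Covers the authorization-code grant and the client-credentials grant. The
registered clients, secrets, user names and URLs are made-up sample values.
"""
import secrets
import time
from urllib.parse import urlencode, urlparse, parse_qs


class AuthorizationServer:
    def __init__(self):
        # Registered clients (constructed). A confidential client holds a secret;
        # a public-facing web app also has a fixed list of allowed redirect URIs.
        self.clients = {
            "web-app": {"secret": "s3cr3t-web", "redirect_uris": {"https://app.example/callback"}},
            "batch-job": {"secret": "s3cr3t-batch", "redirect_uris": set()},
        }
        self.codes = {}           # code -> {client_id, redirect_uri, user, expires}
        self.tokens = {}          # access_token -> {client_id, sub}
        self.refresh_tokens = {}  # refresh_token -> subject

    def authorize(self, params, user):
        """Steps 1-4: the user has logged in and consented; issue a short-lived code
        bound to the client and redirect address, then redirect back to the client."""
        client = self.clients.get(params.get("client_id"))
        if client is None or params.get("response_type") != "code" or not params.get("state"):
            raise ValueError("invalid_request")  # this toy server requires a state value
        redirect_uri = params.get("redirect_uri")
        if redirect_uri not in client["redirect_uris"]:
            raise ValueError("invalid_redirect_uri")  # never redirect to an unregistered address
        code = secrets.token_urlsafe(32)
        self.codes[code] = {"client_id": params["client_id"], "redirect_uri": redirect_uri,
                            "user": user, "expires": time.time() + 60}
        # The state value is echoed back unchanged so the client can match it.
        return redirect_uri + "?" + urlencode({"code": code, "state": params["state"]})

    def token(self, form, client_id, client_secret):
        """Step 5 (authorization_code) or the client_credentials exchange:
        authenticate the client first, then issue tokens."""
        client = self.clients.get(client_id)
        if client is None or not secrets.compare_digest(client["secret"], client_secret):
            raise ValueError("invalid_client")
        grant = form.get("grant_type")
        if grant == "authorization_code":
            record = self.codes.pop(form.get("code"), None)  # pop: a code is redeemable once
            if record is None or record["expires"] < time.time():
                raise ValueError("invalid_grant")
            if record["client_id"] != client_id or record["redirect_uri"] != form.get("redirect_uri"):
                raise ValueError("invalid_grant")  # code presented by a different client or address
            subject, issue_refresh = record["user"], True
        elif grant == "client_credentials":
            subject, issue_refresh = client_id, False  # server-to-server: no user involved
        else:
            raise ValueError("unsupported_grant_type")
        access = secrets.token_urlsafe(32)
        self.tokens[access] = {"client_id": client_id, "sub": subject}
        resp = {"access_token": access, "token_type": "Bearer", "expires_in": 3600}
        if issue_refresh:
            refresh = secrets.token_urlsafe(32)
            self.refresh_tokens[refresh] = subject
            resp["refresh_token"] = refresh
        return resp

    def introspect(self, access_token):
        """Step 6: what the resource server checks before serving a request."""
        return self.tokens.get(access_token)


def run_authorization_code_flow(server, user="alice"):
    """Client side of the authorization-code flow: returns (token response, subject)."""
    state = secrets.token_urlsafe(16)  # kept in the user's session until the redirect returns
    redirect_uri = "https://app.example/callback"
    auth_request = {"response_type": "code", "client_id": "web-app",
                    "redirect_uri": redirect_uri, "state": state}
    callback_url = server.authorize(auth_request, user)  # user logs in and consents here
    cb = parse_qs(urlparse(callback_url).query)
    if cb.get("state", [None])[0] != state:
        raise ValueError("state mismatch: redirect was not started by this session")
    token_resp = server.token({"grant_type": "authorization_code", "code": cb["code"][0],
                               "redirect_uri": redirect_uri}, "web-app", "s3cr3t-web")
    return token_resp, server.introspect(token_resp["access_token"])["sub"]


def run_client_credentials_flow(server):
    """Server-to-server: the client presents only its own pre-agreed credentials."""
    token_resp = server.token({"grant_type": "client_credentials"}, "batch-job", "s3cr3t-batch")
    return token_resp, server.introspect(token_resp["access_token"])["sub"]


def code_is_single_use(server):
    """True if replaying an already redeemed code is rejected with invalid_grant."""
    redirect_uri = "https://app.example/callback"
    cb = parse_qs(urlparse(server.authorize({"response_type": "code", "client_id": "web-app",
                                             "redirect_uri": redirect_uri, "state": "xyz"}, "bob")).query)
    form = {"grant_type": "authorization_code", "code": cb["code"][0], "redirect_uri": redirect_uri}
    server.token(form, "web-app", "s3cr3t-web")
    try:
        server.token(form, "web-app", "s3cr3t-web")
    except ValueError as e:
        return str(e) == "invalid_grant"
    return False
```

The same `token` endpoint serves both grants, which is how real servers are laid out: the difference between the modes is what the client presents (a freshly issued code plus its own credentials, or its credentials alone), and the subject of the resulting token is a user in the first case and the client itself in the second.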

Choose among the four modes according to the scenario

Spring Security

At its heart is a chain of filters that is configured automatically when the application starts. For example, BasicAuthenticationFilter, the filter that handles HTTP Basic authentication in Spring Security, is used to authenticate a user's identity.

Core functions

  • Authentication
  • Authorization
  • Attack prevention

Spring Cloud Security features

Spring Cloud Security provides a set of primitives for building secure applications and services that are easy to use.

  • Relay the SSO token from the front end to back-end services through the gateway proxy
  • Relay tokens between resource servers
  • An interceptor that makes Feign clients behave like OAuth2RestTemplate (get token, etc.)
  • Configure downstream authentication in the Zuul proxy

Today’s summary

Today I mainly talked about the functions of the relevant knowledge points involved in security and some simple applications. The principles still need to be studied in depth. Come on!