Spring Security overview

Let’s take a quick look at what Spring Security is.

Spring Security is a permission control framework and a project within the Spring ecosystem.

It provides authentication and authorization. In addition, it automatically protects us against some common web attacks, for example CSRF.

  • Authentication

    Authentication is about identifying “who” the user is.

  • Authorization

    Authorization is whether the user is allowed to do something.

Under the hood, Spring Security is implemented as a series of filters. The client sends a request to the application, and the container creates a filter chain containing the filters and the Servlet.

Previously, configuring Spring Security was quite tedious; the XML configuration alone could be daunting.

Thanks to Spring Boot, Spring Security configuration is now much simpler. For the most basic use, you only need to add the jar dependency.

Spring Boot's automatic security configuration:

  • By default, Spring Security creates a Servlet filter bean called springSecurityFilterChain. This bean is responsible for all security handling within the application (protecting URLs, validating user names and passwords, redirecting to the login form, and so on).
  • It creates a UserDetailsService bean containing a user name and a randomly generated password that is printed to the console.
  • It registers the springSecurityFilterChain filter with the Servlet container so that it runs on every request.

Of course, the automatic configuration cannot meet every need. The simplest example: how do we set our own user name and password?

This is where the convenience of Spring Boot comes into play: you configure the user name and password in a YML file.

  1. YML configuration

    spring:
      application:
        name: user_center
      security:
        user:
          name: DaMai
          password: damai123456
  2. Start the project and access an interface

    For example, access 127.0.0.1:3344/authRole/1. Spring Security intercepts the request and redirects to the built-in login page.

  3. After entering the configured user name and password, you can access the interface.

    Of course, since we have not written the business code yet, an error is reported. But as we can see, authentication succeeded, so the business request was processed.

RBAC permission design idea

RBAC stands for Role-Based Access Control. It is currently the most widely used design approach for permission systems.

The simplest RBAC system is the user-role-permission authorization model, also known as RBAC0. In this model, user-to-role and role-to-permission are generally many-to-many relationships.

Of course, in real business development it still needs to be extended according to actual requirements; this is only a guideline.

The overall process is to query which roles have access to the requested path, and then check whether the user holds one of those roles.
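The RBAC0 check described above, as an added, framework-independent example (not code from the original article or from Spring Security itself): the role and path names, the user DaMai and the Ant-style patterns are constructed sample data, and the pattern matcher is a deliberately minimal stand-in for Spring's.

```java
import java.util.*;

/** RBAC0 in plain Java: user<->role and role<->permission are many-to-many; a permission is a URL path pattern. */
public class Rbac0Demo {
    private final Map<String, Set<String>> rolePermissions = new HashMap<>(); // role -> path patterns
    private final Map<String, Set<String>> userRoles = new HashMap<>();       // user -> roles

    void grant(String role, String pathPattern) {
        rolePermissions.computeIfAbsent(role, r -> new HashSet<>()).add(pathPattern);
    }

    void assign(String user, String role) {
        userRoles.computeIfAbsent(user, u -> new HashSet<>()).add(role);
    }

    /** Step 1: which roles are allowed to reach this path? */
    Set<String> rolesForPath(String path) {
        Set<String> roles = new TreeSet<>();
        rolePermissions.forEach((role, patterns) -> {
            for (String p : patterns) if (matches(p, path)) roles.add(role);
        });
        return roles;
    }

    /** Step 2: does the user hold at least one of those roles? A path no role is mapped to is denied (fail closed). */
    boolean isAllowed(String user, String path) {
        Set<String> allowed = rolesForPath(path);
        if (allowed.isEmpty()) return false;
        Set<String> held = userRoles.getOrDefault(user, Collections.emptySet());
        return !Collections.disjoint(allowed, held);
    }

    /** Minimal Ant-style match (constructed for this demo): exact path, "/x/*" for one segment, "/x/**" for any depth. */
    static boolean matches(String pattern, String path) {
        if (pattern.endsWith("/**")) return path.startsWith(pattern.substring(0, pattern.length() - 2));
        if (pattern.endsWith("/*")) {
            String prefix = pattern.substring(0, pattern.length() - 1);
            return path.startsWith(prefix) && !path.substring(prefix.length()).contains("/");
        }
        return pattern.equals(path);
    }

    public static void main(String[] args) {
        Rbac0Demo rbac = new Rbac0Demo();
        rbac.grant("ADMIN", "/authRole/**");   // ADMIN may manage roles at any depth
        rbac.grant("USER", "/profile/*");      // USER may read one profile segment only
        rbac.assign("DaMai", "ADMIN");
        rbac.assign("guest", "USER");
        System.out.println("DaMai -> /authRole/1: " + rbac.isAllowed("DaMai", "/authRole/1"));
        System.out.println("guest -> /authRole/1: " + rbac.isAllowed("guest", "/authRole/1"));     // guest lacks ADMIN
        System.out.println("guest -> /profile/1/edit: " + rbac.isAllowed("guest", "/profile/1/edit")); // "/*" stops at one segment
        System.out.println("DaMai -> /unmapped: " + rbac.isAllowed("DaMai", "/unmapped"));          // nothing mapped, deny
    }
}
```

The fail-closed branch in isAllowed is the part worth keeping when this is wired into a real filter: a path that no role was mapped to should be denied, not silently allowed.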