Small knowledge, big challenge! This article is participating in the "Essentials for Programmers" creative activity.

Preface

Thank you for clicking on this article. I’m sure you know Spring Security and want to learn about it systematically, so you’re in the right place. I will systematically study Spring Security with you this month and next month.

I used to write a design pattern column (finished), and now I am working on a concurrent queue column. If you are interested, you can click on my avatar to follow the column and we will learn together. Now you want Spring Security and concurrent queues to go hand in hand (time permitting, of course)

Without further ado, let's get to today's topic.

A first look at Spring Security

Most of you have probably encountered Spring Security in combination with Spring Boot. In fact, Spring Security existed for many years before Spring Boot. As the name says, it is a security framework that protects interfaces and projects. People used to say that an application can't run naked: it has to have some checks in front of it. This framework is one way of providing them.

With the rise of Spring Boot, developers can use Spring Security with zero configuration, based on the automatic configuration solution provided by Spring Boot for Spring Security. If you want to use Spring Security in your Spring Boot application, just add the following dependencies to your Maven project’s POM file:

<dependency>
     <groupId>org.springframework.boot</groupId>
     <artifactId>spring-boot-starter-security</artifactId>
</dependency>

So let’s write a simple interface.

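import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class DemoController {

    // Simple endpoint used to observe Spring Security's default behavior
    @GetMapping("/hello")
    public String hello() {
        return "Hello World!";
    }
}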

Start the Spring Boot application and access the "localhost/hello" interface through a browser. You are probably expecting "Hello World!" to be returned, but in fact the browser jumps to a login screen that looks like this:

The reason is that Spring Security automatically adds user authentication to your application. This is similar to a token mechanism: a user without a token gets no access. So what are the username and password, and where do you get them? You can find this line in the startup log in your IDEA console:

Using generated security password: 707234543-6234f-5h43-a443-43758732h4

This log line contains a password generated by Spring Security, and the user name is the default "user". After you enter the correct username and password, the browser shows the "Hello World!" response.

The above procedure demonstrates the authentication capabilities provided by Spring Security and is a basic feature of Spring Security’s many capabilities. Let’s explore the full architecture of features in Spring Security.

Spring Security's features

Spring Security provides a complete set of security solutions, with security functions for different business requirements and application scenarios.

We can define whatever needs to be accessed as a Resource. For example, in a web application, an exposed HTTP endpoint can be thought of as a Resource. Let's start by understanding two concepts that are common but easily confused in the security world: Authentication and Authorization.

The combination of authentication and authorization forms the most common solution for security management of resources in the system, that is, to determine the valid identity of resource visitors and then determine whether they have legitimate access to this resource, as shown in the following figure:

This is like a visitor in ancient times calling on a household: you knock at the door, the gatekeeper first finds out who you are, and whether you may enter is then up to the master. In other words: who you are, what you want to do, and what authority you have.

For authentication, the requirements are relatively clear. We need to build a complete storage system to store and maintain user information, and ensure that this user information can be used properly while requests are being processed.

For authorization, what we usually do is introduce a role system. We assign roles of different levels to different users, and roles of different levels have different access permissions. Each request can be bound to a role and thereby gain the corresponding access.

Next, we combine authentication and authorization to sort out the security implementation scheme in the web application access scenario, as shown in the figure below (image from the web):

All right, I’m just going to do a little bit of this today, but there’s no point in writing too much, and we’ll see you in the code in the next chapter.

Conclusion

Spring Security is a long-standing framework in the Spring family, with a complete and powerful functional system. We’ll learn together later.

Closing remarks

Thank you for reading. If you feel that you have learned something, please like and follow. You are also welcome to leave questions in the comments below so we can discuss them.

Come on! See you next time!