The liver is bald! Alibaba's top version of Spring Security notes

Spring Security

Spring Security is a security framework that provides declarative access control for Spring-based enterprise applications. As a member of the Spring ecosystem, it is revised and upgraded along with the rest of that ecosystem. Adding Spring Security to a Spring Boot project is very simple, and using it reduces the amount of repetitive code that has to be written for enterprise system security control.


Spring Security OAuth2.0 authentication and authorization

In the era of mobile Internet, everyone is using mobile phones every day. Commonly used software includes WeChat, Alipay, Toutiao, etc. Let’s take WeChat as an example to illustrate authentication.

Related basic concepts: before using WeChat for the first time, you need to register as a WeChat user and then enter your account and password to log in. The process of entering the account and password to log in to WeChat is authentication.

Authentication: User authentication is the process of judging whether a user's identity is valid. When a user accesses system resources, the system requires verification of the user's identity information. Access continues only if the identity is valid; otherwise it is denied. Common user authentication methods include username and password login, QR code login, mobile phone SMS login, and fingerprint authentication.

OAuth (Open Authorization) is an open standard that allows users to authorize third-party mobile applications to access their information stored on another service provider, without providing their user names and passwords to those applications or sharing all of their data. OAuth2.0 is a continuation of the OAuth protocol, but it is not compatible with OAuth 1.0 (that is, OAuth1.0 is completely abolished).
The OAuth 2.0 specification defines an authorization (delegation) protocol.

The information currently available on Spring Security is relatively limited and not complete, so your editor (Lei Feng) has sorted out and shared these notes, which explain the Spring Security framework comprehensively in two environments. First, in the SSM environment, we use XML configuration and, starting from the source code, complete the basic "authentication" and "authorization" functions of Spring Security, also integrating "remember me", CSRF interception and other techniques. Then, in the Spring Boot environment, we continue with a deeper study of Spring Security, at which point authentication also moves to a distributed model. That is the content covered by the notes. Below, the editor shows the catalog and detailed screenshots. Friends who need the full version of the source code + notes, please give this a like. Just like + follow and you can get it for free!

 

The first note: Spring Security OAuth2.0 authentication and authorization

Due to space reasons, in order to avoid affecting everyone's reading experience, only screenshots are used to show part of the content.


1. Basic concepts

  • What is authentication
  • What is a session
  • What is authorization
  • Authorization data model
  • RBAC


2. Session-based authentication

  • Authentication process
  • Create project
  • Implement the authentication function
  • Implement the session function
  • Implement the authorization function


3. Spring Security Quick Start

  • Introduction to Spring Security
  • Create project
  • Authentication
  • Authorization


4. Detailed explanation of Spring Security application

  • Integrate Spring Boot
  • Working principle
  • Custom authentication
  • Session
  • Logout
  • Authorization


5. Distributed system authentication scheme

  • What is a distributed system
  • Distributed authentication requirements
  • Distributed authentication scheme


6. OAuth2.0

  • Introduction to OAuth2.0
  • Spring Cloud Security OAuth2
  • JWT token
  • Complete the environment configuration


7. Spring Security implements distributed system authorization

  • Requirements analysis
  • Registry
  • Gateway
  • Forward the plaintext token to microservices
  • Microservice user authentication interception
  • Integration testing
  • Expand user information


The second note: Spring Security notes, the preferred security framework for enterprise development


Part 2: Getting to Know Spring Security

  • 1. Introduction to permission-related concepts
  • 2. Introduce the concepts of authentication and authorization
  • 3. Introduction to Spring Security
  • 4. The principles of the eleven filters explained
  • 5. Database environment preparation
  • 6. The database uses MySQL, and the three tables of users, roles and permissions are prepared here.
  • 7. Technology selection for the Spring Security authorization control case in a standalone web project
  • 8. springmvc+spring+mybatis+jsp+adminLTE
  • 9. Implementing the Spring Security authentication function
  • 10. At this point, authentication has not actually obtained the role information from the database.


Part 2: Spring Security authorization operation

  • 11. Implement the role query function in user management
  • 12. Prepare for authorization
  • 13. Implement the user role modification function
  • 14. Can add and delete user roles
  • 15. Use Spring Security dynamic tags to control whether the menu is shown or hidden on the JSP page
  • 16. Spring Security is used in a standalone web project, but the permission table is not actually used; that is, the menu is not stored in the database but written directly on the page, and Spring Security dynamic tags control whether it is shown or hidden.
  • 17. Use annotations on the back end to truly control user access to resources
  • 18. Three types of annotations are demonstrated here: JSR-250, Spring EL, and Spring Security
  • 19. 403 exception handling
  • 20. Three ways to intercept and handle 403 exceptions


Part 3: Spring Security integrated with Spring Boot, centralized version


  • 21. Introduction to Swagger for RESTful APIs
  • 22. Since front-end and back-end separation is used, how can the API be left out?
  • 23. Change all back-end handlers that return pages into handlers that return data
  • 24. After the front and back ends are separated, what is the point of returning pages?
  • 25. Explain the authentication problems in the project after the front and back ends are separated
  • 26. At this point, the page and the back end are on different servers, so the session cannot be shared.
  • 27. Introduction to JWT
  • 28. Explain the function and role of JWT
  • 29. Spring Security integrates JWT
  • 30. Implement front-end and back-end separated authentication with Spring Security plus JWT


Part 4: OAuth2.0 hands-on case

  • 31. Replace all pages with Vue
  • 32. With front-end and back-end separation, JSP naturally can no longer be used
  • 33. Create a permission table and store all menus in the database
  • 34. In the previous standalone web project, the menu was written directly on the page and not stored in the database, and the dynamic tags of Spring Security can no longer be used after the front and back ends are separated.
  • 35. Complete the permission query function in role management
  • 36. Prepare for the dynamic display of the menu.
  • 37. Complete the function of modifying the menus under a role
  • 38. Still preparing for the dynamic display of the menu
  • 39. Introduce the use of element-ui
  • 40. Technical preparation for displaying the menu on the page
  • 41. After authentication passes, the menu is displayed dynamically on the page
  • 42. Use element-ui to complete the display of dynamic menus.


Origin blog.csdn.net/AMSRY/article/details/108752745