This is the 28th day of my participation in Gwen Challenge
Security has to be designed into any service system. Application security is a goal that is never finished, and a comprehensive, system-wide approach matters because developers cannot know in advance how an intruder will attack the system. In practice this means layered security: several independent levels of protection, each layer adding its own guarantee on top of the others. The stronger each layer is, the more robust and secure the application as a whole. Java EE applications sit high up in this layered model, so their security configuration must be tailored to the specific problem domain.
Security concerns are twofold
Security at the application level focuses on two main aspects, Authentication and Authorization, that is, who you are and what you are allowed to do. In a monolithic application, developers can control and record user access with a simple interceptor and session mechanism. In a distributed system, where business logic is encapsulated in microservices, every microservice must authenticate the user and authorize their actions, and two approaches emerge:
- The first is a centralized authority management system that manages user identities and permissions in one place: a user is authorized once and that authorization is reused many times. The drawback is that the independent access-control logic of every microservice has to be aggregated into the central service, and whenever a microservice implements a new piece of business logic, a matching implementation may have to be added to the security service;
- The second is to spread the security logic across the microservices, each of which manages and controls user access according to its own business. This leads to decentralized security management, possibly with a different implementation in every microservice, which is not conducive to unified management. Both approaches have advantages and disadvantages; the choice must be made at a high level according to the needs of the project, and in some circumstances the two can be combined.
Although the Spring Cloud Security documentation does not offer much help with its use, working through Spring Security and Spring Security OAuth2 first will help developers build robust secure applications with Spring Cloud Security.
Before introducing the related applications and source code, we need to cover some prerequisite knowledge, such as OAuth2 and JWT.
OAuth2 introduction
The OAuth2 theory in this section comes mainly from the official OAuth2 specification at https://tools.ietf.org/html/rfc6749.
The purpose of the OAuth protocol is to provide a secure, open and simple standard for authorizing access to user resources. The official website introduces it as follows:
An open protocol to allow secure API authorization in a simple and standard method from web, mobile and desktop applications.
Because OAuth1 is not compatible with OAuth2, its signature logic is too complex and it supports only a single authorization flow, I will not discuss it here. The following focuses on the OAuth2 authorization process, which is the mainstream authorization flow in current web applications.
Concepts in OAuth2
OAuth2 is the current industry standard for authorization. It focuses on keeping client-side development simple while providing specific authorization flows for web applications, desktop applications, mobile devices and living-room devices. It gives third-party applications limited access to an HTTP service: a resource owner can authorize a third-party application to access the HTTP service on their behalf, or a third-party application can obtain access in its own name.
Roles
There are four main roles in OAuth2:
- Resource Owner: an entity that can grant access to a protected resource. When the entity is a person, it is called the end-user.
- Resource Server: the server hosting the protected resources; it accepts requests that carry an access token and serves the protected resources.
- Client: an application that, with the resource owner's authorization, accesses protected resources on the resource owner's behalf.
- Authorization Server: authenticates the resource owner, obtains their authorization, and issues access tokens to clients.
In many cases the resource server and the authorization server are the same entity: the authorization server handles the authorization interaction and the resource server handles requests for resources. But the authorization server can also be a separate entity, and one authorization server can issue access tokens that are accepted by multiple resource servers.
The protocol flow
Take a look at this flow chart from the specification:
```
+--------+                               +---------------+
|        |--(1)- Authorization Request ->|   Resource    |
|        |                               |     Owner     |
|        |<-(2)-- Authorization Grant ---|               |
|        |                               +---------------+
|        |
|        |                               +---------------+
|        |--(3)-- Authorization Grant -->| Authorization |
| Client |                               |     Server    |
|        |<-(4)----- Access Token -------|               |
|        |                               +---------------+
|        |
|        |                               +---------------+
|        |--(5)----- Access Token ------>|    Resource   |
|        |                               |     Server    |
|        |<-(6)--- Protected Resource ---|               |
+--------+                               +---------------+
```
This is the abstract interaction flow between the OAuth2 roles, consisting of the following six steps:
- The client requests authorization from the resource owner;
- The resource owner agrees and returns an Authorization Grant, a credential representing the resource owner's authorization;
- The client presents the authorization grant to the authorization server, authenticates itself, and requests an access token;
- The authorization server authenticates the client, validates the authorization grant and, if it is valid, returns an access token;
- The client presents the access token to the resource server to request the protected resource;
- The resource server validates the access token and, if it is valid, accepts the request and returns the protected resource.
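To make the six steps concrete, here is an added example (not code from the article or from Spring Cloud Security) that models the three server-side roles in plain Python. The client registration, user, redirect URI and scope name are constructed sample values; the point is which role checks what at each step: the authorization server authenticates the resource owner (steps 1/2) and the client (steps 3/4), the grant is single-use and bound to the client that obtained it, and the resource server accepts only a valid, unexpired token with the required scope (steps 5/6).

```python
import secrets
import time

# Constructed sample registrations (assumed, not from the article): one client, one user.
CLIENTS = {"web-app": {"secret": "s3cret", "redirect_uri": "https://app.example/cb"}}
USERS = {"alice": "correct horse"}

class AuthorizationServer:
    def __init__(self):
        self.grants = {}  # authorization code -> (client_id, user, scope)
        self.tokens = {}  # access token -> (user, scope, expiry)
    def authorize(self, client_id, redirect_uri, user, password, scope):
        # Steps (1)/(2): authenticate the resource owner; the grant is bound to the client.
        client = CLIENTS.get(client_id)
        if client is None or client["redirect_uri"] != redirect_uri:
            raise PermissionError("unknown client or redirect_uri mismatch")
        if USERS.get(user) != password:
            raise PermissionError("resource owner authentication failed")
        code = secrets.token_urlsafe(16)
        self.grants[code] = (client_id, user, tuple(scope))
        return code

    def token(self, client_id, client_secret, code, ttl=60):
        # Steps (3)/(4): authenticate the client, consume the grant once, issue a short-lived token.
        client = CLIENTS.get(client_id)
        if client is None or not secrets.compare_digest(client["secret"], client_secret):
            raise PermissionError("client authentication failed")
        grant = self.grants.pop(code, None)  # single use: replaying a code fails
        if grant is None or grant[0] != client_id:
            raise PermissionError("invalid authorization code")
        tok = secrets.token_urlsafe(24)
        self.tokens[tok] = (grant[1], grant[2], time.time() + ttl)
        return tok

    def introspect(self, tok):
        # Lets a resource server validate a token it was handed in step (5).
        entry = self.tokens.get(tok)
        if entry is None or entry[2] < time.time():
            return None
        return {"user": entry[0], "scope": entry[1]}

class ResourceServer:
    def __init__(self, auth):
        self.auth, self.data = auth, {"alice": "alice's protected profile"}
    def get_profile(self, tok):
        # Steps (5)/(6): accept only a valid, unexpired token carrying the needed scope.
        info = self.auth.introspect(tok)
        if info is None or "profile:read" not in info["scope"]:
            raise PermissionError("invalid token or insufficient scope")
        return self.data[info["user"]]
```

In a real deployment the introspection call would be an HTTP request (or a locally verified JWT) rather than an in-process method, but the division of checks between the roles is the same.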
Summary
This article has given an overview of Spring Security. Spring Cloud Security provides a basic set of components for building secure applications and services. It wraps the relevant parts of Spring Security, Spring Security OAuth2 and Spring Security JWT, adds security features of its own, and aims to make it quick to create common security patterns for microservices in Spring Cloud.