Shiro framework
This is the back-end mini class of IT Academy. Each article analyses one back-end knowledge point or skill from eight aspects:
[background introduction] [knowledge analysis] [common problems] [solutions] [coding practice] [extended thinking] [more discussion] [references]
This article shares:
[Shiro framework]
Hello, I am the 12th student of the Shenzhen branch of IT Academy. I am an honest, pure and kind Java programmer.
Today I'd like to share with you a knowledge point from Java task 10 on the official website of the Academy: Shiro.
1. Background introduction
2. Knowledge analysis
3. Frequently asked questions
4. Solutions
5. Coding practice
6. Extended thinking
7. References
8. More discussion
1. Background introduction
Apache Shiro is a security framework; its responsibilities include authentication, authorization, encryption, session management, web integration, caching, etc. Today I want to talk about two of these: identity authentication and permission management. Here we use the combination of Spring Boot + Spring Security + OAuth2 + JWT to implement identity authentication and permission management.
2. Knowledge analysis
2.1. Main functions of spring security:
2.2. Spring security configuration
2.3. Authentication process of spring cloud oauth2
2.4. Application scenarios of JWT
2.5. JWT certification process
2.1. Main functions of spring security:
1. Authentication is the process of verifying the identity of a subject. A subject usually refers to a user, a device or another entity that can perform operations in the application.
2. Authorization is the process of deciding whether an authenticated subject is allowed to perform a given operation.
2.2. Spring security configuration
1. First, introduce the Spring Security dependencies.
2. Write a configuration class that extends WebSecurityConfigurerAdapter and annotate it with @EnableWebSecurity to enable web security.
3. Configure HttpSecurity, that is, the authentication rules: which URLs require authentication, which do not, and which permissions are needed to access them.
4. To enable method-level security, add @EnableGlobalMethodSecurity to the configuration class. Method-level security is controlled by three switches: securedEnabled, jsr250Enabled and prePostEnabled, of which prePostEnabled is the most used. prePostEnabled turns on @PreAuthorize and @PostAuthorize; in practice, @PreAuthorize is used most of the time.
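The four steps above, written out as one Spring Security 5.x configuration class plus a method-secured service. This is an added example, not code from the original article: the URL patterns, role names, user names and the ReportService class are assumptions chosen for illustration, and the dependency it needs is spring-boot-starter-security.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PostAuthorize;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.stereotype.Service;

// Step 2: configuration class extends WebSecurityConfigurerAdapter and enables web security.
// Step 4: prePostEnabled turns on @PreAuthorize / @PostAuthorize on service methods.
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    // Step 3: HttpSecurity rules. Order matters: the first matching rule wins,
    // and the catch-all anyRequest() must come last.
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/public/**").permitAll()          // assumed: no login needed
                .antMatchers("/admin/**").hasRole("ADMIN")       // assumed: ROLE_ADMIN only
                .anyRequest().authenticated()                   // everything else: logged in
                .and()
            .httpBasic();                                       // simplest authentication for the demo
    }

    // Passwords are always stored hashed; BCrypt is the Spring default recommendation.
    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    // In-memory users for the demo only (assumed names and passwords).
    // A real deployment backs UserDetailsService with a database or directory.
    @Bean
    public UserDetailsService userDetailsService(PasswordEncoder encoder) {
        InMemoryUserDetailsManager users = new InMemoryUserDetailsManager();
        users.createUser(User.withUsername("alice")
                .password(encoder.encode("alice-demo-password")).roles("USER").build());
        users.createUser(User.withUsername("root")
                .password(encoder.encode("root-demo-password")).roles("USER", "ADMIN").build());
        return users;
    }
}

// Hypothetical service showing method-level security from step 4.
@Service
class ReportService {

    // Checked before the method runs: only ROLE_ADMIN may call it.
    @PreAuthorize("hasRole('ADMIN')")
    public String exportAll() {
        return "all reports";
    }

    // Checked after the method runs: the caller may only see their own report.
    // 'authentication.name' is the logged-in user name from the security context.
    @PostAuthorize("returnObject.startsWith(authentication.name)")
    public String reportFor(String owner) {
        return owner + ":report";
    }
}
```

Note that WebSecurityConfigurerAdapter is deprecated from Spring Security 5.7 and removed in 6.0, where the same HttpSecurity rules are expressed as a SecurityFilterChain bean and the method-level switch is @EnableMethodSecurity; the rules themselves are unchanged.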
2.3. Authentication process of spring cloud oauth2
OAuth2 is a standard authorization protocol that allows different clients to access protected resources through authentication and authorization. There are three main roles in the authentication and authorization process:
(1) Authorization server (service provider)
(2) Resource server
(3) Client
OAuth2's authorization flow is as follows:
(1) The user (resource owner) opens the client, and the client asks the user for authorization.
(2) The user agrees to the authorization.
(3) The client requests authorization from the authorization server.
(4) The authorization server authenticates the client, including verifying the user's information. After authentication succeeds, it issues an access token.
(5) After the client obtains the token, it carries the token when requesting resources from the resource server.
(6) The resource server confirms that the token is valid and releases the resource to the client.
2.4. Application scenarios of JWT
Before that, let's first understand what JWT is. JSON Web Token is an open standard that defines a compact, self-contained format for wrapping the claims about a subject as a JSON object. The subject information is protected and verified by a digital signature. The JWT is usually signed with an HMAC algorithm or with RSA (asymmetric public/private key cryptography), which gives it strong security.
(1) Authentication: this is the most common scenario for using JWT. Once the user logs in and obtains a JWT, every subsequent request carries the JWT. The JWT contains the user's identity, permission points and other information, and the resource service uses the information in the JWT to decide which resources the request may access.
(2) Information exchange: JWT is a way to transmit information safely between parties. Because the JWT is signed, the receiver can check that the content has not been tampered with.
2.5. JWT certification process
The client requests a JWT by providing a username and password. After the server verifies that the username and password are correct, it packages the user information and permission points into a signed JWT and returns it to the client. In every subsequent request the client carries the JWT. The advantage is that later requests do not need to go through the permission service again to identify the requesting user and look up the user's permissions.
3. Frequently asked questions
3.1. What are the shortcomings of oauth2?
A: The defect is that for each request, the resource service must make a remote call to the authentication service to verify that the token is valid and to look up the permissions the token grants to the user. Every request therefore costs an additional internal request.
3.2. What are the parts of the structure of JWT?
A: It consists of three parts: header, payload and signature.
3.3. What are the characteristics of JWT?
(1) JWT is not encrypted by default, but it can be encrypted: after the original token is generated, it can be encrypted again with a key.
(2) Secret data must not be written into a JWT unless it is encrypted.
(3) JWT can be used not only for authentication but also for exchanging information. Used well, JWT reduces the number of database queries the server has to make.
(4) The biggest disadvantage of JWT is that, because the server keeps no session state, it cannot revoke a token or change a token's permissions while it is in use. Once a JWT is signed it remains valid until it expires, unless the server deploys additional logic.
(5) A JWT itself contains the authentication information, so once it is leaked, anyone holding it gets all of the token's permissions. To limit the damage from a stolen token, the validity period of a JWT should be kept short, and users should be re-authenticated for important permissions.
(6) To reduce the risk of theft, JWTs should not be transmitted in plaintext over HTTP, but only over HTTPS.
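The JWT structure and verification described in sections 2.4, 2.5, 3.1 and 3.3, as an added example using only the Java standard library (it is not the article's code and not a Spring Security API). It builds an HS256 token, verifies it locally the way a resource server would instead of calling the authentication service (section 3.1), rejects a tampered payload and an expired token, and shows that the payload is readable by anyone without the key (section 3.3, points 1 and 2). The secret, claims and timestamps are constructed demo values; the tiny "exp" extractor is a stand-in for a real JSON parser.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class HmacJwtDemo {
    private static final Base64.Encoder B64 = Base64.getUrlEncoder().withoutPadding();
    private static final Base64.Decoder B64D = Base64.getUrlDecoder();

    // header.payload.signature, each part base64url-encoded; only the signature needs the key.
    static String sign(String payloadJson, byte[] secret) throws Exception {
        String header = B64.encodeToString("{\"alg\":\"HS256\",\"typ\":\"JWT\"}".getBytes(StandardCharsets.UTF_8));
        String payload = B64.encodeToString(payloadJson.getBytes(StandardCharsets.UTF_8));
        String signingInput = header + "." + payload;
        return signingInput + "." + B64.encodeToString(hmac(signingInput, secret));
    }

    static byte[] hmac(String data, byte[] secret) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(secret, "HmacSHA256"));
        return mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
    }

    // Local verification: returns the payload JSON when the signature is valid and the
    // token has not expired, otherwise null. No call to the authentication service is needed.
    static String verify(String token, byte[] secret, long nowEpochSeconds) throws Exception {
        String[] parts = token.split("\\.");
        if (parts.length != 3) return null;
        // Pin the algorithm we signed with; never let the token's own header choose it.
        String header = new String(B64D.decode(parts[0]), StandardCharsets.UTF_8);
        if (!header.contains("\"alg\":\"HS256\"")) return null;
        byte[] expected = hmac(parts[0] + "." + parts[1], secret);
        byte[] actual = B64D.decode(parts[2]);
        if (!MessageDigest.isEqual(expected, actual)) return null;   // constant-time compare
        String payload = new String(B64D.decode(parts[1]), StandardCharsets.UTF_8);
        long exp = extractExp(payload);
        if (exp >= 0 && nowEpochSeconds >= exp) return null;          // expired: point (4)/(5)
        return payload;
    }

    // Demo-only extraction of the numeric "exp" claim (assumed to be present as digits).
    static long extractExp(String payloadJson) {
        int i = payloadJson.indexOf("\"exp\":");
        if (i < 0) return -1;
        int start = i + 6, end = start;
        while (end < payloadJson.length() && Character.isDigit(payloadJson.charAt(end))) end++;
        return Long.parseLong(payloadJson.substring(start, end));
    }

    public static void main(String[] args) throws Exception {
        byte[] secret = "demo-secret-not-for-production".getBytes(StandardCharsets.UTF_8);  // constructed
        long now = 1_700_000_000L;                                                          // constructed clock
        String claims = "{\"sub\":\"alice\",\"roles\":[\"USER\"],\"exp\":" + (now + 300) + "}";
        String token = sign(claims, secret);

        // Point (1)/(2): the payload is only encoded, not encrypted, so anyone can read it.
        String readable = new String(B64D.decode(token.split("\\.")[1]), StandardCharsets.UTF_8);
        System.out.println("payload readable without key: " + readable);

        System.out.println("valid now:      " + (verify(token, secret, now) != null));        // true
        System.out.println("after expiry:   " + (verify(token, secret, now + 301) != null));  // false

        // Tampering: swap the role in the payload but keep the original signature.
        String[] p = token.split("\\.");
        String forgedPayload = B64.encodeToString(claims.replace("USER", "ADMIN").getBytes(StandardCharsets.UTF_8));
        String tampered = p[0] + "." + forgedPayload + "." + p[2];
        System.out.println("tampered token: " + (verify(tampered, secret, now) != null));     // false

        // Wrong key: a token signed by someone without the server's secret is rejected.
        String foreign = sign(claims, "other-secret".getBytes(StandardCharsets.UTF_8));
        System.out.println("foreign key:    " + (verify(foreign, secret, now) != null));      // false
    }
}
```

The expiry check is the only control the server has over an issued token, which is why section 3.3 recommends short lifetimes: nothing in this code can invalidate a leaked token before its "exp" is reached unless a revocation list or similar extra logic is added.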
4. Solutions
5. Coding practice
6. Extended thinking
7. References
CSDN, Baidu Encyclopedia
8. More discussion
That's all for today's sharing. You are welcome to like, forward, leave comments and offer criticism~
Skill tree It Academy
"We believe that everyone can become an engineer. Start now: find a senior to guide you, take control of your learning rhythm, and stop feeling lost on the way to learning."
This is the Skill Tree of IT Academy, where thousands of seniors have found their own learning route. Learning is transparent and growth is visible, with free one-to-one guidance from seniors.
Come and study with me~