(Star ImportNew to improve Java skills)
RBAC stands for Role-Based Access Control. This article explains RBAC from several angles: what RBAC is, how the RBAC models are classified, what permissions are, how user groups are used, and a case study.
(Mind map of the article's structure: image not reproduced here.)
In RBAC, users are associated with roles and roles are associated with permissions, so a user obtains its permissions indirectly through its roles, as shown in the following figure (figure not reproduced here).
In a typical system many users need the same permissions. If permissions were assigned to each user directly, every change would have to be repeated for each of those users in turn. With a role holding the permissions, a change is made once on the role and every user with that role picks it up. This saves work and reduces the chance of permission mistakes that turn into authorization vulnerabilities.
The RBAC model family is divided into four models: RBAC0, RBAC1, RBAC2 and RBAC3. This article introduces them in turn; the most commonly used is RBAC0.
RBAC0 is the simplest RBAC model. It contains only users, roles and permissions, and the user-role relation comes in two variants.
In the many-to-one variant a user plays only one role, while a role can have many users. In the many-to-many variant a user can play several roles at the same time, and a role can still have many users.
The many-to-one variant suits a system with a single function and few people. As an example, Zhang San is responsible for both administration and finance, so Zhang San holds two roles and therefore two sets of permissions: administrative authority and financial authority.
RBAC1 builds on RBAC0 by adding sub-roles and introducing inheritance: a role placed below another in the hierarchy inherits that role's permissions.
RBAC2 builds on RBAC0 by adding constraints that restrict how roles may be assigned and used.
Mutually exclusive roles: the same user cannot hold two roles that exclude each other. For example, in a financial system a user cannot hold both the accountant and the auditor role (separation of duty).
Cardinality: the number of members of a role is fixed. For example, the CEO role can be held by only one user.
Prerequisite roles: to obtain a higher role a user must first hold a lower one. For example, a user must already have the deputy general manager role before being given the manager role; the deputy general manager role is a prerequisite for the manager role.
Runtime mutual exclusion: a user may hold two roles but cannot use them at the same time and has to switch roles to act in the other one. For example, with the general manager and commissioner roles, the system lets a user act in only one of them during a session, not in both at once.
RBAC3 combines RBAC1 and RBAC2, so it has both role inheritance and constraints; it is also called the unified model.
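The following is an added example, not code from the original article: a small plain-Java engine that shows the four models in one class. RBAC0 is the user/role/permission mapping, RBAC1 is role inheritance, RBAC2 is the four constraints described above (the runtime exclusion is enforced at session activation time, which is why authorization checks only activated roles), and RBAC3 is simply all of them together. The user names, role names and permission strings are assumptions made for the example.

```java
import java.util.*;

/** Added example: minimal RBAC0..RBAC3 engine. Names and data are illustrative assumptions. */
public class RbacDemo {
    private final Map<String, Set<String>> userRoles = new HashMap<>();    // RBAC0: user -> roles
    private final Map<String, Set<String>> rolePerms = new HashMap<>();    // RBAC0: role -> permissions
    private final Map<String, Set<String>> parentsOf = new HashMap<>();    // RBAC1: role -> roles it inherits from
    private final List<Set<String>> staticExclusive = new ArrayList<>();   // RBAC2: cannot be assigned together
    private final List<Set<String>> dynamicExclusive = new ArrayList<>();  // RBAC2: cannot be active together
    private final Map<String, Integer> cardinality = new HashMap<>();      // RBAC2: max members of a role
    private final Map<String, String> prerequisite = new HashMap<>();      // RBAC2: role -> role required first
    private final Map<String, Set<String>> activeRoles = new HashMap<>();  // session state: user -> activated roles

    public void grant(String role, String... perms) {
        rolePerms.computeIfAbsent(role, k -> new HashSet<>()).addAll(Arrays.asList(perms));
    }
    public void inherits(String child, String parent) {
        parentsOf.computeIfAbsent(child, k -> new HashSet<>()).add(parent);
    }
    public void staticExclusive(String a, String b) { staticExclusive.add(new HashSet<>(Arrays.asList(a, b))); }
    public void dynamicExclusive(String a, String b) { dynamicExclusive.add(new HashSet<>(Arrays.asList(a, b))); }
    public void cardinality(String role, int max) { cardinality.put(role, max); }
    public void prerequisite(String role, String required) { prerequisite.put(role, required); }

    /** True when 'role' is paired with a role already present in 'held'. */
    private static boolean conflicts(List<Set<String>> pairs, Set<String> held, String role) {
        for (Set<String> pair : pairs) {
            if (!pair.contains(role)) continue;
            for (String other : pair) if (!other.equals(role) && held.contains(other)) return true;
        }
        return false;
    }

    /** Assigns a role; refuses and changes nothing when a static RBAC2 constraint would be violated. */
    public boolean assign(String user, String role) {
        Set<String> held = userRoles.computeIfAbsent(user, k -> new HashSet<>());
        if (held.contains(role)) return true;
        if (conflicts(staticExclusive, held, role)) return false;                      // mutual exclusion
        long members = userRoles.values().stream().filter(s -> s.contains(role)).count();
        if (members >= cardinality.getOrDefault(role, Integer.MAX_VALUE)) return false; // cardinality
        String required = prerequisite.get(role);
        if (required != null && !held.contains(required)) return false;              // prerequisite
        held.add(role);
        return true;
    }

    /** Activates an assigned role for the session; runtime mutual exclusion is enforced here, not at assignment. */
    public boolean activate(String user, String role) {
        if (!userRoles.getOrDefault(user, Collections.emptySet()).contains(role)) return false;
        Set<String> active = activeRoles.computeIfAbsent(user, k -> new HashSet<>());
        if (conflicts(dynamicExclusive, active, role)) return false;
        active.add(role);
        return true;
    }

    /** Effective permissions of a role, walking the RBAC1 hierarchy upwards (safe against cycles). */
    public Set<String> permissionsOf(String role) {
        Set<String> out = new HashSet<>(), seen = new HashSet<>();
        Deque<String> todo = new ArrayDeque<>(Collections.singleton(role));
        while (!todo.isEmpty()) {
            String r = todo.pop();
            if (!seen.add(r)) continue;
            out.addAll(rolePerms.getOrDefault(r, Collections.emptySet()));
            todo.addAll(parentsOf.getOrDefault(r, Collections.emptySet()));
        }
        return out;
    }

    /** Authorization decision: only roles activated in the session count, not every assigned role. */
    public boolean can(String user, String perm) {
        for (String r : activeRoles.getOrDefault(user, Collections.emptySet()))
            if (permissionsOf(r).contains(perm)) return true;
        return false;
    }

    public static void main(String[] args) {
        RbacDemo rbac = new RbacDemo();
        rbac.grant("finance", "invoice:create");
        rbac.grant("admin", "user:manage");
        rbac.grant("manager", "report:approve");
        rbac.inherits("manager", "finance");                 // RBAC1: a manager can do everything finance can
        rbac.staticExclusive("accountant", "auditor");       // RBAC2: separation of duty
        rbac.cardinality("ceo", 1);
        rbac.prerequisite("manager", "deputy_manager");
        rbac.dynamicExclusive("general_manager", "commissioner");

        rbac.assign("zhangsan", "admin"); rbac.assign("zhangsan", "finance");   // RBAC0: two roles, both permission sets
        rbac.activate("zhangsan", "admin"); rbac.activate("zhangsan", "finance");
        System.out.println("zhangsan invoice:create  " + rbac.can("zhangsan", "invoice:create"));
        System.out.println("lisi accountant         " + rbac.assign("lisi", "accountant"));
        System.out.println("lisi auditor            " + rbac.assign("lisi", "auditor"));        // excluded by accountant
        System.out.println("second ceo              " + (rbac.assign("wangwu", "ceo") && rbac.assign("zhaoliu", "ceo")));
        System.out.println("sunqi manager first     " + rbac.assign("sunqi", "manager"));       // deputy_manager missing
        rbac.assign("sunqi", "deputy_manager");
        System.out.println("sunqi manager second    " + rbac.assign("sunqi", "manager"));
        rbac.activate("sunqi", "manager");
        System.out.println("sunqi invoice:create    " + rbac.can("sunqi", "invoice:create"));   // inherited from finance
        rbac.assign("zhouba", "general_manager"); rbac.assign("zhouba", "commissioner");
        rbac.activate("zhouba", "general_manager");
        System.out.println("zhouba commissioner     " + rbac.activate("zhouba", "commissioner")); // blocked while GM is active
    }
}
```

The design point worth noticing is that assignment-time constraints (exclusion, cardinality, prerequisite) and session-time constraints (runtime exclusion) live in different methods, and the authorization check consults only activated roles; folding them together is the usual way such engines end up granting a "switched-off" role's permissions by accident.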
Permissions are a collection of resources, and resources here mean everything in the software: the right to operate a page, the right to access a page, and the right to add, delete, query and modify data. As an example, take the system in the following figure (figure not reproduced here).
Plan management, customer management, contract management, inbound and outbound notification management, food safety traceability, food statistics query and equipment management are all pages; whether these pages can be accessed, and whether their menu entries are visible at all, are all permissions.
A user group collects a large number of users into one group so that roles, and therefore permissions, can be granted in bulk. For example, a department has more than 10,000 employees who all need the same role. Without user groups the role would have to be granted to each employee one by one; with a user group the employees are placed in the group and the role is granted to the group, which has the same effect as granting it to every member.
Pros: reduced workload, easy to understand, supports multi-level management, and so on.
Start by adding the spring-boot-starter-security dependency (the original dependency snippet is not reproduced here).
Spring Boot basics are not covered here; this practical tutorial is recommended: https://github.com/javastacks/spring-boot-best-practice
Then add a simple controller endpoint to protect.
Finally start the project and look up the generated password in the startup log: with no user configured, Spring Security creates a user named user and prints a random password in a line beginning "Using generated security password:".
Opening the controller's URL now redirects to the default login page.
Enter the user name user and the generated password.
The login succeeds and the request continues to the original URL.
In the configuration file, set a fixed login name and password instead of the generated one (the original snippet is not reproduced here); the Spring Boot properties for this are spring.security.user.name, spring.security.user.password and, optionally, spring.security.user.roles.
On the login page, enter that user name and password to log in normally.
Next, replace the property-based user with a custom class that extends WebSecurityConfigurerAdapter (the original class listing is not reproduced here).
In it, the configured user name is admin, the password is 123, and the role is admin.
The HttpSecurity part of the class then lists the URL patterns to intercept and the role each one requires.
Its last rule covers every request not matched above, so access to all remaining URLs is intercepted here and requires an authenticated user.
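The following is an added example, not the article's own listing: a WebSecurityConfigurerAdapter subclass with the in-memory user described above (admin / 123, role admin), URL-pattern interception, and the BCrypt password encoder that the password-encryption section later in the article calls for. The URL patterns /admin/** and /user/** and the second user are assumptions chosen for the example.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

/** Added example for the article's SecurityConfig step (Spring Security 5.x, WebSecurityConfigurerAdapter API). */
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    /** BCrypt is a salted, deliberately slow hash. Spring Security 5 rejects plain passwords without a {noop} prefix. */
    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    /** The article's user: admin / 123 with role admin. roles("ADMIN") stores the authority ROLE_ADMIN. */
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
            .passwordEncoder(passwordEncoder())
            .withUser("admin").password(passwordEncoder().encode("123")).roles("ADMIN")
            .and()
            .withUser("user").password(passwordEncoder().encode("123")).roles("USER");   // assumed second user
    }

    /** URL interception. Rules are matched top-down and the first match wins, so specific patterns go first. */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .antMatchers("/login", "/css/**").permitAll()
                .antMatchers("/admin/**").hasRole("ADMIN")            // same as hasAuthority("ROLE_ADMIN")
                .antMatchers("/user/**").hasAnyRole("ADMIN", "USER")
                .anyRequest().authenticated()                          // everything else still needs a login
            .and()
            .formLogin()
            .and()
            .logout();
    }
}
```

Two checks worth making on a configuration like this: the order of the antMatchers rules (a permitAll placed after a broader pattern never fires), and that every password handed to withUser() is already encoded, because the in-memory store compares with the same PasswordEncoder at login time.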
This is a small demo whose purpose is to log in and return a token generated with JWT.
Add the web dependency (spring-boot-starter-web).
Import the JWT and Spring Security dependencies.
Create the related JavaBean for the user (user name, password, roles).
Write a utility class that generates tokens, refreshes tokens, and validates tokens.
Write a filter that looks for the JWT on each request and validates it.
Along with the code above, write the UserDetailsService class that loads the user during the validation process.
Write the implementation class of the login business; its login method authenticates the credentials and returns a token from JWTUtils.
Run it; the return result is the token.
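The following is an added example that is not the article's own code: the JWT utility class (generate, validate, refresh), the filter that checks the token on each request, and a login service that returns the token, written against the jjwt 0.9.x API (Jwts.builder() / Jwts.parser()). The secret, the token lifetime, the "roles" claim name and the class names are assumptions made for the example.

```java
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.web.filter.OncePerRequestFilter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Date;
import java.util.List;
import java.util.stream.Collectors;

/** Added example: token helper (jjwt 0.9.x). The secret is injected; it must be long and random, never a literal. */
class JwtUtils {
    private final byte[] key;
    private final long ttlMillis;

    JwtUtils(String secret, long ttlMillis) {
        this.key = secret.getBytes(StandardCharsets.UTF_8);
        this.ttlMillis = ttlMillis;
    }

    String generate(String username, List<String> roles) {
        Date now = new Date();
        return Jwts.builder()
                .setSubject(username)
                .claim("roles", roles)                            // assumed claim name; saves a DB lookup in the filter
                .setIssuedAt(now)
                .setExpiration(new Date(now.getTime() + ttlMillis))
                .signWith(SignatureAlgorithm.HS256, key)
                .compact();
    }

    /** Claims when signature and expiry are valid; null for a bad signature, an expired or a malformed token. */
    Claims validate(String token) {
        try {
            return Jwts.parser().setSigningKey(key).parseClaimsJws(token).getBody();
        } catch (JwtException | IllegalArgumentException e) {
            return null;
        }
    }

    /** Re-issues a token only while the old one still validates; an expired token cannot be refreshed this way. */
    String refresh(String token) {
        Claims claims = validate(token);
        if (claims == null) return null;
        @SuppressWarnings("unchecked")
        List<String> roles = claims.get("roles", List.class);
        return generate(claims.getSubject(), roles);
    }
}

/** Added example: a valid Bearer token populates the SecurityContext; anything else leaves the request anonymous. */
class JwtAuthenticationFilter extends OncePerRequestFilter {
    private final JwtUtils jwt;

    JwtAuthenticationFilter(JwtUtils jwt) { this.jwt = jwt; }

    @Override
    protected void doFilterInternal(HttpServletRequest req, HttpServletResponse res, FilterChain chain)
            throws ServletException, IOException {
        String header = req.getHeader("Authorization");
        if (header != null && header.startsWith("Bearer ")
                && SecurityContextHolder.getContext().getAuthentication() == null) {
            Claims claims = jwt.validate(header.substring("Bearer ".length()));
            if (claims != null) {
                @SuppressWarnings("unchecked")
                List<String> roles = claims.get("roles", List.class);
                List<SimpleGrantedAuthority> authorities = roles.stream()
                        .map(SimpleGrantedAuthority::new).collect(Collectors.toList());
                SecurityContextHolder.getContext().setAuthentication(
                        new UsernamePasswordAuthenticationToken(claims.getSubject(), null, authorities));
            }
        }
        chain.doFilter(req, res);   // invalid token: nothing is set, so the authorization rules reject the request
    }
}

/** Added example: the login business. The AuthenticationManager checks the password; the service mints the token. */
class LoginService {
    private final AuthenticationManager authManager;
    private final JwtUtils jwt;

    LoginService(AuthenticationManager authManager, JwtUtils jwt) { this.authManager = authManager; this.jwt = jwt; }

    String login(String username, String password) {
        // authenticate() throws AuthenticationException on bad credentials; let the caller map it to HTTP 401
        Authentication auth = authManager.authenticate(new UsernamePasswordAuthenticationToken(username, password));
        UserDetails user = (UserDetails) auth.getPrincipal();
        List<String> roles = user.getAuthorities().stream().map(GrantedAuthority::getAuthority).collect(Collectors.toList());
        return jwt.generate(user.getUsername(), roles);
    }
}
```

To wire this into the configuration class, register the filter with http.addFilterBefore(new JwtAuthenticationFilter(jwtUtils), UsernamePasswordAuthenticationFilter.class), set sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS) so no HTTP session is created, permit the login URL, and expose the AuthenticationManager as a bean by overriding authenticationManagerBean() with @Bean so LoginService can receive it. Note that the token carries the roles at issue time; a role removed from the user stays usable until the token expires, which is the trade-off behind choosing a short lifetime plus refresh.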
Next comes JSON login for Spring Security. By default UsernamePasswordAuthenticationFilter reads the user name and password as form parameters, so a JSON request body is not recognized.
To support it, extend UsernamePasswordAuthenticationFilter so that its attemptAuthentication method reads the JSON body, and register the new filter in the Spring Security configuration (the original code is not reproduced here).
That completes logging into Spring Security with JSON.
The following needs to be configured in the config class: a PasswordEncoder bean.
That is, this encoder is used to hash passwords, and the same encoder is used in the business layer when a user is created.
In other words, the password is hashed with BCryptPasswordEncoder before it is saved to the database; BCrypt is a salted one-way hash, not reversible encryption, so the database never holds a recoverable password.
Here Spring Security authenticates against a database.
Design the data tables: users, roles, and the user-role association (the original table design is not reproduced here).
The focus is on configuring the security config class to use a UserDetailsService that reads those tables, together with the password encoder above.
This article covered the RBAC permission model, the basic use of Spring Security, Spring Security with JWT for a separated front end and back end, JSON login configuration, and password hashing.
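The following is an added example that is not the article's own code or table design: a UserDetailsService backed by JdbcTemplate, with the configuration that plugs it and the BCrypt encoder into Spring Security. The table and column names (sys_user, sys_role, sys_user_role) are assumptions made for the example.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.stereotype.Service;
import java.util.List;
import java.util.Map;

/**
 * Added example. Assumed tables (not the article's design):
 *   sys_user(id, username UNIQUE, password = BCrypt hash, enabled BOOLEAN)
 *   sys_role(id, name stored with the ROLE_ prefix, e.g. ROLE_ADMIN)
 *   sys_user_role(user_id, role_id)
 */
@Service
public class DbUserDetailsService implements UserDetailsService {
    private final JdbcTemplate jdbc;

    public DbUserDetailsService(JdbcTemplate jdbc) { this.jdbc = jdbc; }

    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        // Parameterised queries only: the user name arrives straight from the login form.
        List<Map<String, Object>> rows = jdbc.queryForList(
                "SELECT id, password, enabled FROM sys_user WHERE username = ?", username);
        if (rows.isEmpty()) {
            // DaoAuthenticationProvider turns this into BadCredentialsException, so clients cannot enumerate users
            throw new UsernameNotFoundException("bad credentials");
        }
        Map<String, Object> row = rows.get(0);
        List<String> roles = jdbc.queryForList(
                "SELECT r.name FROM sys_role r JOIN sys_user_role ur ON ur.role_id = r.id WHERE ur.user_id = ?",
                String.class, row.get("id"));
        return User.withUsername(username)
                .password((String) row.get("password"))          // the stored hash; PasswordEncoder.matches() compares
                .disabled(!Boolean.TRUE.equals(row.get("enabled")))
                .authorities(roles.toArray(new String[0]))       // names already carry ROLE_, so hasRole("ADMIN") works
                .build();
    }
}

/** Added example: hands the database-backed service and the BCrypt encoder to Spring Security. */
@EnableWebSecurity
class DbSecurityConfig extends WebSecurityConfigurerAdapter {
    private final DbUserDetailsService users;

    DbSecurityConfig(DbUserDetailsService users) { this.users = users; }

    @Bean
    public PasswordEncoder passwordEncoder() { return new BCryptPasswordEncoder(); }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(users).passwordEncoder(passwordEncoder());
    }
}
```

Whatever code creates users must write passwordEncoder().encode(rawPassword) into sys_user.password; a row inserted with a plaintext password will never authenticate, and Spring Security logs a warning about the missing encoder id when it meets one.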
Source: 小小___
Link: https://segmentfault.com/a/1190000023052493
– EOF –