Spring Security default authentication process and its advantages and disadvantages
1. Summary of the Spring Security default authentication process
The authentication process is described in detail in "IV. Spring Boot integration with Spring Security authentication process"; its core steps are as follows:
- SecurityContextPersistenceFilter: before the rest of the filter chain runs, it loads the security context from the security context repository (an empty, unauthenticated security context when the user is not logged in); after the chain has run, it reads the security context from the security context holder and writes it back to the security context repository
- LogoutFilter: if the request is a logout request, it clears the authentication information from the security context and redirects to the login page; otherwise the request is not processed
- UsernamePasswordAuthenticationFilter: if the request is a login request, it verifies the username and password in the request parameters; on success it generates a new authenticated security context, saves it to the security context repository and redirects to the target URL; otherwise the request is not processed.
- DefaultLoginPageGeneratingFilter: if the request is for the login page, it returns the default login page; otherwise the request is not processed
- DefaultLogoutPageGeneratingFilter: if the request is for the logout page, it returns the default logout page; otherwise the request is not processed.
2. Advantages and disadvantages
- Provides a complete and secure authentication process
- The default session-based authentication process targets projects that are not front-end/back-end separated, a style that has gradually fallen out of use.
- No authentication process for front-end/back-end separated projects is provided
III. Approach to authentication for front-end/back-end separated projects
1. Authentication process for front-end/back-end separated projects (an optimization of the default process)
- The front end submits the username and password entered by the user to the back end
- The back end receives the username and password and verifies them; on success it generates a token (analogous to a session id) and returns it to the front end, and generates an authenticated security context (analogous to a session) and stores it in the security context repository.
- The front end keeps the token and sends it in a request header on every subsequent request (analogous to a cookie)
- The back end reads the token from the request header, looks up the security context by that token, and sets it in the security context holder
- When the front end submits a logout request, the back end reads the token from the request header and removes the security context from the security context repository by that token
2. Default implementations of the key components in the authentication process for front-end/back-end separated projects
Four key components can be identified in the authentication process of a front-end/back-end separated project:
- A filter that, on every request, fetches the security context from the security context repository by the token in the request header (default: SecurityContextPersistenceFilter)
- A filter that, on logout, removes the security context from the security context repository by the token in the request header (default: LogoutFilter)
- A filter that, on login, verifies the username and password, generates the token and the security context, and adds the security context to the security context repository (default: UsernamePasswordAuthenticationFilter)
- The security context repository (default: HttpSessionSecurityContextRepository)
3. Limitations of the default implementation
- UsernamePasswordAuthenticationFilter reads the credentials from form request parameters, which does not comply with a RESTful API specification
- AuthenticationManager, the key authentication component, is not registered as a bean in the Spring container, so a custom authentication filter cannot obtain it directly from the container
- UsernamePasswordAuthenticationFilter only implements the authentication step; the process of generating the security context after successful authentication and adding it to the repository cannot be controlled, so only the default HttpSession or RequestAttributes storage can be used and it cannot be customized!
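The second and third limitations are addressed at configuration time. The following Spring Security configuration is an added example, not the article's code: it exposes the AuthenticationManager that Spring Boot builds as a bean, registers a custom repository as the SecurityContextRepository for the whole chain, and installs a JSON login filter in place of the form one. It assumes Spring Security 5.7+ (lambda DSL, AuthenticationConfiguration), that the classes RestfulUsernamePasswordAuthenticationFilter, SecurityContextRepositoryImpl and UserDetailsImpl (with a getToken() accessor) named later in the article exist with the constructors shown, that UserDetailsServiceImpl is registered as a bean so Boot builds a DaoAuthenticationProvider from it, and a header name of X-Auth-Token; all of these are assumptions.

```java
// Added example (not the article's code). Assumes Spring Security 5.7+ and that the custom
// classes named in the article (RestfulUsernamePasswordAuthenticationFilter,
// SecurityContextRepositoryImpl, UserDetailsImpl#getToken) exist with the constructors used here.
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpStatus;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.HttpStatusEntryPoint;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.security.web.authentication.logout.HttpStatusReturningLogoutSuccessHandler;
import org.springframework.security.web.context.SecurityContextRepository;

@Configuration
@EnableWebSecurity
public class SecurityConfig {

    /** Limitation 2: expose the AuthenticationManager Boot builds so custom filters can inject it. */
    @Bean
    public AuthenticationManager authenticationManager(AuthenticationConfiguration configuration) throws Exception {
        return configuration.getAuthenticationManager();
    }

    /** Passwords are compared as BCrypt hashes by the DaoAuthenticationProvider Boot wires for the UserDetailsService bean. */
    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    /** Limitation 3: the repository is now our choice instead of HttpSessionSecurityContextRepository. */
    @Bean
    public SecurityContextRepository securityContextRepository() {
        return new SecurityContextRepositoryImpl();
    }

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http, AuthenticationManager authenticationManager,
                                           SecurityContextRepository repository) throws Exception {
        RestfulUsernamePasswordAuthenticationFilter loginFilter =
                new RestfulUsernamePasswordAuthenticationFilter(authenticationManager);
        // AbstractAuthenticationProcessingFilter saves the authenticated context here on success.
        loginFilter.setSecurityContextRepository(repository);
        // Return the token as JSON instead of redirecting. The token is a UUID, so no JSON escaping is needed.
        loginFilter.setAuthenticationSuccessHandler((request, response, authentication) -> {
            String token = ((UserDetailsImpl) authentication.getPrincipal()).getToken();
            response.setContentType("application/json");
            response.getWriter().write("{\"token\":\"" + token + "\"}");
        });
        // Bad credentials: a bare 401 with no detail about which part of the credentials was wrong.
        loginFilter.setAuthenticationFailureHandler(
                (request, response, exception) -> response.sendError(HttpStatus.UNAUTHORIZED.value()));

        http
            // Limitation 1: the JSON login filter takes the form filter's position in the chain.
            .addFilterAt(loginFilter, UsernamePasswordAuthenticationFilter.class)
            // Token in a header, not a session cookie: no HttpSession and no CSRF token exchange.
            .csrf(csrf -> csrf.disable())
            .sessionManagement(sm -> sm.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            // The per-request filter resolves the context through our repository.
            .securityContext(sc -> sc.securityContextRepository(repository))
            .logout(logout -> logout
                .logoutUrl("/logout")
                // Explicitly hand the repository an empty context so the token is revoked on logout,
                // independent of which version's default logout handlers are in place.
                .addLogoutHandler((request, response, authentication) ->
                        repository.saveContext(SecurityContextHolder.createEmptyContext(), request, response))
                .logoutSuccessHandler(new HttpStatusReturningLogoutSuccessHandler()))
            // Unauthenticated API calls get 401 instead of a redirect to a login page.
            .exceptionHandling(eh -> eh.authenticationEntryPoint(new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED)))
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated());
        return http.build();
    }
}
```

With this wiring, POST /login is consumed by the login filter before authorization runs, so it needs no permit rule, and every other request is anonymous unless the repository resolves its token. Disabling CSRF is safe only because the browser never sends the token automatically; if the token were ever moved into a cookie, CSRF protection would have to come back.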
4. Approach to the rework
- Customize SecurityContextRepositoryImpl, implementing the SecurityContextRepository interface, to provide a security context repository backed by a distributed cache
- Customize RestfulUsernamePasswordAuthenticationFilter, extending AbstractAuthenticationProcessingFilter, to implement a login that complies with the RESTful specification.
- Customize UserDetailsImpl, implementing the UserDetails interface, to make it easy to add custom properties
- Customize UserDetailsServiceImpl, implementing the UserDetailsService interface, to implement database-backed user lookup and to generate the token and set it on the UserDetails
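The three login-side classes above, as an added example (not the article's or the project's code): the JSON login filter, a UserDetails that carries the token, and a UserDetailsService that issues a fresh token per lookup. It assumes Spring Security 5.7+ with the javax.servlet API (use jakarta.servlet on Spring Boot 3), Jackson on the classpath, a login endpoint of POST /login, and a constructed in-memory user map standing in for the database query; the class names are the article's, the bodies and constructors are assumptions.

```java
// Added example (not the article's code). Assumes Spring Security 5.7+, javax.servlet (jakarta on Boot 3)
// and Jackson; the in-memory user map is constructed sample data standing in for a database.
import com.fasterxml.jackson.databind.ObjectMapper;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import java.util.Map;
import java.util.UUID;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.http.MediaType;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

/** Login filter that reads {"username":"...","password":"..."} from a JSON body instead of form fields. */
public class RestfulUsernamePasswordAuthenticationFilter extends AbstractAuthenticationProcessingFilter {
    private final ObjectMapper objectMapper = new ObjectMapper();

    public RestfulUsernamePasswordAuthenticationFilter(AuthenticationManager authenticationManager) {
        // Only POST /login is a login attempt; every other request passes through untouched.
        super(new AntPathRequestMatcher("/login", "POST"), authenticationManager);
    }

    @Override
    public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response)
            throws AuthenticationException, IOException {
        String contentType = request.getContentType();
        if (contentType == null || !MediaType.parseMediaType(contentType).isCompatibleWith(MediaType.APPLICATION_JSON)) {
            throw new AuthenticationServiceException("login body must be application/json");
        }
        LoginRequest body = objectMapper.readValue(request.getInputStream(), LoginRequest.class);
        String username = body.username == null ? "" : body.username.trim();
        String password = body.password == null ? "" : body.password;
        UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken(username, password);
        authRequest.setDetails(authenticationDetailsSource.buildDetails(request)); // remote address, etc.
        // Delegates to the AuthenticationManager (DaoAuthenticationProvider -> UserDetailsServiceImpl below).
        return getAuthenticationManager().authenticate(authRequest);
    }

    public static class LoginRequest {
        public String username;
        public String password;
    }
}

/** UserDetails carrying the per-login token that the security context repository keys its cache on. */
public class UserDetailsImpl implements UserDetails {
    private final String username;
    private final String passwordHash;
    private final List<GrantedAuthority> authorities;
    private final String token;

    public UserDetailsImpl(String username, String passwordHash,
                           Collection<? extends GrantedAuthority> authorities, String token) {
        this.username = username;
        this.passwordHash = passwordHash;
        this.authorities = new ArrayList<>(authorities);
        this.token = token;
    }

    public String getToken() { return token; }
    @Override public Collection<? extends GrantedAuthority> getAuthorities() { return authorities; }
    @Override public String getPassword() { return passwordHash; }
    @Override public String getUsername() { return username; }
    @Override public boolean isAccountNonExpired() { return true; }
    @Override public boolean isAccountNonLocked() { return true; }
    @Override public boolean isCredentialsNonExpired() { return true; }
    @Override public boolean isEnabled() { return true; }
}

/** Looks the user up and attaches a fresh random token. The map is a stand-in for the database query. */
public class UserDetailsServiceImpl implements UserDetailsService {
    private final Map<String, UserDetailsImpl> users; // constructed sample store: username -> stored row

    public UserDetailsServiceImpl(Map<String, UserDetailsImpl> users) { this.users = users; }

    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        UserDetailsImpl row = users.get(username);
        if (row == null) {
            throw new UsernameNotFoundException("no such user"); // DaoAuthenticationProvider maps this to bad credentials
        }
        // The token is generated before the password check, but it is only persisted by the repository
        // after authentication succeeds, so a failed attempt never leaves a usable credential behind.
        return new UserDetailsImpl(row.getUsername(), row.getPassword(), row.getAuthorities(),
                UUID.randomUUID().toString());
    }
}
```

The token is a random UUID (122 bits from SecureRandom), which is the property that matters: it is an opaque lookup key, so it must be unguessable and must never be derived from the username or user id. Keep the stored passwords as BCrypt hashes so the DaoAuthenticationProvider compares them through the PasswordEncoder rather than in plain text.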
5. Reworked authentication process
- The front end submits the username and password entered by the user to the back end
- On the back end, AbstractAuthenticationProcessingFilter calls the attemptAuthentication method of its subclass RestfulUsernamePasswordAuthenticationFilter to obtain the authentication information
- RestfulUsernamePasswordAuthenticationFilter reads the username and password from the request and calls loadUserByUsername of UserDetailsService to obtain the user's information
- UserDetailsServiceImpl queries the user by username, sets the user information on a newly created UserDetailsImpl object, generates a token and sets it on the UserDetailsImpl object.
- AbstractAuthenticationProcessingFilter calls SecurityContextRepositoryImpl to save the security context
- SecurityContextRepositoryImpl takes the security context and the token from its authentication information, and adds the token and the security context to the distributed cache
- The token is returned to the front end
- The front end keeps the token and sends it in the request header of every request
- SecurityContextPersistenceFilter/SecurityContextHolderFilter calls SecurityContextRepositoryImpl's loadContext to obtain the security context
- SecurityContextRepositoryImpl reads the token from the request header, uses it to fetch the security context from the distributed cache and returns it
- The front end submits a logout request
- LogoutFilter calls SecurityContextRepositoryImpl's saveContext, where the security context parameter is an empty security context with no authentication
- SecurityContextRepositoryImpl detects the empty security context, reads the token from the request header, and uses the token to delete the security context from the distributed cache.
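The repository that ties the flow in III.1 and III.5 together, as an added example (not the article's code): loadContext resolves the header token, saveContext stores the context on login and treats an empty context as logout, and containsContext answers the cheap "is there a session?" question. It assumes Spring Security 5.7+ with javax.servlet (jakarta.servlet on Spring Boot 3), a principal of type UserDetailsImpl exposing getToken() as described in the rework, and a header name of X-Auth-Token; the ConcurrentHashMap is a stand-in for the distributed cache and is not itself distributed.

```java
// Added example (not the article's code). Assumes Spring Security 5.7+, javax.servlet (jakarta on Boot 3)
// and a UserDetailsImpl principal with getToken(); the ConcurrentHashMap stands in for Redis or similar.
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.context.HttpRequestResponseHolder;
import org.springframework.security.web.context.SecurityContextRepository;

public class SecurityContextRepositoryImpl implements SecurityContextRepository {
    public static final String TOKEN_HEADER = "X-Auth-Token"; // assumed header name

    // Stand-in for the distributed cache: token -> security context. A real cache entry would carry a TTL
    // so that a token the client never logs out of still expires.
    private final Map<String, SecurityContext> cache = new ConcurrentHashMap<>();

    /** Per-request load (SecurityContextPersistenceFilter / SecurityContextHolderFilter): header token -> context. */
    @Override
    public SecurityContext loadContext(HttpRequestResponseHolder holder) {
        String token = tokenOf(holder.getRequest());
        SecurityContext context = token == null ? null : cache.get(token);
        // Missing or unknown token: return an empty context, never null; the request proceeds as anonymous.
        return context != null ? context : SecurityContextHolder.createEmptyContext();
    }

    /** Called on login success (authenticated context) and on logout (empty context). */
    @Override
    public void saveContext(SecurityContext context, HttpServletRequest request, HttpServletResponse response) {
        Authentication authentication = context.getAuthentication();
        if (authentication == null) {
            // Logout path: the empty context means "forget this token".
            String token = tokenOf(request);
            if (token != null) {
                cache.remove(token);
            }
            return;
        }
        Object principal = authentication.getPrincipal();
        // Anonymous requests carry a String principal, so only a real login is ever stored.
        if (principal instanceof UserDetailsImpl) {
            String token = ((UserDetailsImpl) principal).getToken();
            if (token != null) {
                cache.put(token, context);
            }
        }
    }

    @Override
    public boolean containsContext(HttpServletRequest request) {
        String token = tokenOf(request);
        return token != null && cache.containsKey(token);
    }

    private static String tokenOf(HttpServletRequest request) {
        String token = request.getHeader(TOKEN_HEADER);
        return (token == null || token.isBlank()) ? null : token.trim();
    }
}
```

Two points to check when swapping the map for a real cache: the stored SecurityContext (and therefore UserDetailsImpl and its authorities) must be serializable for the cache client, and the entry must have an expiry, because with no HttpSession there is no container-side timeout to end a forgotten login. Logout does a delete rather than an overwrite, so a revoked token fails closed on the next request.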
IV. Summary
1. Design principles for the authentication process of front-end/back-end separated projects
- Follow the native Spring Security processing flow as closely as possible, and use the components provided by Spring Security wherever possible
- Design the interfaces to conform to the RESTful API specification
- Store the login credentials in a distributed cache, which suits distributed projects better
2. Other notes
- The "best" authentication process for front-end/back-end separated projects described here is the best in my opinion, not an industry-recognized best; a thousand readers have a thousand Hamlets, so feel free to discuss the process you consider best in the comments or by private message!
- The code implementing this approach will follow, so stay tuned!