Directory
1. Theoretical part
   - Introduction
   - How to pass authentication
   - API authentication
     - Configure API release
     - Fine-grained authentication configuration
   - End
2. Practical part
1. Theoretical part

Introduction
- Secure is built on JWT. Every request to an API that requires authentication is intercepted, and the Token carried in the request header is verified.
- If the Token has expired, is absent, or is invalid, authentication fails and the corresponding API cannot be accessed.
- Secure is SpringBlade's security framework and is provided in Blade-Tool.
- This chapter introduces the basic usage of Secure.
How to pass authentication
1. First, call the Auth interface with the account name and password; on success it returns the authorization information.
2. Start the three services AuthApplication, UserApplication and BladeLogApplication.
3. Call http://localhost/blade-auth/token with the corresponding parameters. A response like the one in the figure below means the authentication information was obtained successfully. ("c3dvcmQ6c3dvcmRfc2VjcmV0" is the base64 encoding of the clientId:clientSecret string; this value varies with the client.)
4. Take tokenType and accessToken from the returned JSON and join them as tokenType + ' ' + accessToken.
5. Set the request header blade-auth to that joined value. (All subsequent interface calls must also carry the request header Authorization with the value c3dvcmQ6c3dvcmRfc2VjcmV0.)
6. Call http://localhost/blade-demo/api/info?name=Chill again: "Hello, My Name Is: Chill" is returned, indicating that authentication succeeded!
7. In theory, every business API needs authentication to keep the whole system secure. There are, however, special cases where an API may be called without authentication; for these, the Secure API release configuration is used.
8. Even when a business API has been authenticated, it may still be necessary to decide whether it may be called based on role permissions; for this, Secure's finer-grained authentication configuration is used.
Extended: passwords may be encrypted twice. For example, this admin password is md5 hashed.
Fill in the obtained Authorization and Blade-Auth headers (just enter name:value in the request parameters Params).
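The client side of steps 1 to 6, as an added example that is not part of the original page or of SpringBlade itself: it derives the base64 credential the page shows from clientId:clientSecret, builds the token request, and composes the Blade-Auth value from the JSON reply. The clientId/clientSecret pair ("sword"/"sword_secret"), the form field names and the sample token reply are assumptions; nothing is sent over the network.

```python
import base64
import json
from urllib.parse import urlencode

# Constructed sample values for an offline walk-through. The client id/secret pair is
# the one whose base64 form the page shows ("sword:sword_secret" -> "c3dvcmQ6...").
CLIENT_ID = "sword"
CLIENT_SECRET = "sword_secret"
TOKEN_URL = "http://localhost/blade-auth/token"
INFO_URL = "http://localhost/blade-demo/api/info?name=Chill"


def client_credential(client_id: str, client_secret: str) -> str:
    """base64(clientId:clientSecret), the Authorization value shown on the page."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def token_request(username: str, password: str) -> dict:
    """Step 3: the call to /blade-auth/token. The form field names are an assumption;
    the page only says the account name and password are passed in."""
    return {
        "method": "POST",
        "url": TOKEN_URL,
        "headers": {"Authorization": client_credential(CLIENT_ID, CLIENT_SECRET)},
        "body": urlencode({"username": username, "password": password}),
    }


def blade_auth_value(token_json: str) -> str:
    """Steps 4-5: read tokenType and accessToken from the JSON reply and join them
    as tokenType + ' ' + accessToken, the page's own expression."""
    body = json.loads(token_json)
    return f"{body['tokenType']} {body['accessToken']}"


def business_request(url: str, token_json: str) -> dict:
    """Step 6 onwards: every business call carries both headers. The Authorization
    value is sent exactly as the page shows it; add a scheme prefix if your gateway expects one."""
    return {
        "method": "GET",
        "url": url,
        "headers": {
            "Authorization": client_credential(CLIENT_ID, CLIENT_SECRET),
            "Blade-Auth": blade_auth_value(token_json),
        },
    }


if __name__ == "__main__":
    # Constructed sample reply standing in for the real auth service response.
    reply = json.dumps({"tokenType": "bearer", "accessToken": "constructed.jwt.value"})
    print(business_request(INFO_URL, reply))
```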
API Authentication
Configure API release
1. If you use the SpringBoot version, open the corresponding configuration file and add the interface release configuration.
2. If you use SpringCloud, open Nacos, find the corresponding configuration file and add the interface release configuration.
3. If the rule needs to cover all requests under a certain API path, change it to /api/**, where ** matches every request below that path.
4. Restart the project and remove the request header. The request now succeeds, indicating that the API release configuration took effect.
Fine-grained authentication configuration
1. The authentication configuration uses the @PreAuth annotation of the Secure module.
2. For comparison, release the count endpoint with permitAll() (as long as the Token check is passed, the API can be called):
    @GetMapping("count")
    @PreAuth("permitAll()")
    public Integer count(Integer cnt) {
        return cnt * 10;
    }
3. Restrict info: the caller needs the test role to call it:
    @GetMapping("info")
    @PreAuth("hasRole('test')")
    public String info(String name) {
        return "Hello, My Name Is: " + name;
    }
4. Calling /api/count succeeds.
5. Calling /api/info returns Request Unauthorized again, because our admin account is not assigned the test role.
6. Try changing it back to the admin permission:
    @GetMapping("info")
    @PreAuth("hasRole('administrator')")
    public String info(String name) {
        return "Hello, My Name Is: " + name;
    }
7. Calling /api/info now succeeds.
End
- The Secure framework implements two layers of API authentication.
- The first layer verifies whether the Token carried in the request is legitimate; endpoints that do not need Token verification can be released through configuration.
- The second layer checks whether the logic configured in @PreAuth is satisfied, and returns Request Unauthorized if it is not.
- The @PreAuth annotation works at class level and at method level; placed on a class, it authenticates all methods of that class.
- @PreAuth also supports Spring EL expressions, which makes it very extensible; more functions are waiting for you to explore~
- Spring EL documentation: Spring Framework Reference Documentation
2. Practical part
README.md · Book Bansheng/Network Security Knowledge System - Actual Combat Center - Code Cloud (Gitee) - Open Source China: https://gitee.com/shubansheng/Treasure_knowledge/blob/master/README.md
GitHub - BLACKxZONE/Treasure_knowledge: https://github.com/BLACKxZONE/Treasure_knowledge
For more information, please refer to the SpringBlade development manual:
https://www.kancloud.cn/smallchill/blade/