Spring Security + OAuth2 + Spring Boot: dynamically defining permissions

Source: Internet
Author: User

OAuth2 introduction: OAuth2 defines a secure, open and simple standard for authorizing access to user resources. A third party can obtain the user's authorization without knowing the user's account name and password, which is what makes it safe.

Simply put, logging in to a site requires an account and password. If you do not have one you would have to register, but you may not want to. If you already have an account on a third-party site (QQ, GitHub, Weibo, Facebook), wouldn't it be good to log in to the current site with that account and access its resources? Is there such an implementation?

The answer is yes, of course, through a uniform specification, and that specification is OAuth2.

OAuth2 has 4 implementation modes (see Ruan Yifeng's http://www.ruanyifeng.com/blog/2014/05/oauth_2_0.html)

(1) Authorization Code mode

When a user visits the site and chooses QQ login, Facebook login or Weibo login, the site redirects the user to the QQ, Facebook or Weibo login page (that is, the authentication server) to enter the account and password. When authorization succeeds, a unique authorization code (auth code) is obtained and attached to the previously specified redirect URL. The client then takes this auth code and requests a token from the authentication server (QQ, Facebook). The authentication server checks the authorization code and redirect URL submitted with the request and, after confirming they are correct, returns a token and a refresh token.

(2) Password mode

The user provides their account and password to the client. The client uses this information to request authorization from the service provider, and after the authentication server has authenticated it, the token it returns allows the user to access the site's resources.

(3) Implicit (simplified) mode

There is no third-party application server involved: the token is requested from the authentication server directly in the browser, skipping the authorization code step.

(4) Client mode

The client authenticates to the "service provider" in its own name, rather than on behalf of the user. Strictly speaking, client mode is not a problem that the OAuth framework sets out to solve. In this mode, the user registers directly with the client, and the client asks the "service provider" to provide services in its own name, so there is in fact no authorization problem.
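
The checks the authentication server makes in authorization code mode (1), as an added example that is not code from the original article or from Spring Security. The class and method names, the 60-second code lifetime and the sample client and URLs are assumptions made for illustration, and client authentication (client secret) is left out to keep the focus on the code and redirect URL checks.

```java
import java.security.SecureRandom;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

public class AuthCodeGrantDemo {
    record Grant(String clientId, String redirectUri, String user, Instant expiresAt) {}
    record Tokens(String accessToken, String refreshToken) {}

    private static final SecureRandom RNG = new SecureRandom();
    private final Map<String, Grant> codes = new ConcurrentHashMap<>();

    private static String random() {
        byte[] b = new byte[32];
        RNG.nextBytes(b);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(b);
    }

    // Authorization endpoint: after the user logs in and consents, bind the code
    // to the client and to the redirect URL it will be attached to.
    String issueCode(String clientId, String redirectUri, String user) {
        String code = random();
        codes.put(code, new Grant(clientId, redirectUri, user, Instant.now().plusSeconds(60)));
        return code;
    }

    // Token endpoint: check the code and the redirect URL before returning tokens.
    Tokens redeem(String code, String clientId, String redirectUri) {
        Grant g = codes.remove(code);               // remove first: a code is single-use
        if (g == null) throw new SecurityException("unknown or already used code");
        if (Instant.now().isAfter(g.expiresAt())) throw new SecurityException("code expired");
        if (!g.clientId().equals(clientId)) throw new SecurityException("code issued to another client");
        if (!g.redirectUri().equals(redirectUri)) throw new SecurityException("redirect URL mismatch");
        return new Tokens(random(), random());      // access token and refresh token
    }

    public static void main(String[] args) {
        AuthCodeGrantDemo server = new AuthCodeGrantDemo();
        String cb = "https://client.example/callback";   // constructed sample values
        String code = server.issueCode("demo-client", cb, "alice");
        System.out.println("tokens issued: " + (server.redeem(code, "demo-client", cb) != null));
        try { server.redeem(code, "demo-client", cb); }
        catch (SecurityException e) { System.out.println("replay rejected: " + e.getMessage()); }
        String code2 = server.issueCode("demo-client", cb, "alice");
        try { server.redeem(code2, "demo-client", "https://other.example/cb"); }
        catch (SecurityException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```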

Spring Security Introduction:

Spring Security is a framework that focuses on providing authentication and authorization for Java applications. Internally it uses servlet filters to filter requests by URL and performs security processing before the application handles the request. Spring Security provides a number of filters that intercept servlet requests and pass them to the authentication manager and the access decision manager for processing. Depending on your needs, you can use the appropriate filters to protect your application.

Spring Security and OAuth2 custom permission control
