OAuth2 Introduction: OAuth2 defines a secure, open and simple standard for authorizing access to user resources. A third party can obtain the user's authorization without ever learning the user's account name and password, which is what makes it safe.
Simply put: when you log on to a website you need an account and a password for it. If you do not have one, you would have to register one, but you may not want to. If you already have an account at a third-party site (QQ, GitHub, Weibo, Facebook), could you just use that account to log in to the current site and access its resources? Is there such an implementation?
The answer is yes, and the uniform specification used for this is OAuth2.
OAuth2 has 4 implementation modes (see Ruan Yifeng's http://www.ruanyifeng.com/blog/2014/05/oauth_2_0.html)
(1) Authorization Code mode
When a user visits the site and chooses QQ login, Facebook login or Weibo login, the site redirects the user to the QQ, Facebook or Weibo login page (that is, the authentication server) to enter an account and password. When the authorization succeeds, a unique authorization code (auth code) is issued. The client then attaches this auth code to the previously registered redirect URL and sends a token request to QQ or Facebook; the authentication server checks the authorization code and the redirect URL in the request, and if both are correct it returns an access token and a refresh token.
(2) Password mode
Users give their account and password directly to the client. The client uses these credentials to ask the service provider for authorization; after the authentication server has verified them it returns a token, and the user accesses the site's resources through that token.
(3) Simplified (implicit) mode
There is no third-party application server: the token is requested from the authentication server directly in the browser, skipping the authorization code step.
(4) Client mode
The client authenticates to the "service provider" in its own name rather than on behalf of a user. Strictly speaking, client mode is not a problem that the OAuth framework solves: the user registers directly with the client, the client provides services in its own name to the "service provider", and there is in fact no authorization problem at all.
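The checks the authentication server performs in authorization code mode (code bound to one client and one redirect URL, single use, short-lived, then access token plus refresh token), as an added example that is not part of the original post or of any real provider's code; the in-memory stores, client registry and token lifetimes are constructed for illustration only.

```python
import hmac
import secrets
import time

# Constructed toy state for the authentication server (not a real provider's API).
CODE_TTL_SECONDS = 60
CLIENTS = {"demo-site": "demo-secret"}   # client_id -> client_secret (constructed)
_codes = {}     # auth code -> binding: client_id, redirect_uri, user, expiry
_tokens = {}    # access token -> user and client it was issued to


def issue_auth_code(client_id: str, redirect_uri: str, user: str) -> str:
    """User has just logged in at the provider: mint a code bound to this client and redirect URL."""
    code = secrets.token_urlsafe(24)
    _codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                    "user": user, "expires": time.time() + CODE_TTL_SECONDS}
    return code


def exchange_code(client_id: str, client_secret: str, code: str, redirect_uri: str) -> dict:
    """Token endpoint: verify the client, then the code and redirect URL, then issue tokens."""
    expected = CLIENTS.get(client_id, "")
    if not hmac.compare_digest(expected, client_secret):
        return {"error": "invalid_client"}
    # pop() removes the code on the first attempt: a code is redeemable exactly once,
    # and a failed attempt burns it rather than leaving it available for a retry.
    entry = _codes.pop(code, None)
    if entry is None or entry["expires"] < time.time():
        return {"error": "invalid_grant"}          # unknown, already used, or expired
    if entry["client_id"] != client_id or entry["redirect_uri"] != redirect_uri:
        return {"error": "invalid_grant"}          # code presented by another client or with a changed redirect URL
    access = secrets.token_urlsafe(32)
    refresh = secrets.token_urlsafe(32)
    _tokens[access] = {"user": entry["user"], "client_id": client_id}
    return {"access_token": access, "refresh_token": refresh, "token_type": "bearer"}


def resource_owner(access_token: str):
    """Resource server side: map a bearer token back to the user, or None if it is not valid."""
    entry = _tokens.get(access_token)
    return entry["user"] if entry else None
```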
Spring Security Introduction:
Spring Security is a framework that focuses on providing authentication and authorization for Java applications. Internally it uses servlet filters to intercept requests by URL and perform security processing before the application handles the request. Spring Security ships a number of filters that intercept servlet requests and hand them to the authentication and access decision managers for enhanced security. Depending on your needs, you can choose the appropriate filters to protect your application.
Spring Security and OAuth2 custom permission control
Spring Security + OAuth2 + Spring Boot: dynamically defining permissions