Talking about security: the market now offers OAuth2 / OIDC (OpenID Connect), identity authentication, authorization, and so on. First, a word on Java Security.
This area is a lot more complicated than Spring Security or .NET Core Security, so the notes below compare them point by point.
Spring Security
Components:
SecurityContextHolder: provides several ways to access the SecurityContext.
SecurityContext: holds the Authentication and the security information associated with the request.
Authentication: represents the principal in a Spring Security-specific way.
GrantedAuthority: reflects the application-wide permissions granted to a principal.
UserDetails: provides the information needed to build an Authentication object from your application's DAOs.
UserDetailsService: creates a UserDetails when passed a String user name (or certificate ID or similar).
As far as security is concerned, the SecurityContextHolder object in Spring Security is similar to the HttpContext object in .NET Core. Of course, HttpContext in .NET Core has other duties as well; here we only look at HttpContext authentication.
SecurityContextHolder: gives us the context object and the strategy used to obtain the SecurityContext. There are three built-in strategies:
    ThreadLocalSecurityContextHolderStrategy
    InheritableThreadLocalSecurityContextHolderStrategy
    GlobalSecurityContextHolderStrategy
Of course, you can also supply your own strategy, which is loaded separately by class name:
    else {
        // Load a custom strategy by class name via reflection
        try {
            Class<?> clazz = Class.forName(strategyName);
            Constructor<?> customStrategy = clazz.getConstructor();
            strategy = (SecurityContextHolderStrategy) customStrategy.newInstance();
        } catch (Exception var2) {
            ReflectionUtils.handleReflectionException(var2);
        }
    }
SecurityContext: through this object we can obtain the authentication information:
    SecurityContextHolder.getContext().getAuthentication()
The Authentication interface looks like this:
    public interface Authentication extends Principal, Serializable {
        Collection<? extends GrantedAuthority> getAuthorities();
        Object getCredentials();
        Object getDetails();
        Object getPrincipal();
        boolean isAuthenticated();
        void setAuthenticated(boolean isAuthenticated) throws IllegalArgumentException;
    }
This is consistent with the HttpContext.User.Identity identity information in .NET Core.
If getAuthentication() in Spring Security returns identity information, is that identity authenticated, and what is the identity information? We can find out here.
Then get the information about the principal that is accessing the application now:
    Object principal = SecurityContextHolder.getContext().getAuthentication().getPrincipal();
The corresponding method on the .NET Core authentication class is the one below; it also wraps the Principal (of type ClaimsPrincipal). Of course, User is also exposed externally and can be cast to ClaimsPrincipal.
    public abstract Task<AuthenticateInfo> GetAuthenticateInfoAsync(string authenticationScheme);
Here is the cast in .NET Core:
    var user = HttpContext.User as ClaimsPrincipal;
The same applies in Spring: getPrincipal() returns an Object, and the object you get back is not necessarily a UserDetails.
So in Spring Security there is this check:
    Object principal = SecurityContextHolder.getContext().getAuthentication().getPrincipal();
    String username;
    if (principal instanceof UserDetails) {
        // Principal built by a UserDetailsService
        username = ((UserDetails) principal).getUsername();
    } else {
        // Any other principal type, for example a plain String
        username = principal.toString();
    }
Likewise, external login in .NET Core needs to process the identity information of the party involved. Here I use Windows identity information in .NET Core as an example:
    if (result?.Principal is WindowsPrincipal wp)
    {
        id.AddClaim(new Claim(JwtClaimTypes.Subject, wp.Identity.Name));
    }
This is the same principle as the Spring Security code above.
.NET Core
Leaving session-based login handling aside for now, this part is about authentication. A brief introduction follows.
AuthenticationBuilder: creates the authentication configuration
AuthenticationSchemeOptions: authentication parameters
AuthenticationHandler: authentication processing
AuthenticationMiddleware: authentication middleware
In .NET Core, first add the authentication service and give it its parameters:
    services.AddAuthentication(options =>
    {
        options.DefaultScheme = "Cookies";
        options.DefaultChallengeScheme = "oidc";
    })
Then add the authentication middleware. Authentication is handled by this middleware (see how middleware works for the details); when processing completes it writes the authentication information to the HttpContext context object and exposes secure access to it through HttpContext.
    app.UseAuthentication();
These methods are exposed on HttpContext through the AuthenticationManager object; in code, sign-in and sign-out are handled (asynchronously) with SignInAsync and SignOutAsync.
SignIn writes the locally authenticated information to the authentication-related objects, while the middleware provides secure access to it through HttpContext.
So in code we usually use this property, which provides read-only access to the authentication management object:
    public abstract AuthenticationManager Authentication { get; }
HttpContext also exposes the identity information:
    public abstract ClaimsPrincipal User { get; set; }
What is this used for? It is how we get the authenticated identity information.
Look at the identity information below, with its IsAuthenticated, Name and AuthenticationType members:
HttpContext.User.Identity
IsAuthenticated: whether this user's identity has been authenticated
Name: the name of this user's identity
AuthenticationType: the type of authentication used
That is all for this one; it is probably not detailed enough ~
Java Spring Boot vs. .NET Core (IX): Spring Security vs. .NET Core Security