Daily blog - microservice permissions, 12 matters
2022-06-11 15:37:00 【Little craftsman】

Concepts
About permissions, let's start with three core concepts:
- authentication
- authorization
- access check (permission verification)
Authentication
For example: the user enters a user name/password and clicks log in. The logic the backend then runs is authentication: verify whether the user name/password is correct and whether this user may log in to the system.
Authorization
For example: different users end up with different permissions through authorization by the system. Authorization is granting a user or role the permission to operate on a resource. Authorization can also be delegated to a third-party system.
Access check
For example: in the same system, users who log in successfully have different permissions. When a user performs an operation, the backend checks whether that operation is allowed for this user. This is the access check: verifying whether the user holds the permission for the corresponding resource.

Authentication, authorization and access checks in a monolithic application
We know that the core of the permissions problem is handling authentication, authorization and access checks.
Let's first look at how a monolithic application handles them.
How authentication is handled
In a monolithic application, a login first verifies the user name/password. This usually involves password hashing: the password is stored as a salted hash rather than encrypted, and the check is whether hashing the submitted password with the stored salt yields the hash stored in the database. If it matches, login succeeds. (Two details that matter in practice: use a slow, salted password hash, and compare the two values in constant time.)
If the user logs in successfully, the server generally returns a credential that represents the successful login:
- With JWT, a token is returned.
- With sessions, a session id is returned to the client via Set-Cookie.
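As an added example (not code from the original post), here is the session variant of the login flow described above, in Python: the password is verified against a salted PBKDF2 hash with a constant-time compare, then a random session id is issued and returned in a Set-Cookie header. The user table and the session store are in-memory dicts constructed for the example (in a real system the users come from the database and the sessions usually live in Redis); the user names and passwords are made up.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# PBKDF2-HMAC-SHA256 parameters; tune the iteration count to your hardware (higher is slower for attackers too).
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16
SESSION_TTL_SECONDS = 3600


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive the stored verifier from a password and its per-user salt (a slow, salted hash, not encryption)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def register_user(username: str, password: str) -> dict:
    """Build one user record: a fresh random salt plus the hash. The password itself is never stored."""
    salt = secrets.token_bytes(SALT_BYTES)
    return {"username": username, "salt": salt, "hash": hash_password(password, salt)}


# Constructed user table for the example; in production this is the users table in the database.
USERS = {
    u["username"]: u
    for u in (register_user("alice", "correct horse battery staple"), register_user("bob", "hunter2"))
}

# Constructed session store: session id -> session data. In production this is usually Redis.
SESSIONS: dict = {}


def verify_password(username: str, password: str) -> bool:
    """Authentication step: recompute the hash for the submitted password and compare in constant time."""
    user = USERS.get(username)
    if user is None:
        # Burn the same work for unknown users so response time does not reveal which names exist.
        hash_password(password, b"\x00" * SALT_BYTES)
        return False
    return hmac.compare_digest(hash_password(password, user["salt"]), user["hash"])


def login(username: str, password: str, now: Optional[float] = None) -> Optional[str]:
    """Return a new session id on success, or None. The id is the only thing the client holds."""
    if not verify_password(username, password):
        return None
    now = time.time() if now is None else now
    session_id = secrets.token_urlsafe(32)  # 256 bits of randomness: unguessable
    SESSIONS[session_id] = {"username": username, "expires": now + SESSION_TTL_SECONDS}
    return session_id


def set_cookie_header(session_id: str) -> str:
    """The Set-Cookie line returned to the browser; HttpOnly keeps page scripts away from the id."""
    return (
        f"Set-Cookie: SESSIONID={session_id}; Path=/; HttpOnly; Secure; "
        f"SameSite=Lax; Max-Age={SESSION_TTL_SECONDS}"
    )


def user_from_session(session_id: str, now: Optional[float] = None) -> Optional[str]:
    """Resolve a presented session id to a user name, evicting expired or unknown sessions."""
    now = time.time() if now is None else now
    session = SESSIONS.get(session_id)
    if session is None:
        return None
    if session["expires"] <= now:
        del SESSIONS[session_id]
        return None
    return session["username"]
```

The JWT variant differs only in what `login` returns: instead of storing server-side state and handing out an opaque id, it signs the user's claims into a token, and the later access check verifies that signature instead of looking the id up in the store.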
How authorization is handled
In a monolithic application, authorization means modifying the roles bound to a user, or the permissions bound to a role. The latest permission information generally takes effect only after the user logs in again, since the credential issued at login (a JWT in particular) carries or caches the permission information it was issued with.
How access checks are handled
Monolithic applications usually rely on interceptors (Spring Security and Apache Shiro are essentially interceptors) that intercept the user's request.
Here too the scheme differs depending on whether JWT or HTTP sessions are used:
- With JWT, the user information is obtained by verifying the token's signature and decoding its claims (a plain JWT is signed, not encrypted: anyone can read it, but only the holder of the key can produce a valid signature).
- With sessions, the user information is loaded from the session store (usually Redis) by session id.
Either way, the permission check is finally performed on the request based on that user information.
There are generally two ways to perform the access check, and both are role-based.
One is implicit role-based checking: whether the user may operate on a resource is decided directly from the role. For example, the administrator role may delete users, while an ordinary user may only view user information.
This is generally suitable for simple systems. A common way is to annotate each interface with the roles allowed to call it, but this becomes hard to maintain in a complex system.

The other is explicit role-based checking: each role is assigned explicit permissions, and the check first finds the permission set from the user's roles and then decides against that set. This is more effective and convenient in complex systems.
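As an added example, not from the original post, here is the JWT branch of the interceptor described above, in Python: the token's HS256 signature and expiry are verified, the claims supply the user's roles, and the request is then checked either implicitly (endpoint -> allowed roles, what a role annotation on the handler encodes) or explicitly (endpoint -> required permission, resolved through a role -> permission table). The signing key, the role/permission table and the endpoint tables are all constructed for the example, and `issue_jwt` stands in for what the login endpoint would return.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Assumed server-side HS256 key for the example; in production it comes from a secret store, never the repo.
JWT_KEY = b"example-only-key-replace-with-32-random-bytes"

# Authorization data (constructed): which permissions each role carries, used by the explicit scheme.
ROLE_PERMISSIONS = {
    "admin": {"user:read", "user:delete"},
    "user": {"user:read"},
}
# Implicit scheme: which roles may call each endpoint (what a role annotation on the handler encodes).
ENDPOINT_ROLES = {
    ("GET", "/users"): {"admin", "user"},
    ("DELETE", "/users"): {"admin"},
}
# Explicit scheme: the single permission each endpoint requires.
ENDPOINT_PERMISSION = {
    ("GET", "/users"): "user:read",
    ("DELETE", "/users"): "user:delete",
}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_jwt(claims: dict, key: bytes = JWT_KEY) -> str:
    """What the login endpoint would return: header.payload.HMAC-SHA256(header.payload), all base64url."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signature = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(signature)}"


def verify_jwt(token: str, key: bytes = JWT_KEY, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims only if the signature verifies under the pinned algorithm and the token is unexpired."""
    try:
        header_b64, payload_b64, signature_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        presented = b64url_decode(signature_b64)
        claims = json.loads(b64url_decode(payload_b64))
    except ValueError:  # wrong part count, bad base64, bad JSON
        return None
    # Pin the algorithm server-side: the token must not get to choose "none" or another scheme.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, presented):
        return None
    now = time.time() if now is None else now
    if not isinstance(claims, dict) or not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        return None
    return claims


def roles_of(claims: dict) -> set:
    roles = claims.get("roles", [])
    return set(roles) if isinstance(roles, list) else set()


def check_by_role(claims: dict, method: str, path: str) -> bool:
    """Implicit scheme: pass if the user holds any role allowed on the endpoint."""
    allowed = ENDPOINT_ROLES.get((method, path))
    if allowed is None:
        return False  # unknown endpoint: deny by default rather than fall open
    return bool(allowed & roles_of(claims))


def check_by_permission(claims: dict, method: str, path: str) -> bool:
    """Explicit scheme: expand the user's roles into a permission set, then require the endpoint's permission."""
    required = ENDPOINT_PERMISSION.get((method, path))
    if required is None:
        return False
    granted = set()
    for role in roles_of(claims):
        granted |= ROLE_PERMISSIONS.get(role, set())
    return required in granted


def intercept(token: str, method: str, path: str, scheme: str = "permission", now: Optional[float] = None) -> int:
    """The interceptor's decision as an HTTP status: 401 not authenticated, 403 not permitted, 200 pass through."""
    claims = verify_jwt(token, now=now)
    if claims is None:
        return 401
    check = check_by_role if scheme == "role" else check_by_permission
    return 200 if check(claims, method, path) else 403
```

The session-backed variant of the same interceptor replaces `verify_jwt` with a lookup of the session id in Redis; the two check functions do not change, which is the point of separating "who is this" from "may they do this".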

Authentication, authorization and access checks under a microservice architecture
In microservices, the implementation of authentication and authorization is no different from a monolithic application.