Commit 07d59bf4, written by sinat_25235033

set english as docs default language

Parent 4eb4af03
......@@ -55,7 +55,7 @@ api的保护可以认为:认证-请求携带的认证信息是否校验通过
`eg: /api/v2/book===get` `get`方式请求`/api/v2/book`接口数据
- 角色资源映射: 用户所属角色--角色拥有资源--用户拥有资源(用户就能访问此`api`)
资源路径匹配详见 [url路径匹配](docs/path-match.md)
资源路径匹配详见 [url路径匹配](docs/cn/path-match.md)
##### 项目中加入sureness
......@@ -110,7 +110,7 @@ SurenessSecurityManager.getInstance().checkIn(servletRequest)
}
```
异常详见 [默认异常](docs/default-exception.md)
异常详见 [默认异常](docs/cn/default-exception.md)
##### 加载配置数据
......@@ -118,7 +118,7 @@ SurenessSecurityManager.getInstance().checkIn(servletRequest)
这些配置数据可能来自文本,关系数据库,非关系数据库
我们提供了配置数据接口`SurenessAccountProvider`, `PathTreeProvider`, 用户可以实现此接口实现自定义配置数据源
当前我们也提供默认文本形式的配置数据实现 `DocumentResourceDefaultProvider`, 用户可以配置`sureness.yml`来配置数据
默认文本数据源`sureness.yml`配置详见文档 [默认数据源](docs/default-datasource.md)
默认文本数据源`sureness.yml`配置详见文档 [默认数据源](docs/cn/default-datasource.md)
我们提供了使用代码`DEMO`
默认文本数据源具体实现,请参考[使用sureness10分钟搭建权限项目--sample-bootstrap](https://github.com/tomsun28/sureness/tree/master/sample-bootstrap)
......
......@@ -45,7 +45,7 @@
`eg: /api/v2/book===get`
- User belongs some Role -- Role owns Resource -- User can access the resource
Resource path matching see: [Uri Match](docs/en/path-match.md)
Resource path matching see: [Uri Match](docs/path-match.md)
##### Add sureness In Project
......@@ -94,7 +94,7 @@ Authentication passed directly, failure throw exception, catch exception and do
}
```
Detail sureness exception see: [Default Sureness Exception](docs/en/default-exception.md)
Detail sureness exception see: [Default Sureness Exception](docs/default-exception.md)
### Load Config DataSource
......@@ -103,7 +103,7 @@ The dataSource can load from txt, dataBase or no dataBase etc.
We provide interfaces `SurenessAccountProvider`, `PathTreeProvider` for user implement to load data from the dataSource where they want.
Also, we provide default dataSource implement which load dataSource from txt(sureness.yml), user can defined their data in sureness.yml.
Default Document DataSource Config - sureness.yml, see: [Default DataSource](docs/en/default-datasource.md)
Default Document DataSource Config - sureness.yml, see: [Default DataSource](docs/default-datasource.md)
If the configuration resource data comes from text, please refer to [10 Minute Tutorial's Program--sample-bootstrap](https://github.com/tomsun28/sureness/tree/master/sample-bootstrap)
If the configuration resource data comes from dataBase, please refer to [30 Minute Tutorial's Program--sample-tom](https://github.com/tomsun28/sureness/tree/master/sample-tom)
......
# sureness - 面向restful api的权限认证
# `sureness`
> A simple and efficient open-source java security framework that focus on the protection of restful api.
> A simple and efficient open-source jvm security framework that focus on the protection of restful api.
[![License](https://img.shields.io/badge/license-Apache%202-4EB1BA.svg)](https://www.apache.org/licenses/LICENSE-2.0.html)
![GitHub pull request check contexts](https://img.shields.io/github/status/contexts/pulls/tomsun28/sureness/8?label=pull%20checks)
[![Gitter](https://img.shields.io/gitter/room/usthe/sureness?label=sureness&color=orange&logo=gitter&logoColor=red)](https://gitter.im/usthe/sureness)
![GitHub Release Date](https://img.shields.io/github/release-date/tomsun28/sureness?color=blue&logo=figshare&logoColor=red)
## <font color="green">`Introduction`</font>
## Background
现在很多网站都进行了前后端分离,后端提供rest api,前端调用接口获取数据渲染。这种架构下如何保护好后端所提供的rest api使得更加重视。
api的保护可以认为:认证-请求携带的认证信息是否校验通过,鉴权-认证通过的用户拥有指定api的权限才能访问此api。然而不仅于此,什么样的认证策略, jwt, basic,digest,oauth还是多支持, 权限配置是写死代码还是动态配置,我想动态赋权怎么办,云原生越来越火用的框架是quarkus等新秀不是spring生态咋弄,http实现不是servlet而是jax-rs规范咋整, to be or not to be, this is a question
> 目前`java`主流的权限框架有`shiro,spring security`, 下面对于它们的探讨都是个人之见,接受纠正
> `shiro`对于`restful api`原生支持不太友好,需要改写一些代码,2年前一个项目 [booshiro](https://gitee.com/tomsun28/bootshiro) 就是改造`shiro`,使其在过滤链就能匹配不同的`rest`请求进行权限校验,之后给`shiro commit`几次`pr`,`fix`其在过滤链匹配时的危险漏洞,总的来说`shiro`很强大但其起源并非面向`web`,对`restful`不是很友好
> `spring security`很强大,与`spring`深度集成,离开`spring`,比如`javalin`和之前用过的`osgi`框架`karaf`就用不了了
> 如果不用注解配置,它们都会在链式匹配这块,用请求的url和配置的链一个一个`ant`匹配(匹配过程中会有缓存等提高性能),但匹配的链过多时还是比较耗性能(根据算法时间复杂度判断,暂未测试验证)
> 我们希望能解决这些,提供一个**针对restful api**,**无框架依赖**,可以**动态修改权限**,**多认证策略**,**更快速度**,**易用**的认证鉴权框架
> Sureness is a new, permission project which we learn from apache shiro and add some ideas to create it
> Authentication for restful api, based on RBAC, Mainly focused on the protection of restful api
> No specific framework dependency(support springboot, quarkus, javalin, ktor and more)
> Support dynamic modification of permissions
> Support mainstream http container(servlet and jax-rs)
> Supports JWT, Basic Auth... Can extend custom supported authentication methods
> High performance due dictionary matching tree
> Good extension interface, demo and document.
## <font color="green">Introduction</font>
> `sureness` 是我们在使用 `java` 权限框架 `shiro` 之后,吸取其良好设计加上一些想法实现的全新认证鉴权项目
> 面对 `restful api` 的认证鉴权,基于 `rbac` (用户-角色-资源)主要关注于对 `restful api` 的安全保护
> 无特定框架依赖(本质就是过滤器处拦截判断,已有springboot,quarkus,javalin,ktor等demo)
> 支持动态修改权限配置(动态修改哪些api需要被认证,可以被谁访问)
> 支持主流http容器 servlet 和 jax-rs
> 支持多种认证策略, `jwt, basic auth` ... 可扩展自定义支持的认证方式
> 基于改进的字典匹配树拥有的高性能
> 良好的扩展接口, demo和文档
>`sureness`的低配置,易扩展,不耦合其他框架,能使开发者对自己的项目多场景快速安全的进行保护
> The low configuration of sureness, easy to expand, and not coupled with other frameworks, enables developers to quickly and safely protect their projects in multiple scenarios.
##### Framework Sample Support
......
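Review bot: the new English feature bullets, from `> Sureness is a new, permission project…` down to `> High performance due dictionary matching tree`, need a grammar pass before they become the default-language README; suggest `Sureness is a new permission project inspired by Apache Shiro, with some ideas of our own`, `High performance thanks to a dictionary matching tree`, and `that focuses on` in the tagline `> A simple and efficient open-source jvm security framework that focus on the protection of restful api.`. The heading `## <font color="green">`Introduction`</font>` also relies on the deprecated HTML `<font>` tag, which several Markdown renderers strip, so the green colouring is not portable.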
![logo](_media/favicon.ico)
# sureness - 面向restful api的认证鉴权
# sureness <small>0.0.2.8 for jvm</small>
> A Simple and Efficient Open-source Jvm Security Framework that Focus on Protection of Restful Api.
> Focusing on Protection of Restful Api.
- 基于 `rbac` (用户-角色-资源)主要关注于对 `restful api` 的安全保护
- 无特定框架依赖(springboot,quarkus,javalin,ktor等demo)
- 支持主流http容器 servlet 和 jax-rs
- 支持动态权限配置
- 支持多种认证策略
- Based on RBAC, Multiple certification
- Dynamic modification of permissions
- No framework dependency
[GitHub](https://github.com/tomsun28/sureness/)
[Gitee](https://gitee.com/tomsun28/sureness/)
[Get Started](/README.md)
[Get Started](README.md)
![color](#e3f1ec)
\ No newline at end of file
- 仓库
- [GITHUB](https://github.com/tomsun28/sureness ':ignore')
- [GITEE](https://gitee.com/tomsun28/sureness ':ignore')
- Repository
- [GITHUB](https://github.com/tomsun28/sureness ':ignore')
- [GITEE](https://gitee.com/tomsun28/sureness ':ignore')
- :cn: 中文Chinese
- [:us: English](/en/)
- :us: English
- [:cn: 中文](/cn/)
- 其它
- Other
- [About Us](https://usthe.com)
- [回到主页](/)
\ No newline at end of file
- [HOME](/)
\ No newline at end of file
- 入门
- [介绍](README.md "introduce")
- [快速开始](quickstart.md "quick start greatest")
- [URI路径匹配](path-match.md)
- [默认数据源](default-datasource.md)
- [默认认证方式](default-auth.md)
- [默认异常](default-exception.md)
- Start
- [Introduce](README.md "introduce")
- [Quick Start](quickstart.md "quick start greatest")
- [URI Match](path-match.md)
- [Default Datasource](default-datasource.md)
- [Default Auth](default-auth.md)
- [Default Exception](default-exception.md)
- 进阶扩展
- [扩展点](extend-point.md)
- [自定义Subject Creator](custom-subject-creator.md)
- [自定义Subject](custom-subject.md)
- [自定义数据源](custom-datasource.md)
- [自定义Processor](custom-processor.md)
- Advanced Extend
- [Extend Point](extend-point.md)
- [Custom Subject Creator](custom-subject-creator.md)
- [Custom Subject](custom-subject.md)
- [Custom Datasource](custom-datasource.md)
- [Custom Processor](custom-processor.md)
- 集成案例
- [10分钟项目集成](sample-bootstrap.md)
- [30分钟项目集成](sample-tom.md)
- [Quarkus项目集成](sample-quarkus.md)
- [Spring-Webflux项目集成](sample-spring-webflux.md)
- [Javalin项目集成](sample-javalin.md)
- [Ktor项目集成](sample-ktor.md)
- Integration Demo
- [10 Minute Tutorial](sample-bootstrap.md)
- [30 Minute Tutorial](sample-tom.md)
- [Quarkus-Sureness Sample ](sample-quarkus.md)
- [Spring-Webflux-Sureness Sample](sample-spring-webflux.md)
- [Javalin-Sureness Sample](sample-javalin.md)
- [Ktor-Sureness Sample](sample-ktor.md)
- 其它
- [设计文档](design.md)
- [参与贡献](contributing.md)
- Others
- [Design](design.md)
- [Contribute To Us](contributing.md)
- [Changelog](https://github.com/tomsun28/sureness/releases ':ignore')
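Review bot: the title attribute on the Quick Start entry, `[Quick Start](quickstart.md "quick start greatest")`, reads like leftover placeholder text and is repeated in the Chinese entry `[快速开始](quickstart.md "quick start greatest")`; either drop the title or use a descriptive one such as `"quick start"`, since it is shown as a tooltip in the rendered sidebar.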
# sureness - 面向restful api的权限认证
> A simple and efficient open-source java security framework that focus on the protection of restful api.
[![License](https://img.shields.io/badge/license-Apache%202-4EB1BA.svg)](https://www.apache.org/licenses/LICENSE-2.0.html)
![GitHub pull request check contexts](https://img.shields.io/github/status/contexts/pulls/tomsun28/sureness/8?label=pull%20checks)
[![Gitter](https://img.shields.io/gitter/room/usthe/sureness?label=sureness&color=orange&logo=gitter&logoColor=red)](https://gitter.im/usthe/sureness)
![GitHub Release Date](https://img.shields.io/github/release-date/tomsun28/sureness?color=blue&logo=figshare&logoColor=red)
## Background
现在很多网站都进行了前后端分离,后端提供rest api,前端调用接口获取数据渲染。这种架构下如何保护好后端所提供的rest api使得更加重视。
api的保护可以认为:认证-请求携带的认证信息是否校验通过,鉴权-认证通过的用户拥有指定api的权限才能访问此api。然而不仅于此,什么样的认证策略, jwt, basic,digest,oauth还是多支持, 权限配置是写死代码还是动态配置,我想动态赋权怎么办,云原生越来越火用的框架是quarkus等新秀不是spring生态咋弄,http实现不是servlet而是jax-rs规范咋整, to be or not to be, this is a question
> 目前`java`主流的权限框架有`shiro,spring security`, 下面对于它们的探讨都是个人之见,接受纠正
> `shiro`对于`restful api`原生支持不太友好,需要改写一些代码,2年前一个项目 [booshiro](https://gitee.com/tomsun28/bootshiro) 就是改造`shiro`,使其在过滤链就能匹配不同的`rest`请求进行权限校验,之后给`shiro commit`几次`pr`,`fix`其在过滤链匹配时的危险漏洞,总的来说`shiro`很强大但其起源并非面向`web`,对`restful`不是很友好
> `spring security`很强大,与`spring`深度集成,离开`spring`,比如`javalin`和之前用过的`osgi`框架`karaf`就用不了了
> 如果不用注解配置,它们都会在链式匹配这块,用请求的url和配置的链一个一个`ant`匹配(匹配过程中会有缓存等提高性能),但匹配的链过多时还是比较耗性能(根据算法时间复杂度判断,暂未测试验证)
> 我们希望能解决这些,提供一个**针对restful api**,**无框架依赖**,可以**动态修改权限**,**多认证策略**,**更快速度**,**易用**的认证鉴权框架
## <font color="green">Introduction</font>
> `sureness` 是我们在使用 `java` 权限框架 `shiro` 之后,吸取其良好设计加上一些想法实现的全新认证鉴权项目
> 面对 `restful api` 的认证鉴权,基于 `rbac` (用户-角色-资源)主要关注于对 `restful api` 的安全保护
> 无特定框架依赖(本质就是过滤器处拦截判断,已有springboot,quarkus,javalin,ktor等demo)
> 支持动态修改权限配置(动态修改哪些api需要被认证,可以被谁访问)
> 支持主流http容器 servlet 和 jax-rs
> 支持多种认证策略, `jwt, basic auth` ... 可扩展自定义支持的认证方式
> 基于改进的字典匹配树拥有的高性能
> 良好的扩展接口, demo和文档
>`sureness`的低配置,易扩展,不耦合其他框架,能使开发者对自己的项目多场景快速安全的进行保护
##### Framework Sample Support
- [x] spring [sample-bootstrap](cn/sample-bootstrap.md)
- [x] springboot [sample-tom](cn/sample-tom.md)
- [x] quarkus [sample-quarkus](cn/sample-quarkus.md)
- [x] javalin [sample-javalin](cn/sample-javalin.md)
- [x] ktor [sample-ktor](cn/sample-ktor.md)
- [x] spring webflux [spring-webflux-sureness](cn/sample-spring-webflux.md)
- [x] more samples todo
![logo](../_media/favicon.ico)
# sureness
# sureness <small>0.0.2.8 for jvm</small>
> A Simple and Efficient Open-source Jvm Security Framework that Focus on Protection of Restful Api.
- Authentication for restful api, based on RBAC, Mainly focused on the protection of restful api
- No specific framework dependency(support springboot, quarkus, javalin, ktor and more)
- Supports JWT, Basic Auth... Can extend custom supported authentication methods
- Support mainstream http container(servlet and jax-rs)
- Support dynamic modification of permissions
- 基于 `rbac` (用户-角色-资源)主要关注于对 `restful api` 的安全保护
- 无特定框架依赖(springboot,quarkus,javalin,ktor等demo)
- 支持主流http容器 servlet 和 jax-rs
- 支持动态权限配置
- 支持多种认证策略
[GitHub](https://github.com/tomsun28/sureness/)
[Gitee](https://gitee.com/tomsun28/sureness/)
[Get Started](/en/README.md)
[Get Started](cn/README.md)
![color](#e3f1ec)
\ No newline at end of file
- 仓库
- [GITHUB](https://github.com/tomsun28/sureness ':ignore')
- [GITEE](https://gitee.com/tomsun28/sureness ':ignore')
- :cn: 中文Chinese
- [:us: English](/)
- 其它
- [About Us](https://usthe.com)
- [回到主页](/cn/)
\ No newline at end of file
- 入门
- [介绍](cn/README.md "introduce")
- [快速开始](cn/quickstart.md "quick start greatest")
- [URI路径匹配](cn/path-match.md)
- [默认数据源](cn/default-datasource.md)
- [默认认证方式](cn/default-auth.md)
- [默认异常](cn/default-exception.md)
- 进阶扩展
- [扩展点](cn/extend-point.md)
- [自定义Subject Creator](cn/custom-subject-creator.md)
- [自定义Subject](cn/custom-subject.md)
- [自定义数据源](cn/custom-datasource.md)
- [自定义Processor](cn/custom-processor.md)
- 集成案例
- [10分钟项目集成](cn/sample-bootstrap.md)
- [30分钟项目集成](cn/sample-tom.md)
- [Quarkus项目集成](cn/sample-quarkus.md)
- [Spring-Webflux项目集成](cn/sample-spring-webflux.md)
- [Javalin项目集成](cn/sample-javalin.md)
- [Ktor项目集成](cn/sample-ktor.md)
- 其它
- [设计文档](cn/design.md)
- [参与贡献](cn/contributing.md)
- [Changelog](https://github.com/tomsun28/sureness/releases ':ignore')
参与贡献
=======================================
非常欢迎参与项目贡献,帮助sureness走得更远更好。对项目代码有疑问或者建议请直接联系 @tomsun28
仓库的组成部分:
- [sureness的核心代码--sureness-core](https://github.com/tomsun28/sureness/tree/master/core)
- [使用sureness10分钟搭建权限项目--sample-bootstrap](https://github.com/tomsun28/sureness/tree/master/sample-bootstrap)
- [使用sureness30分钟搭建权限项目--sample-tom](https://github.com/tomsun28/sureness/tree/master/sample-tom)
Contributing to sureness
=======================================
......
## 自定义数据源
自定义前需要了解sureness提供的扩展接口,详见 [进阶扩展](cn/extend-point.md)
实现 `PathTreeProvider`的接口, 加载到`DefaultPathRoleMatcher`
实现 `SurenessAccountProvider`的接口,加载到需要的`processor`
具体扩展实践请参考 [使用sureness30分钟项目集成案例](cn/sample-tom.md)
## 自定义processor
自定义前需要了解sureness提供的扩展接口,详见 [进阶扩展](cn/extend-point.md)
一个`subject`当然也可以被不同的`processor`处理,所以可以单独自定义`processor`
实现`Processor`接口,设置支持的`subject`,实现处理该`subject`的逻辑
具体扩展实践请参考 [使用sureness30分钟项目集成案例](cn/sample-tom.md)
\ No newline at end of file
## 自定义subject creator
自定义subject creator是我们使用频率最高的扩展,当请求体对象并不是servlet或者jax-rs标准api时, 我们就需要自定义subject creator,
使其通过请求对象获取我们需要的请求信息(请求路径,请求方法,认证信息等), 从而创建出对应的subject
自定义前需要了解sureness提供的扩展接口,详见 [进阶扩展](cn/extend-point.md)
- `SubjectCreate`: 创建`Subject`接口,根据请求内容创建不同类型的`Subject`对象
实现`SubjectCreate`接口方法,根据不同的请求对象创建出对应需要的的`subject`
具体扩展实践请参考 [sample-spring-webflux项目集成案例](cn/sample-spring-webflux.md)
\ No newline at end of file
## 自定义subject
自定义前需要了解sureness提供的扩展接口,详见 [进阶扩展](cn/extend-point.md)
实现`Subject`接口,添加自定义的`subject`内容
实现`SubjectCreate`接口方法,创建出自定义的`subject`
实现`Processor`接口,支持处理自定义的`subject`
具体扩展实践请参考 [使用sureness30分钟项目集成案例](cn/sample-tom.md)
\ No newline at end of file
## Default support auth type
## 默认支持的认证方式
Now sureness supports JWT, Basic Auth... also can extend custom supported authentication methods(by extend interface `Processor`,`Subject`,`SubjectCreate`).
`sureness`目前默认支持的认证方式有`bearer jwt`,`basic auth`, 当然用户可以通过扩展`Processor`,`Subject``SubjectCreate`接口实现自定义的认证方式
#### `bearer jwt`
`jwt` - `json web token`, is a very popular cross-domain, stateless, security authentication solution.
why we call `bearer jwt` here is because `jwt` is put into the `bearer token` in the http request header, eg: `Authorization: Bearer jsonWebTokenValue`
`jwt``json web token`,是目前很流行的跨域,无状态,安全认证解决方案,介绍详见[网络](http://www.ruanyifeng.com/blog/2018/07/json_web_token-tutorial.html)
我们这里为啥叫`bearer jwt`是因为`jwt`是放入到http请求头的`bearer token`里面,即: `Authorization: Bearer jsonWebTokenValue`
eg:
```
GET /api/v1/source1 HTTP/1.1
......@@ -13,12 +13,12 @@ Content-Type: application/json
Authorization: Bearer eyJhbGciOiJIUzUxMiIsInppcCI6IkRFRiJ9.eNocjEEOwiAQRe8y65IwCBQ4hlvjotAhVqs1DBoT492l7F5e_vtfuNYFAliUPs3aCrIuCW1nFDHlUaBVqJOLJpkIA_ArtnHd7o0X5s43egim8qayy6lCQOOUd15JHIA-zy4OUo5dlG2lFp46KDjvR0fKhfgCIU8r0-8PAAD__w.f-3klWWDpEO3uDLlx2S53DV2cYernwVEDwcC6z1JexocbZoxRKmASTOuky1qMCxy_hV8-RbuMjDmI3ASa_FQOw
```
we can use it in postman: add jwt in Bearer Token.
我们可以在`postman`如下使用它: 将`jwt`值塞入`Bearer Token`.
![jwtPostmanUse](../_images/jwtPostmanUse.png)
#### `basic auth`
`basic auth` - `Basic access authentication`, is a classic `http` basic authentication method.
This authentication method encrypts the string `base64` composed of the account password and puts it in the `Authorization` of the request header, eg: `Authorization: Basic base64encode(username+":"+password)`
`basic auth``Basic access authentication`,经典的`http`基本认证方式,介绍详见[网络](https://www.jianshu.com/p/4cd42f7359f4)
这种认证方式是将账户密码组成的字符串`base64`加密,放入到请求头的 `Authorization`中, 即:`Authorization: Basic base64encode(username+":"+password)`
eg:
```
GET /api/v1/source1 HTTP/1.1
......@@ -27,14 +27,12 @@ Content-Type: application/json
Authorization: Basic dG9tOjMyMTEz
```
we can use it in postman: add username password in `Basic Auth` type's `Authorization`, postman would encrypt it automatically.
我们可以在`postman`如下使用它: 在`Basic Auth`类型的`Authorization`中输入账户密码即可,`postman`会自动对其`base64`加密.
![basicAuthPostmanUse](../_images/basicAuthPostmanUse.png)
#### other auth type
Sureness currently supports these two types for the time being, and will continue to expand other basic authentication methods in the future.
Of course, you can easily customize the authentication method, detail [Custom Subject](en/custom-subject.md)
#### 其他认证方式
目前sureness暂支持这两种,之后会陆续扩展其他基本认证方式,当然你也可以很轻松的自定义认证方式,详见[自定义Subject](cn/custom-subject.md)
We provide the demo to use default authentication method, detail please refer to [10 Minute Tutorial's Program--sample-bootstrap](en/sample-bootstrap.md)
Also we provide the demo to custom authentication method, detail please refer to [30 Minute Tutorial's Program--sample-tom](en/sample-tom.md)
我们提供了默认认证方式的使用`DEMO`,请参考 [使用sureness10分钟项目集成案例](cn/sample-bootstrap.md)
当然我们也提供了自定义认证方式的扩展`DEMO`,请参考 [使用sureness30分钟项目集成案例](cn/sample-tom.md)
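Review bot: the `basic auth` paragraph describes base64 as encryption (`encrypts the string base64 composed of the account password` and `postman would encrypt it automatically`); base64 is a reversible encoding, so the value in `Authorization: Basic dG9tOjMyMTEz` reveals the username and password to anyone who can read the header. Suggest `encodes … with base64` in both sentences plus a one-line note that basic auth only protects credentials when the request is sent over TLS. The Chinese lines carry the same wording (`base64加密`), and the second copy of this page further down in the diff repeats both sentences.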
## Default Config DataSource
## 默认数据源
`sureness`认证鉴权当然也需要我们自己的配置数据:账户数据,角色权限数据等
这些配置数据可能来自文本,关系数据库,非关系数据库
我们提供了配置数据接口`SurenessAccountProvider`, `PathTreeProvider`, 用户可以实现此接口实现自定义配置数据源
当然我们也提供默认文本形式的配置数据实现 `DocumentResourceDefaultProvider`
用户可以创建文件`sureness.yml`来配置数据,配置样例如下:
Sureness need dataSource to authenticate and authorize, eg: role data, user data etc.
The dataSource can load from txt, dataBase or no dataBase etc.
We provide interfaces `SurenessAccountProvider`, `PathTreeProvider` for user implement to load data from the dataSource where they want.
Also, we provide default dataSource implement which load dataSource from txt(sureness.yml), user can defined their data in sureness.yml.
eg:
```
## -- sureness.yml txt dataSource-- ##
## -- sureness.yml文本数据源 -- ##
# load api resource which need be protected.
# eg: /api/v2/host===post===[role2,role3,role4] means /api/v2/host===post is be role2,role3,role4 supported access
# eg: /api/v1/getSource3===get===[] means /api/v1/getSource3===get is be all role or no role supported access
# 加载到匹配字典的资源,也就是需要被保护的,设置了所支持角色访问的资源
# 没有配置的资源也默认被认证保护,但不鉴权
# eg: /api/v2/host===post===[role2,role3,role4] 表示 /api/v2/host===post 这条资源支持 role2,role3,role4这三种角色访问
# eg: /api/v1/getSource3===get===[] 表示 /api/v1/getSource3===get 这条资源支持所有角色或无角色访问
resourceRole:
- /api/v2/host===post===[role2,role3,role4]
- /api/v2/host===get===[role2,role3,role4]
......@@ -25,21 +28,20 @@ resourceRole:
- /api/v1/source1===put===[role1,role2]
- /api/v1/source2===get===[]
# load api resource wich do not need be proetcted, means them need be filtering.
# these api resource can be access by everyone
# 需要被过滤保护的资源,不认证鉴权直接访问
excludedResource:
- /api/v3/host===get
- /api/v3/book===get
- /api/v1/account/auth===post
# account info
# there are three account: admin root tom
# eg: admin has [role1,role2] ROLE, encrypted password is 0192023A7BBD73250516F069DF18B500
# eg: root has no ROLE, no encrypted password is 23456
# 用户账户信息
# 下面有 admin root tom三个账户
# eg: admin 拥有[role1,role2]角色,加盐密码为0192023A7BBD73250516F069DF18B500
# eg: root 没有角色,密码为明文23456
account:
- appId: admin
# if add salt, the password is encrypted password - the result MD5(password+salt)
# if no salt, the password is no encrypted password
# 如果填写了加密盐--salt,则credential为MD5(password+salt)的32位结果
# 没有盐认为不加密,credential为明文
credential: 0192023A7BBD73250516F069DF18B500
salt: 123
role: [role1,role2]
......@@ -52,5 +54,5 @@ account:
```
If the configuration resource data comes from text, please refer to [10 Minute Tutorial's Program--sample-bootstrap](en/sample-bootstrap.md)
If the configuration resource data comes from dataBase, please refer to [30 Minute Tutorial's Program--sample-tom](en/sample-tom.md)
我们提供了默认文本数据源使用`DEMO`,默认文本数据源具体实现,请参考 [使用sureness10分钟项目集成案例](cn/sample-bootstrap.md)
当然数据源也可以来自数据库等存储,我们提供了接口让用户轻松的自定义数据源,详见[自定义数据源](cn/custom-datasource.md)
\ No newline at end of file
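Review bot: the English comments above `resourceRole:` drop the default that the Chinese comment states (`没有配置的资源也默认被认证保护,但不鉴权`: resources not listed here still require authentication but skip authorization); a reader of the default-language docs needs that sentence, because it decides what happens to every endpoint left out of `sureness.yml`. Two further points in the same block: `load api resource wich do not need be proetcted` should read `which do not need to be protected`, and the `account:` comments call `MD5(password+salt)` an `encrypted password` and a missing `salt` `no encrypted password` (plaintext, as in the `root` example with `23456`); MD5 is a hash rather than encryption, and the comment should say these are sample credentials and that real deployments should store credentials with a purpose-built password hash.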
## sureness 默认异常
`sureness`使用异常处理流程,我们需要对`checkIn`的认证鉴权流程中发生的认证失败或无权限访问等抛出的相应异常做自定义处理,
若认证鉴权成功,则直接通过,失败抛出特定异常,捕获异常,流程如下:
```
try {
SubjectSum subject = SurenessSecurityManager.getInstance().checkIn(servletRequest);
} catch (ProcessorNotFoundException | UnknownAccountException | UnsupportedSubjectException e4) {
// 账户创建相关异常
} catch (DisabledAccountException | ExcessiveAttemptsException e2 ) {
// 账户禁用相关异常
} catch (IncorrectCredentialsException | ExpiredCredentialsException e3) {
// 认证失败相关异常
} catch (UnauthorizedException e5) {
// 鉴权失败相关异常
} catch (RuntimeException e) {
// 其他自定义异常
}
```
sureness 默认支持的异常处理流程中的异常如下:
`sureness`异常 | 异常描述
--- | ---
SurenessAuthenticationException | 基础认证异常,认证相关的子异常应该继承此异常
SurenessAuthorizationException | 基础鉴权异常,鉴权相关的子异常应该继承此异常
ProcessorNotFoundException | 认证异常,未找到支持此subject的processor
UnknownAccountException | 认证异常,不存在此账户
UnSupportedSubjectException | 认证异常,不支持的请求,未创建出subject
DisabledAccountException | 认证异常,账户禁用
ExcessiveAttemptsException | 认证异常,账户尝试认证次数过多
IncrrectCredentialsException | 认证异常,密钥错误
ExpiredCredentialsException | 认证异常,密钥认证过期
UnauthorizedException | 鉴权异常,没有权限访问此资源
自定义异常需要继承`SurenessAuthenticationException``SurenessAuthorizationException`才能被最外层捕获
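Review bot: two names in the exception table do not match the catch clauses in the code block above it: the table lists `UnSupportedSubjectException` and `IncrrectCredentialsException`, while the code catches `UnsupportedSubjectException` and `IncorrectCredentialsException`. A reader copying the table names into their own catch clauses will get a compile error, so align the table with the identifiers used in the code.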
### 高性能匹配
![pathRoleMatcher](../_images/PathRoleMatcher.svg)
### 处理流程
![sureness-core](../_images/sureness-core.svg)
## 进阶扩展
如果了解处理流程,就大概知道`sureness`提供的扩展点
`sureness`支持自定义`subject`,自定义`subjectCreator`注册,自定义`processor`处理器等
扩展之前需要了解以下接口:
- `Subject`: 认证鉴权对象接口,提供访问对象的账户密钥,请求资源,角色等信息
- `SubjectCreate`: 创建`Subject`接口,根据请求内容创建不同类型的`Subject`对象
- `Processor`: `Subject`处理接口,根据Subject信息,进行认证鉴权
- `PathTreeProvider`: 资源的数据源接口,实现从数据库,文本等加载数据
- `SurenessAccountProvider`: 用户的账户密钥信息接口,实现从数据库,文本等加载数据
`sureness`大致流程:
```mermaid
graph TD
A(用户请求体进来) --> B(s)
B(subjectCreate根据请求头内容创建不同的钥匙subject,每把钥匙都可以尝试) --> C(s)
C(不同的钥匙认证方式即不同的锁processor来处理进来的钥匙subject) --> D(s)
D(以上一次成功即成功并结束,失败即下一个钥匙锁尝试直到所有尝试结束)
```
\ No newline at end of file
## URI路径匹配
我们配置的资源格式为:`requestUri===httpMethod`, 即请求的路径加上其请求方式(`post,get,put,delete...`)作为一个整体被视作一个资源
`eg: /api/v2/book===get` `get`方式请求`/api/v2/book`接口数据
这里的`requestUri`支持url路径匹配符匹配: `*`, `**`
通配符 | 描述
--- | ---
`*` | 匹配0个或1个目录
`**` | 匹配0个或多个目录
样例 | 说明
--- | ---
`/api/*/book` | 可以匹配 `/api/user/book``/api/book`
`/**` | 可以匹配任何路径
`/**/foo` | 可以匹配 `/api/user/book/foo`
匹配优先级: 原始字符串 > `*` > `**`
最长路径匹配原则:
eg: `requestUri``/app/book/foo`,若存在两个路径匹配模式`/app/**``/app/book/*`,则会匹配到`/app/book/*`
\ No newline at end of file
## 快速开始
##### <font color="red">使用前一些约定</font>
- `sureness`尽量简洁,基于`rbac`,但只有(角色-资源)的映射,没有(权限)动作映射
- 我们将`restful api`请求视作一个资源,资源格式为: `requestUri===httpMethod`
即请求的路径加上其请求方式(`post,get,put,delete...`)作为一个整体被视作一个资源
`eg: /api/v2/book===get` `get`方式请求`/api/v2/book`接口数据
- 角色资源映射: 用户所属角色--角色拥有资源--用户拥有资源(用户就能访问此`api`)
资源路径匹配详见 [url路径匹配](cn/path-match.md)
##### 项目中加入sureness
1. 项目使用`maven`构建,加入`maven`坐标
```
<dependency>
<groupId>com.usthe.sureness</groupId>
<artifactId>sureness-core</artifactId>
<version>0.0.2.7</version>
</dependency>
```
2. 项目使用`gradle`构建,`gradle`坐标
```
compile group: 'com.usthe.sureness', name: 'sureness-core', version: '0.0.2.7'
```
3. 项目为普通工程,加入`sureness-core.jar`依赖
```
在 mvnrepository 下载jar
https://mvnrepository.com/artifact/com.usthe.sureness/sureness-core
```
##### 添加拦截所有请求的过滤器入口
入口拦截器器实现一般可以是 `filter or spring interceptor`
在拦截器加入sureness的安全过滤器,如下:
入口,一般放在拦截所有请求的`filter`:
```
SurenessSecurityManager.getInstance().checkIn(servletRequest)
```
##### 实现相关异常处理
`sureness`使用异常处理流程,我们需要对`checkIn`抛出的异常做自定义处理,
安全过滤器,认证鉴权成功直接通过,失败抛出特定异常,捕获异常,如下:
```
try {
SubjectSum subject = SurenessSecurityManager.getInstance().checkIn(servletRequest);
} catch (ProcessorNotFoundException | UnknownAccountException | UnsupportedSubjectException e4) {
// 账户创建相关异常
} catch (DisabledAccountException | ExcessiveAttemptsException e2 ) {
// 账户禁用相关异常
} catch (IncorrectCredentialsException | ExpiredCredentialsException e3) {
// 认证失败相关异常
} catch (UnauthorizedException e5) {
// 鉴权失败相关异常
} catch (RuntimeException e) {
// 其他自定义异常
}
```
异常详见 [默认异常](cn/default-exception.md)
##### 加载配置数据
`sureness`认证鉴权当然也需要我们自己的配置数据:账户数据,角色权限数据等
这些配置数据可能来自文本,关系数据库,非关系数据库
我们提供了配置数据接口`SurenessAccountProvider`, `PathTreeProvider`, 用户可以实现此接口实现自定义配置数据源
当前我们也提供默认文本形式的配置数据实现 `DocumentResourceDefaultProvider`, 用户可以配置`sureness.yml`来配置数据
默认文本数据源配置详见 [默认数据源](cn/default-datasource.md)
我们提供了默认文本数据源使用`DEMO`,默认文本数据源具体实现,请参考 [使用sureness10分钟项目集成案例](cn/sample-bootstrap.md)
若权限配置数据来自数据库,请参考 [使用sureness30分钟项目集成案例](cn/sample-tom.md)
**HAVE FUN**
\ No newline at end of file
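Review bot: the dependency coordinates in this page pin `<version>0.0.2.7</version>` and `version: '0.0.2.7'`, while both cover pages in this commit advertise `sureness <small>0.0.2.8 for jvm</small>`; one of the two should be updated so the quick start does not point at an older release than the landing page. Also, the third option wraps prose (`在 mvnrepository 下载jar` plus the URL) in a code fence; a plain sentence with a link would render better than a fenced block.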
## Sample-bootstrap
[sureness 10分钟例子项目仓库地址](https://github.com/tomsun28/sureness/tree/master/sample-bootstrap)
- 基于`springboot`
- 从默认的配置文件`sureness.yml`加载账户信息,资源角色,过滤资源等信息
- 使用默认的`sureness-config`
- 使用默认的`jwt,basic auth`方式认证鉴权
- 例子中包含`restful api,websocket`
- 保护入口: `SurenessFilterExample`
- 推荐使用`postman`测试,测试样例为`sample-bootstrap-postman.json`,导入`postman`即可
## Sample-javalin-sureness
[javalin-sureness例子项目仓库地址](https://github.com/tomsun28/sureness/tree/master/samples/javalin-sureness)
- 基于`javalin, servlet`
- 从默认的配置文件`sureness.yml`加载账户信息,资源角色,过滤资源等信息
- 使用默认的`sureness-config`
- 使用默认的`jwt,basic auth`方式认证鉴权
- 例子中包含`restful api`
- 保护入口: `Application`
- 推荐使用`postman`测试
## Sample-ktor-sureness
[ktor-sureness例子项目仓库地址](https://github.com/tomsun28/sureness/tree/master/samples/ktor-sureness)
- 基于`ktor, servlet`
- 从默认的配置文件`sureness.yml`加载账户信息,资源角色,过滤资源等信息
- 使用默认的`sureness-config`
- 使用默认的`jwt,basic auth`方式认证鉴权
- 例子中包含`restful api`
- 保护入口: `Application.kt`
- 推荐使用`postman`测试
## Sample-quarkus-sureness
[quarkus-sureness例子项目仓库地址](https://github.com/tomsun28/sureness/tree/master/samples/quarkus-sureness)
- 基于`quarkus, jax-rs`
- 从默认的配置文件`sureness.yml`加载账户信息,资源角色,过滤资源等信息
- 使用默认的`sureness-config`
- 使用默认的`jwt,basic auth`方式认证鉴权
- 例子中包含`restful api`
- 保护入口: `SurenessFilterExample`
- 推荐使用`postman`测试
## Sample-spring-webflux-sureness
[spring-webflux-sureness例子项目仓库地址](https://github.com/tomsun28/sureness/tree/master/samples/spring-webflux-sureness)
- 基于`spring-webflux`
- 自定义 subject creator (BasicSubjectReactiveCreator, JwtSubjectReactiveCreator, NoneSubjectReactiveCreator) 适配 ServerHttpRequest 请求体
- 从默认的配置文件`sureness.yml`加载账户信息,资源角色,过滤资源等信息
- 使用默认的`jwt,basic auth`方式认证鉴权
- 例子中包含`restful api`
- 保护入口: `SurenessFilterExample`
- 推荐使用`postman`测试
\ No newline at end of file
## Sample-tom
[sureness 30分钟例子项目仓库地址](https://github.com/tomsun28/sureness/tree/master/sample-tom)
- 基于`springboot,jpa...`
- 自定义数据源,使用从数据库加载账户信息,资源角色,过滤资源等信息,这样便于动态调整
- 除了使用了默认的`jwt,basic auth`方式认证鉴权,新增自定义认证鉴权(自定义`subject subjectCreator processor...`)
- 推荐使用`postman`测试,测试样例为`sample-tom-postman.json`,导入`postman`即可
\ No newline at end of file
参与贡献
=======================================
非常欢迎参与项目贡献,帮助sureness走得更远更好。对项目代码有疑问或者建议请直接联系 @tomsun28
仓库的组成部分:
- [sureness的核心代码--sureness-core](https://github.com/tomsun28/sureness/tree/master/core)
- [使用sureness10分钟搭建权限项目--sample-bootstrap](https://github.com/tomsun28/sureness/tree/master/sample-bootstrap)
- [使用sureness30分钟搭建权限项目--sample-tom](https://github.com/tomsun28/sureness/tree/master/sample-tom)
Contributing to sureness
=======================================
......
## 自定义数据源
## Custom Datasource
自定义前需要了解sureness提供的扩展接口,详见 [进阶扩展](extend-point.md)
Suggest take a look at the interface sureness provided, detail [Advanced Use](extend-point.md)
实现 `PathTreeProvider`的接口, 加载到`DefaultPathRoleMatcher`
实现 `SurenessAccountProvider`的接口,加载到需要的`processor`
`Implment PathTreeProvider, load in DefaultPathRoleMatcher`
`Implment SurenessAccountProvide, load in processor`
具体扩展实践请参考 [使用sureness30分钟项目集成案例](sample-tom.md)
Detail please refer to [30 Minute Tutorial's Program--sample-tom](sample-tom.md)
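Review bot: `Implment SurenessAccountProvide, load in processor` misspells the interface, which is named `SurenessAccountProvider` two lines above and throughout the datasource docs, so a reader searching the code base for it will find nothing; fix the name and the `Implment` typo (which recurs in the custom-processor and custom-subject pages below). These instruction sentences are also wrapped entirely in backticks, which renders them as inline code; keep the backticks only around the identifiers, e.g. Implement `PathTreeProvider` and load it into `DefaultPathRoleMatcher`.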
## 自定义processor
## Custom Processor
自定义前需要了解sureness提供的扩展接口,详见 [进阶扩展](extend-point.md)
Suggest take a look at the interface sureness provided, detail [Advanced Use](extend-point.md)
一个`subject`当然也可以被不同的`processor`处理,所以可以单独自定义`processor`
实现`Processor`接口,设置支持的`subject`,实现处理该`subject`的逻辑
`A subject also can support by different processor, so we can custom processor to support custom subject`
`implment Processor, define which subject can support and implment processing details`
具体扩展实践请参考 [使用sureness30分钟项目集成案例](sample-tom.md)
\ No newline at end of file
Detail please refer to [30 Minute Tutorial's Program--sample-tom](sample-tom.md)
## 自定义subject creator
## custom subject creator
自定义subject creator是我们使用频率最高的扩展,当请求体对象并不是servlet或者jax-rs标准api时, 我们就需要自定义subject creator,
使其通过请求对象获取我们需要的请求信息(请求路径,请求方法,认证信息等), 从而创建出对应的subject
Custom subject creator is our most frequently used extension.
When the request body object is not a servlet or jax-rs standard api, we need to customize the subject creator,
make it obtain the request information we need (request path, request method, authentication information, etc.) through the request object, thereby creating the corresponding subject.
自定义前需要了解sureness提供的扩展接口,详见 [进阶扩展](extend-point.md)
Suggest take a look at the interface sureness provided, detail [Advanced Use](extend-point.md)
- `SubjectCreate`: 创建`Subject`接口,根据请求内容创建不同类型的`Subject`对象
- `SubjectCreate`: Create a `Subject` interface and create different types of `Subject` objects according to the request content.
实现`SubjectCreate`接口方法,根据不同的请求对象创建出对应需要的的`subject`
Implement the `SubjectCreate` interface method, and create the corresponding `subject` according to different request objects.
具体扩展实践请参考 [sample-spring-webflux项目集成案例](sample-spring-webflux.md)
\ No newline at end of file
Detail please refer to [sample-spring-webflux-sureness](sample-spring-webflux.md)
\ No newline at end of file
## 自定义subject
## Custom Subject
自定义前需要了解sureness提供的扩展接口,详见 [进阶扩展](extend-point.md)
Suggest take a look at the interface sureness provided, detail [Advanced Use](extend-point.md)
实现`Subject`接口,添加自定义的`subject`内容
实现`SubjectCreate`接口方法,创建出自定义的`subject`
实现`Processor`接口,支持处理自定义的`subject`
`Implment Subject, add custom subject content`
`Implment SubjectCreate to create custom subject`
`Implment Processor to support custom subject`
具体扩展实践请参考 [使用sureness30分钟项目集成案例](sample-tom.md)
\ No newline at end of file
Detail please refer to [30 Minute Tutorial's Program--sample-tom](sample-tom.md)
## 默认支持的认证方式
## Default support auth type
`sureness`目前默认支持的认证方式有`bearer jwt`,`basic auth`, 当然用户可以通过扩展`Processor`,`Subject``SubjectCreate`接口实现自定义的认证方式
Now sureness supports JWT, Basic Auth... also can extend custom supported authentication methods(by extend interface `Processor`,`Subject`,`SubjectCreate`).
#### `bearer jwt`
`jwt``json web token`,是目前很流行的跨域,无状态,安全认证解决方案,介绍详见[网络](http://www.ruanyifeng.com/blog/2018/07/json_web_token-tutorial.html)
我们这里为啥叫`bearer jwt`是因为`jwt`是放入到http请求头的`bearer token`里面,即: `Authorization: Bearer jsonWebTokenValue`
`jwt` - `json web token`, is a very popular cross-domain, stateless, security authentication solution.
why we call `bearer jwt` here is because `jwt` is put into the `bearer token` in the http request header, eg: `Authorization: Bearer jsonWebTokenValue`
eg:
```
GET /api/v1/source1 HTTP/1.1
......@@ -13,12 +13,12 @@ Content-Type: application/json
Authorization: Bearer eyJhbGciOiJIUzUxMiIsInppcCI6IkRFRiJ9.eNocjEEOwiAQRe8y65IwCBQ4hlvjotAhVqs1DBoT492l7F5e_vtfuNYFAliUPs3aCrIuCW1nFDHlUaBVqJOLJpkIA_ArtnHd7o0X5s43egim8qayy6lCQOOUd15JHIA-zy4OUo5dlG2lFp46KDjvR0fKhfgCIU8r0-8PAAD__w.f-3klWWDpEO3uDLlx2S53DV2cYernwVEDwcC6z1JexocbZoxRKmASTOuky1qMCxy_hV8-RbuMjDmI3ASa_FQOw
```
我们可以在`postman`如下使用它: 将`jwt`值塞入`Bearer Token`.
we can use it in postman: add jwt in Bearer Token.
![jwtPostmanUse](_images/jwtPostmanUse.png)
#### `basic auth`
`basic auth``Basic access authentication`,经典的`http`基本认证方式,介绍详见[网络](https://www.jianshu.com/p/4cd42f7359f4)
这种认证方式是将账户密码组成的字符串`base64`加密,放入到请求头的 `Authorization`中, 即:`Authorization: Basic base64encode(username+":"+password)`
`basic auth` - `Basic access authentication`, is a classic `http` basic authentication method.
This authentication method encrypts the string `base64` composed of the account password and puts it in the `Authorization` of the request header, eg: `Authorization: Basic base64encode(username+":"+password)`
eg:
```
GET /api/v1/source1 HTTP/1.1
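Review bot: "encrypts the string `base64`" (and the Chinese "base64加密") is wrong: Base64 is an encoding, not encryption. The sample header `Authorization: Basic dG9tOjMyMTEz` decodes to `tom:32113`, so anyone who can read the header has the password. Reword to "Base64-encodes" and add the caveat that Basic auth is only acceptable over TLS, because the credential is sent on every request.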
......@@ -27,12 +27,14 @@ Content-Type: application/json
Authorization: Basic dG9tOjMyMTEz
```
我们可以在`postman`如下使用它: 在`Basic Auth`类型的`Authorization`中输入账户密码即可,`postman`会自动对其`base64`加密.
we can use it in postman: add username password in `Basic Auth` type's `Authorization`, postman would encrypt it automatically.
![basicAuthPostmanUse](_images/basicAuthPostmanUse.png)
#### 其他认证方式
目前sureness暂支持这两种,之后会陆续扩展其他基本认证方式,当然你也可以很轻松的自定义认证方式,详见[自定义Subject](custom-subject.md)
#### other auth type
Sureness currently supports these two types for the time being, and will continue to expand other basic authentication methods in the future.
Of course, you can easily customize the authentication method, detail [Custom Subject](custom-subject.md)
我们提供了默认认证方式的使用`DEMO`,请参考 [使用sureness10分钟项目集成案例](sample-bootstrap.md)
当然我们也提供了自定义认证方式的扩展`DEMO`,请参考 [使用sureness30分钟项目集成案例](sample-tom.md)
We provide the demo to use default authentication method, detail please refer to [10 Minute Tutorial's Program--sample-bootstrap](sample-bootstrap.md)
Also we provide the demo to custom authentication method, detail please refer to [30 Minute Tutorial's Program--sample-tom](sample-tom.md)
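Review bot: "postman would encrypt it automatically" repeats the encode/encrypt confusion from the previous hunk; Postman Base64-encodes `username:password`, nothing is encrypted. "Sureness currently supports these two types for the time being, and will continue to expand other basic authentication methods in the future" is a roadmap sentence with no content; either name the planned methods or drop it, since the next line already tells readers how to add their own.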
## 默认数据源
`sureness`认证鉴权当然也需要我们自己的配置数据:账户数据,角色权限数据等
这些配置数据可能来自文本,关系数据库,非关系数据库
我们提供了配置数据接口`SurenessAccountProvider`, `PathTreeProvider`, 用户可以实现此接口实现自定义配置数据源
当然我们也提供默认文本形式的配置数据实现 `DocumentResourceDefaultProvider`
用户可以创建文件`sureness.yml`来配置数据,配置样例如下:
## Default Config DataSource
Sureness need dataSource to authenticate and authorize, eg: role data, user data etc.
The dataSource can load from txt, dataBase or no dataBase etc.
We provide interfaces `SurenessAccountProvider`, `PathTreeProvider` for user implement to load data from the dataSource where they want.
Also, we provide default dataSource implement which load dataSource from txt(sureness.yml), user can defined their data in sureness.yml.
eg:
```
## -- sureness.yml文本数据源 -- ##
## -- sureness.yml txt dataSource-- ##
# 加载到匹配字典的资源,也就是需要被保护的,设置了所支持角色访问的资源
# 没有配置的资源也默认被认证保护,但不鉴权
# eg: /api/v2/host===post===[role2,role3,role4] 表示 /api/v2/host===post 这条资源支持 role2,role3,role4这三种角色访问
# eg: /api/v1/getSource3===get===[] 表示 /api/v1/getSource3===get 这条资源支持所有角色或无角色访问
# load api resource which need be protected.
# eg: /api/v2/host===post===[role2,role3,role4] means /api/v2/host===post is be role2,role3,role4 supported access
# eg: /api/v1/getSource3===get===[] means /api/v1/getSource3===get is be all role or no role supported access
resourceRole:
- /api/v2/host===post===[role2,role3,role4]
- /api/v2/host===get===[role2,role3,role4]
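Review bot: the English comment block drops the Chinese line "没有配置的资源也默认被认证保护,但不鉴权" (resources not listed here are still protected by authentication by default, but no role check is applied). That is the most security-relevant default on the page: an unlisted endpoint still needs a valid login, yet any logged-in account can reach it. Add it to the English text. While here, "is be role2,role3,role4 supported access" reads better as "may be accessed by role2, role3 and role4", and the `[]` example as "may be accessed by any role, or by an account with no role".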
......@@ -28,20 +25,21 @@ resourceRole:
- /api/v1/source1===put===[role1,role2]
- /api/v1/source2===get===[]
# 需要被过滤保护的资源,不认证鉴权直接访问
# load api resource wich do not need be proetcted, means them need be filtering.
# these api resource can be access by everyone
excludedResource:
- /api/v3/host===get
- /api/v3/book===get
- /api/v1/account/auth===post
# 用户账户信息
# 下面有 admin root tom三个账户
# eg: admin 拥有[role1,role2]角色,加盐密码为0192023A7BBD73250516F069DF18B500
# eg: root 没有角色,密码为明文23456
# account info
# there are three account: admin root tom
# eg: admin has [role1,role2] ROLE, encrypted password is 0192023A7BBD73250516F069DF18B500
# eg: root has no ROLE, no encrypted password is 23456
account:
- appId: admin
# 如果填写了加密盐--salt,则credential为MD5(password+salt)的32位结果
# 没有盐认为不加密,credential为明文
# if add salt, the password is encrypted password - the result MD5(password+salt)
# if no salt, the password is no encrypted password
credential: 0192023A7BBD73250516F069DF18B500
salt: 123
role: [role1,role2]
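Review bot: the comments call `credential` an "encrypted password"; it is a digest, `MD5(password+salt)` as the 32-character uppercase hex shown, and when `salt` is omitted it is the plaintext password, as the `root` entry with `23456` demonstrates. Say both things explicitly: "if salt is set, credential is the uppercase hex MD5(password+salt); if salt is omitted, credential is the plaintext password and is stored as such in sureness.yml". Readers should also be told that MD5 is a fast general-purpose hash, not a password hashing function, so this file format suits demos and a production deployment should keep accounts behind a `SurenessAccountProvider` backed by a proper credential store. "wich do not need be proetcted" should read "which do not need to be protected".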
......@@ -54,5 +52,5 @@ account:
```
我们提供了默认文本数据源使用`DEMO`,默认文本数据源具体实现,请参考 [使用sureness10分钟项目集成案例](sample-bootstrap.md)
当然数据源也可以来自数据库等存储,我们提供了接口让用户轻松的自定义数据源,详见[自定义数据源](custom-datasource.md)
\ No newline at end of file
If the configuration resource data comes from text, please refer to [10 Minute Tutorial's Program--sample-bootstrap](sample-bootstrap.md)
If the configuration resource data comes from dataBase, please refer to [30 Minute Tutorial's Program--sample-tom](sample-tom.md)
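Review bot: the English ending replaces the Chinese pointer to [自定义数据源](custom-datasource.md) with a pointer to sample-tom.md only. Keep the link to the custom-datasource page as well: it is the reference for `SurenessAccountProvider` and `PathTreeProvider`, while the sample shows one MySQL-backed instance of them.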
## sureness 默认异常
`sureness`使用异常处理流程,我们需要对`checkIn`的认证鉴权流程中发生的认证失败或无权限访问等抛出的相应异常做自定义处理,
若认证鉴权成功,则直接通过,失败抛出特定异常,捕获异常,流程如下:
## Default Sureness Exception
`sureness` uses the exception handling process, we need to customize the corresponding exceptions thrown by the authentication failure or unauthorized access in the authentication process of `checkIn`.
If the authentication is successful, it will pass directly, if it fails, a specific exception will be thrown, and the exception will be caught, eg:
```
try {
SubjectSum subject = SurenessSecurityManager.getInstance().checkIn(servletRequest);
} catch (ProcessorNotFoundException | UnknownAccountException | UnsupportedSubjectException e4) {
// 账户创建相关异常
// Create subject error related execption
} catch (DisabledAccountException | ExcessiveAttemptsException e2 ) {
// 账户禁用相关异常
// Account disable related exception
} catch (IncorrectCredentialsException | ExpiredCredentialsException e3) {
// 认证失败相关异常
// Authentication failure related exception
} catch (UnauthorizedException e5) {
// 鉴权失败相关异常
// Authorization failure related exception
} catch (RuntimeException e) {
// 其他自定义异常
// other sureness exception
}
```
sureness 默认支持的异常处理流程中的异常如下:
`sureness`异常 | 异常描述
--- | ---
SurenessAuthenticationException | 基础认证异常,认证相关的子异常应该继承此异常
SurenessAuthorizationException | 基础鉴权异常,鉴权相关的子异常应该继承此异常
ProcessorNotFoundException | 认证异常,未找到支持此subject的processor
UnknownAccountException | 认证异常,不存在此账户
UnSupportedSubjectException | 认证异常,不支持的请求,未创建出subject
DisabledAccountException | 认证异常,账户禁用
ExcessiveAttemptsException | 认证异常,账户尝试认证次数过多
IncrrectCredentialsException | 认证异常,密钥错误
ExpiredCredentialsException | 认证异常,密钥认证过期
UnauthorizedException | 鉴权异常,没有权限访问此资源
sureness exception | exception note
--- | ---
SurenessAuthenticationException | basic authenticated exception,Authentication related extend it
SurenessAuthorizationException | basic authorized exception,Authorization related extend it
ProcessorNotFoundException | authenticated,not found process support this subject
UnknownAccountException | authenticated,unknown account
UnSupportedSubjectException | authenticated,unSupport request
DisabledAccountException | authenticated,account disable
ExcessiveAttemptsException | authenticated,excessive attempts
IncorrectCredentialsException | authenticated, incorrect credential
ExpiredCredentialsException | authenticated,expired credential
UnauthorizedException | authorized,no permission access this resource
自定义异常需要继承`SurenessAuthenticationException``SurenessAuthorizationException`才能被最外层捕获
Custom exception should extend SurenessAuthenticationException or SurenessAuthorizationException
\ No newline at end of file
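Review bot: the catch chain never names the two base classes, so a custom exception that "should extend SurenessAuthenticationException or SurenessAuthorizationException" lands in the final `catch (RuntimeException e)` together with every unrelated runtime error, and the comment "other sureness exception" on that branch is misleading. Add `catch (SurenessAuthenticationException e)` and `catch (SurenessAuthorizationException e)` before the `RuntimeException` branch, or remove that branch. Two names also disagree with the code: the table lists `UnSupportedSubjectException` while the catch uses `UnsupportedSubjectException`, and the Chinese table has `IncrrectCredentialsException`; only one spelling can be the real class, so align the table with the code. The same catch block is repeated in the English copy of this page and in both quickstart pages.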
### 高性能匹配
### Why Is High Performance
![pathRoleMatcher](_images/PathRoleMatcher.svg)
### 处理流程
### Process flow
![sureness-core](_images/sureness-core.svg)
```mermaid
graph TD
A(request in) --> B(s)
B(subjectCreate creates different key - subjects based on the request header content,every key can be tried once) --> C(s)
C(Different key authentication methods<differnet lock - processors> to process incoming key - subjects) --> D(s)
D(Once successful is successful and ends, failure means the next key lock attempt until the end of all attempts)
```
\ No newline at end of file
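Review bot: the mermaid labels need a proofread before they become the default-language copy: "differnet" should be "different", and "Once successful is successful and ends, failure means the next key lock attempt until the end of all attempts" should read "The first successful match ends processing; on failure the next subject/processor pair is tried until all have been tried". Also check that the angle brackets in `<differnet lock - processors>` render: mermaid treats `<` and `>` inside a node label as markup, so quote the label text or use plain parentheses.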
# `sureness`
> A simple and efficient open-source jvm security framework that focus on the protection of restful api.
[![License](https://img.shields.io/badge/license-Apache%202-4EB1BA.svg)](https://www.apache.org/licenses/LICENSE-2.0.html)
![GitHub pull request check contexts](https://img.shields.io/github/status/contexts/pulls/tomsun28/sureness/8?label=pull%20checks)
[![Gitter](https://img.shields.io/gitter/room/usthe/sureness?label=sureness&color=orange&logo=gitter&logoColor=red)](https://gitter.im/usthe/sureness)
![GitHub Release Date](https://img.shields.io/github/release-date/tomsun28/sureness?color=blue&logo=figshare&logoColor=red)
## <font color="green">`Introduction`</font>
> Sureness is a new, permission project which we learn from apache shiro and add some ideas to create it
> Authentication for restful api, based on RBAC, Mainly focused on the protection of restful api
> No specific framework dependency(support springboot, quarkus, javalin, ktor and more)
> Support dynamic modification of permissions
> Support mainstream http container(servlet and jax-rs)
> Supports JWT, Basic Auth... Can extend custom supported authentication methods
> High performance due dictionary matching tree
> Good extension interface, demo and document.
> The low configuration of sureness, easy to expand, and not coupled with other frameworks, enables developers to quickly and safely protect their projects in multiple scenarios.
##### Framework Sample Support
- [x] spring [sample-bootstrap](en/sample-bootstrap.md)
- [x] springboot [sample-tom](en/sample-tom.md)
- [x] quarkus [sample-quarkus](en/sample-quarkus.md)
- [x] javalin [sample-javalin](en/sample-javalin.md)
- [x] ktor [sample-ktor](en/sample-ktor.md)
- [x] spring webflux [spring-webflux-sureness](en/sample-spring-webflux.md)
- [x] more samples todo
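Review bot: with English becoming the default language, the sample links (`en/sample-bootstrap.md`, `en/sample-tom.md`, and the rest, including every sidebar entry below) still carry the `en/` prefix; if those pages move to the docs root in this commit they will 404. The pull-checks badge is pinned to a single PR (`.../pulls/8?label=pull%20checks`) and will never reflect current status; point it at the branch build instead. Also "Sureness is a new, permission project which we learn from apache shiro" reads better as "Sureness is a new permission framework that borrows ideas from Apache Shiro", and "High performance due dictionary matching tree" as "High performance thanks to a dictionary matching tree".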
- Repository
- [GITHUB](https://github.com/tomsun28/sureness ':ignore')
- [GITEE](https://gitee.com/tomsun28/sureness ':ignore')
- :us: 英文English
- [:cn: Chinese](/)
- Other
- [About Us](https://usthe.com)
- [HOME](/en/)
\ No newline at end of file
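Review bot: `[:cn: Chinese](/)` and `[HOME](/en/)` point the opposite way from index.html in this same change, where `coverpage` and the search keys now use `/cn/` for Chinese and `/` for English. Whichever side of the diff these lines are on, the navbar must end up with Chinese at `/cn/` and HOME at `/`, and the ":us: 英文English" label should be English-only once the English page is the default.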
- Start
- [Introduce](en/README.md "introduce")
- [Quick Start](en/quickstart.md "quick start greatest")
- [URI Match](en/path-match.md)
- [Default Datasource](en/default-datasource.md)
- [Default Auth](en/default-auth.md)
- [Default Exception](en/default-exception.md)
- Advanced Extend
- [Extend Point](en/extend-point.md)
- [Custom Subject Creator](en/custom-subject-creator.md)
- [Custom Subject](en/custom-subject.md)
- [Custom Datasource](en/custom-datasource.md)
- [Custom Processor](en/custom-processor.md)
- Integration Demo
- [10 Minute Tutorial](en/sample-bootstrap.md)
- [30 Minute Tutorial](en/sample-tom.md)
- [Quarkus-Sureness Sample ](en/sample-quarkus.md)
- [Spring-Webflux-Sureness Sample](en/sample-spring-webflux.md)
- [Javalin-Sureness Sample](en/sample-javalin.md)
- [Ktor-Sureness Sample](en/sample-ktor.md)
- Others
- [Design](en/design.md)
- [Contribute To Us](en/contributing.md)
- [Changelog](https://github.com/tomsun28/sureness/releases ':ignore')
## Custom Datasource
Suggest take a look at the interface sureness provided, detail [Advanced Use](en/extend-point.md)
`Implment PathTreeProvider, load in DefaultPathRoleMatcher`
`Implment SurenessAccountProvide, load in processor`
Detail please refer to [30 Minute Tutorial's Program--sample-tom](en/sample-tom.md)
## Custom Processor
Suggest take a look at the interface sureness provided, detail [Advanced Use](en/extend-point.md)
`A subject also can support by different processor, so we can custom processor to support custom subject`
`implment Processor, define which subject can support and implment processing details`
Detail please refer to [30 Minute Tutorial's Program--sample-tom](en/sample-tom.md)
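Review bot: `SurenessAccountProvide` is missing its trailing "r"; the interface is `SurenessAccountProvider` everywhere else in this change (Advanced Use, Quick Start). "Implment" should be "Implement" in all four backticked lines. The Custom Processor text would also help by naming the method through which a processor declares which subject type it accepts, since "define which subject can support" is the whole point of the extension.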
## custom subject creator
Custom subject creator is our most frequently used extension.
When the request body object is not a servlet or jax-rs standard api, we need to customize the subject creator,
make it obtain the request information we need (request path, request method, authentication information, etc.) through the request object, thereby creating the corresponding subject.
Suggest take a look at the interface sureness provided, detail [Advanced Use](en/extend-point.md)
- `SubjectCreate`: Create a `Subject` interface and create different types of `Subject` objects according to the request content.
Implement the `SubjectCreate` interface method, and create the corresponding `subject` according to different request objects.
Detail please refer to [sample-spring-webflux-sureness](en/sample-spring-webflux.md)
\ No newline at end of file
## Custom Subject
Suggest take a look at the interface sureness provided, detail [Advanced Use](en/extend-point.md)
`Implment Subject, add custom subject content`
`Implment SubjectCreate to create custom subject`
`Implment Processor to support custom subject`
Detail please refer to [30 Minute Tutorial's Program--sample-tom](en/sample-tom.md)
## Default Sureness Exception
`sureness` uses the exception handling process, we need to customize the corresponding exceptions thrown by the authentication failure or unauthorized access in the authentication process of `checkIn`.
If the authentication is successful, it will pass directly, if it fails, a specific exception will be thrown, and the exception will be caught, eg:
```
try {
SubjectSum subject = SurenessSecurityManager.getInstance().checkIn(servletRequest);
} catch (ProcessorNotFoundException | UnknownAccountException | UnsupportedSubjectException e4) {
// Create subject error related execption
} catch (DisabledAccountException | ExcessiveAttemptsException e2 ) {
// Account disable related exception
} catch (IncorrectCredentialsException | ExpiredCredentialsException e3) {
// Authentication failure related exception
} catch (UnauthorizedException e5) {
// Authorization failure related exception
} catch (RuntimeException e) {
// other sureness exception
}
```
sureness exception | exception note
--- | ---
SurenessAuthenticationException | basic authenticated exception,Authentication related extend it
SurenessAuthorizationException | basic authorized exception,Authorization related extend it
ProcessorNotFoundException | authenticated,not found process support this subject
UnknownAccountException | authenticated,unknown account
UnSupportedSubjectException | authenticated,unSupport request
DisabledAccountException | authenticated,account disable
ExcessiveAttemptsException | authenticated,excessive attempts
IncorrectCredentialsException | authenticated, incorrect credential
ExpiredCredentialsException | authenticated,expired credential
UnauthorizedException | authorized,no permission access this resource
Custom exception should extend SurenessAuthenticationException or SurenessAuthorizationException
\ No newline at end of file
### Why Is High Performance
![pathRoleMatcher](../_images/PathRoleMatcher.svg)
### Process flow
```mermaid
graph TD
A(request in) --> B(s)
B(subjectCreate creates different key - subjects based on the request header content,every key can be tried once) --> C(s)
C(Different key authentication methods<differnet lock - processors> to process incoming key - subjects) --> D(s)
D(Once successful is successful and ends, failure means the next key lock attempt until the end of all attempts)
```
\ No newline at end of file
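Review bot: the image path here is `../_images/PathRoleMatcher.svg` while the other copy of this page uses `_images/PathRoleMatcher.svg`; after the English docs move to the root only one of these resolves, so verify against the final directory layout. This copy also drops the `sureness-core.svg` process-flow image that the other copy keeps ahead of the mermaid graph; if that was intentional, say so in the commit message, otherwise restore it.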
## Advanced Use
If know sureness Process flow, maybe know the extends point.
Sureness supports custom subject, custom subjectCreator, custom processor and more.
Suggest look these interface before extending:
- `Subject`: Authenticated authorized user's account interface, provide the account's username,password, request resources, roles, etc.
- `SubjectCreate`: Create subject interface, provider create method.
- `Processor`: Process subject interface, where happen authentication and authorization.
- `PathTreeProvider`: Resource data provider, it can load data from txt or database,etc.
- `SurenessAccountProvider`: Account data provider, it can load data from txt or database,etc.
Sureness process flow:
```mermaid
graph TD
A(request in) --> B(s)
B(subjectCreate creates different key - subjects based on the request header content,every key can be tried once) --> C(s)
C(Different key authentication methods<differnet lock - processors> to process incoming key - subjects) --> D(s)
D(Once successful is successful and ends, failure means the next key lock attempt until the end of all attempts)
```
\ No newline at end of file
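Review bot: the flow says every created subject is tried against every processor until one succeeds, but not what happens when the request carries no credential at all. The webflux sample in this change registers a `NoneSubjectReactiveCreator`, so an anonymous subject evidently exists; this page should state how such a subject is treated against a resource whose role list is `[]` and against an `excludedResource` entry, because that is the line between "public endpoint" and "anyone who can log in". The mermaid label typos ("differnet", "Once successful is successful") are the same as in the Design page.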
## URI Path Match
We treat restful requests as a resource, resource format like `requestUri===httpMethod`.
That is the request uri + request method(`post,get,put,delete...`) is considered as a resource as a whole.
`eg: /api/v2/book===get`
The `requestUri` here support url path match: `*`, `**`
Wildcard | Describe
--- | ---
`*` | Match 0 or 1 directories
`**` | Match 0 or more directories
Sample | Note
--- | ---
`/api/*/book` | can match `/api/user/book` or `/api/book` etc
`/**` | can match any path
`/**/foo` | can match `/api/user/book/foo` etc
Match priority: Raw string > `*` > `**`
Longest path matching principle:
eg: when `requestUri` is `/app/book/foo`,If there are two matching patterns - `/app/**` and `/app/book/*`,will match`/app/book/*`
\ No newline at end of file
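Review bot: `*` matching "0 or 1 directories" (so `/api/*/book` also matches `/api/book`) differs from Ant-style matching as used by Spring's `AntPathMatcher`, where `*` never spans a missing segment. Readers coming from Spring will write `/api/*/admin` expecting it not to match `/api/admin`; state the difference explicitly next to the wildcard table. The priority rule would also benefit from one example of a literal beating `*`, for instance `/api/v1/book` winning over `/api/*/book` for the same request.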
## Quick Start
##### <font color="red">Some Conventions</font>
- Based RBAC, only has role-resource, no permission action
- We treat restful requests as a resource, resource format like `requestUri===httpMethod`.
That is the request uri + request method(`post,get,put,delete...`) is considered as a resource as a whole.
`eg: /api/v2/book===get`
- User belongs some Role -- Role owns Resource -- User can access the resource
Resource path matching see: [Uri Match](en/path-match.md)
##### Add sureness In Project
1. When use maven build project, add maven coordinate
```
<dependency>
<groupId>com.usthe.sureness</groupId>
<artifactId>sureness-core</artifactId>
<version>0.0.2.8</version>
</dependency>
```
2. When use gradle build project, add gradle coordinate
```
compile group: 'com.usthe.sureness', name: 'sureness-core', version: '0.0.2.8'
```
3. When not java build project, add sureness-core.jar to classPath
```
download this jar at mvnrepository
https://mvnrepository.com/artifact/com.usthe.sureness/sureness-core
```
##### Add an Interceptor Intercepting All Requests
The interceptor can be a filter or a spring interceptor.
The interceptor intercepts all request to check them.
```
SurenessSecurityManager.getInstance().checkIn(servletRequest)
```
##### Implement Exception Flow When Exception Throw
Authentication passed directly, failure throw exception, catch exception and do something:
```
try {
SubjectSum subject = SurenessSecurityManager.getInstance().checkIn(servletRequest);
} catch (ProcessorNotFoundException | UnknownAccountException | UnsupportedSubjectException e4) {
// Create subject error related execption
} catch (DisabledAccountException | ExcessiveAttemptsException e2 ) {
// Account disable related exception
} catch (IncorrectCredentialsException | ExpiredCredentialsException e3) {
// Authentication failure related exception
} catch (UnauthorizedException e5) {
// Authorization failure related exception
} catch (RuntimeException e) {
// other sureness exception
}
```
Detail sureness exception see: [Default Sureness Exception](en/default-exception.md)
### Load Config DataSource
Sureness need dataSource to authenticate and authorize, eg: role data, user data etc.
The dataSource can load from txt, dataBase or no dataBase etc.
We provide interfaces `SurenessAccountProvider`, `PathTreeProvider` for user implement to load data from the dataSource where they want.
Also, we provide default dataSource implement which load dataSource from txt(sureness.yml), user can defined their data in sureness.yml.
Default Document DataSource Config - sureness.yml, see: [Default DataSource](en/default-datasource.md)
If the configuration resource data comes from text, please refer to [10 Minute Tutorial's Program--sample-bootstrap](en/sample-bootstrap.md)
If the configuration resource data comes from dataBase, please refer to [30 Minute Tutorial's Program--sample-tom](en/sample-tom.md)
**Have Fun**
\ No newline at end of file
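Review bot: the filter sample catches every exception but each branch holds only a comment, and nothing shows that the request must be rejected; a reader who copies it into a `Filter` and calls `chain.doFilter` after the try/catch has turned an authentication failure into a pass-through. Show the rejection in each branch: respond 401 for the subject-creation, account and credential groups, 403 for `UnauthorizedException`, and return without continuing the chain. The catch chain also lacks the base classes `SurenessAuthenticationException` and `SurenessAuthorizationException`, so custom exceptions fall into the generic `RuntimeException` branch. Step 3, "When not java build project", should read "when the project uses no build tool".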
## Sample-bootstrap
[sureness 10 Minute Tutorial](https://github.com/tomsun28/sureness/tree/master/sample-bootstrap)
- Based on `springboot`
- Load data from default dataSource - `sureness.yml`
- Use default sureness config
- Use default `jwt,basic auth` to authenticate and authorize
- Contain `restful api,websocket`
- Project's protected entrance is `SurenessFilterExample`
- Suggest use postman to test, test case is in `sample-bootstrap-postman.json`, user can load it in postman
## Sample-javalin-sureness
[javalin-sureness sample repository](https://github.com/tomsun28/sureness/tree/master/samples/javalin-sureness)
- Based on `javalin, servlet`
- Load data from default dataSource - `sureness.yml`
- Use default sureness config
- Use default `jwt,basic auth` to authenticate and authorize
- Contain `restful api`
- Project's protected entrance is `Application`
- Suggest use postman to test
## Sample-ktor-sureness
[ktor-sureness sample repository](https://github.com/tomsun28/sureness/tree/master/samples/ktor-sureness)
- Based on `ktor, servlet`
- Load data from default dataSource - `sureness.yml`
- Use default sureness config
- Use default `jwt,basic auth` to authenticate and authorize
- Contain `restful api`
- Project's protected entrance is `Application.kt`
- Suggest use postman to test
## Sample-quarkus-sureness
[quarkus-sureness sample repository](https://github.com/tomsun28/sureness/tree/master/samples/quarkus-sureness)
- Based on `quarkus, jax-rs`
- Load data from default dataSource - `sureness.yml`
- Use default sureness config
- Use default `jwt,basic auth` to authenticate and authorize
- Contain `restful api`
- Project's protected entrance is `SurenessFilterExample`
- Suggest use postman to test
## Sample-spring-webflux-sureness
[spring-webflux-sureness sample repository](https://github.com/tomsun28/sureness/tree/master/samples/spring-webflux-sureness)
- Based on `spring-webflux`
- Custom subject creator (BasicSubjectReactiveCreator, JwtSubjectReactiveCreator, NoneSubjectReactiveCreator) adapt to ServerHttpRequest request body
- Load data from default dataSource - `sureness.yml`
- Use default `jwt,basic auth` to authenticate and authorize
- Contain `restful api`
- Project's protected entrance is `SurenessFilterExample`
- Suggest use postman to test
## Sample-tom
[sureness 30 Minute Tutorial](https://github.com/tomsun28/sureness/tree/master/sample-tom)
- Based on `springboot`
- Load data from mysql dataBase dataSource, then user can modify their data dynamically
- Apart from having default `jwt,basic auth`, it adds custom `subject subjectCreator processor` to define new auth type.
- Project's protected entrance is `SurenessFilterExample`
- Suggest use postman to test, test case is in `sample-tom-postman.json`, user can load it in postman
## 进阶扩展
## Advanced Use
如果了解处理流程,就大概知道`sureness`提供的扩展点
`sureness`支持自定义`subject`,自定义`subjectCreator`注册,自定义`processor`处理器等
If know sureness Process flow, maybe know the extends point.
Sureness supports custom subject, custom subjectCreator, custom processor and more.
Suggest look these interface before extending:
扩展之前需要了解以下接口:
- `Subject`: Authenticated authorized user's account interface, provide the account's username,password, request resources, roles, etc.
- `SubjectCreate`: Create subject interface, provider create method.
- `Processor`: Process subject interface, where happen authentication and authorization.
- `PathTreeProvider`: Resource data provider, it can load data from txt or database,etc.
- `SurenessAccountProvider`: Account data provider, it can load data from txt or database,etc.
- `Subject`: 认证鉴权对象接口,提供访问对象的账户密钥,请求资源,角色等信息
- `SubjectCreate`: 创建`Subject`接口,根据请求内容创建不同类型的`Subject`对象
- `Processor`: `Subject`处理接口,根据Subject信息,进行认证鉴权
- `PathTreeProvider`: 资源的数据源接口,实现从数据库,文本等加载数据
- `SurenessAccountProvider`: 用户的账户密钥信息接口,实现从数据库,文本等加载数据
`sureness`大致流程:
Sureness process flow:
```mermaid
graph TD
A(用户请求体进来) --> B(s)
B(subjectCreate根据请求头内容创建不同的钥匙subject,每把钥匙都可以尝试) --> C(s)
C(不同的钥匙认证方式即不同的锁processor来处理进来的钥匙subject) --> D(s)
D(以上一次成功即成功并结束,失败即下一个钥匙锁尝试直到所有尝试结束)
A(request in) --> B(s)
B(subjectCreate creates different key - subjects based on the request header content,every key can be tried once) --> C(s)
C(Different key authentication methods<differnet lock - processors> to process incoming key - subjects) --> D(s)
D(Once successful is successful and ends, failure means the next key lock attempt until the end of all attempts)
```
\ No newline at end of file
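Review bot: the fenced mermaid block here carries both the Chinese node definitions (`A(用户请求体进来)` and following) and the English ones (`A(request in)` and following) for the same four node ids inside one graph. If both sets survive in either language's file, every node is defined twice; make sure each file ends up with exactly one set, and that the Chinese bullet list for the five interfaces is not left interleaved with the English one above it.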
......@@ -17,14 +17,14 @@
<script src="//cdn.jsdelivr.net/npm/docsify-edit-on-github"></script>
</head>
<body>
<div id="app">冲鸭!...</div>
<div id="app">Go Go!!</div>
<script>
var num = 0;
mermaid.initialize({ startOnLoad: false });
window.$docsify = {
auto2top: true,
coverpage: ['/', '/en/'],
coverpage: ['/', '/cn/'],
executeScript: true,
loadSidebar: true,
loadNavbar: true,
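Review bot: `<script src="//cdn.jsdelivr.net/npm/docsify-edit-on-github">` loads an unpinned, protocol-relative third-party script with no `integrity` attribute, so whatever the CDN serves under that name runs in every reader's browser. Pin the version in the URL, use `https://`, and add an SRI hash, and check the remaining script tags in this head the same way. The `coverpage: ['/', '/cn/']` change itself is consistent with English becoming the default.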
......@@ -33,13 +33,13 @@
name: 'sureness',
search: {
noData: {
'/': '没有结果!',
'/en/': 'No results!'
'/cn': '没有结果!',
'/': 'No results!'
},
paths: 'auto',
placeholder: {
'/': '搜索',
'/en': 'Search'
'/cn': '搜索',
'/': 'Search'
}
},
<!-- 字数统计 -->
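Review bot: the search `noData` and `placeholder` keys use `/cn` without a trailing slash while `coverpage` in the previous hunk uses `/cn/`; docsify matches these keys against the current route, so use one form consistently and verify that the Chinese placeholder actually appears on `/cn/` pages and the English one on `/`.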
......
## URI路径匹配
## URI Path Match
We treat restful requests as a resource, resource format like `requestUri===httpMethod`.
That is the request uri + request method(`post,get,put,delete...`) is considered as a resource as a whole.
`eg: /api/v2/book===get`
The `requestUri` here support url path match: `*`, `**`
我们配置的资源格式为:`requestUri===httpMethod`, 即请求的路径加上其请求方式(`post,get,put,delete...`)作为一个整体被视作一个资源
`eg: /api/v2/book===get` `get`方式请求`/api/v2/book`接口数据
这里的`requestUri`支持url路径匹配符匹配: `*`, `**`
通配符 | 描述
Wildcard | Describe
--- | ---
`*` | 匹配0个或1个目录
`**` | 匹配0个或多个目录
`*` | Match 0 or 1 directories
`**` | Match 0 or more directories
样例 | 说明
Sample | Note
--- | ---
`/api/*/book` | 可以匹配 `/api/user/book``/api/book`
`/**` | 可以匹配任何路径
`/**/foo` | 可以匹配 `/api/user/book/foo`
`/api/*/book` | can match `/api/user/book` or `/api/book` etc
`/**` | can match any path
`/**/foo` | can match `/api/user/book/foo` etc
匹配优先级: 原始字符串 > `*` > `**`
最长路径匹配原则:
eg: `requestUri``/app/book/foo`,若存在两个路径匹配模式`/app/**``/app/book/*`,则会匹配到`/app/book/*`
\ No newline at end of file
Match priority: Raw string > `*` > `**`
Longest path matching principle:
eg: when `requestUri` is `/app/book/foo`,If there are two matching patterns - `/app/**` and `/app/book/*`,will match`/app/book/*`
\ No newline at end of file
## 快速开始
## Quick Start
##### <font color="red">使用前一些约定</font>
##### <font color="red">Some Conventions</font>
- `sureness`尽量简洁,基于`rbac`,但只有(角色-资源)的映射,没有(权限)动作映射
- 我们将`restful api`请求视作一个资源,资源格式为: `requestUri===httpMethod`
即请求的路径加上其请求方式(`post,get,put,delete...`)作为一个整体被视作一个资源
`eg: /api/v2/book===get` `get`方式请求`/api/v2/book`接口数据
- 角色资源映射: 用户所属角色--角色拥有资源--用户拥有资源(用户就能访问此`api`)
- Based RBAC, only has role-resource, no permission action
- We treat restful requests as a resource, resource format like `requestUri===httpMethod`.
That is the request uri + request method(`post,get,put,delete...`) is considered as a resource as a whole.
`eg: /api/v2/book===get`
- User belongs some Role -- Role owns Resource -- User can access the resource
资源路径匹配详见 [url路径匹配](path-match.md)
Resource path matching see: [Uri Match](path-match.md)
##### 项目中加入sureness
##### Add sureness In Project
1. 项目使用`maven`构建,加入`maven`坐标
1. When use maven build project, add maven coordinate
```
<dependency>
<groupId>com.usthe.sureness</groupId>
<artifactId>sureness-core</artifactId>
<version>0.0.2.7</version>
<version>0.0.2.8</version>
</dependency>
```
2. 项目使用`gradle`构建,`gradle`坐标
2. When use gradle build project, add gradle coordinate
```
compile group: 'com.usthe.sureness', name: 'sureness-core', version: '0.0.2.7'
compile group: 'com.usthe.sureness', name: 'sureness-core', version: '0.0.2.8'
```
3. 项目为普通工程,加入`sureness-core.jar`依赖
3. When not java build project, add sureness-core.jar to classPath
```
在 mvnrepository 下载jar
download this jar at mvnrepository
https://mvnrepository.com/artifact/com.usthe.sureness/sureness-core
```
##### 添加拦截所有请求的过滤器入口
##### Add an Interceptor Intercepting All Requests
入口拦截器器实现一般可以是 `filter or spring interceptor`
在拦截器加入sureness的安全过滤器,如下:
入口,一般放在拦截所有请求的`filter`:
The interceptor can be a filter or a spring interceptor.
The interceptor intercepts all request to check them.
```
SurenessSecurityManager.getInstance().checkIn(servletRequest)
```
##### 实现相关异常处理
`sureness`使用异常处理流程,我们需要对`checkIn`抛出的异常做自定义处理,
安全过滤器,认证鉴权成功直接通过,失败抛出特定异常,捕获异常,如下:
##### Implement Exception Flow When Exception Throw
Authentication passed directly, failure throw exception, catch exception and do something:
```
try {
SubjectSum subject = SurenessSecurityManager.getInstance().checkIn(servletRequest);
} catch (ProcessorNotFoundException | UnknownAccountException | UnsupportedSubjectException e4) {
// 账户创建相关异常
// Create subject error related execption
} catch (DisabledAccountException | ExcessiveAttemptsException e2 ) {
// 账户禁用相关异常
// Account disable related exception
} catch (IncorrectCredentialsException | ExpiredCredentialsException e3) {
// 认证失败相关异常
// Authentication failure related exception
} catch (UnauthorizedException e5) {
// 鉴权失败相关异常
// Authorization failure related exception
} catch (RuntimeException e) {
// 其他自定义异常
// other sureness exception
}
```
异常详见 [默认异常](default-exception.md)
##### 加载配置数据
Detail sureness exception see: [Default Sureness Exception](default-exception.md)
### Load Config DataSource
`sureness`认证鉴权当然也需要我们自己的配置数据:账户数据,角色权限数据等
这些配置数据可能来自文本,关系数据库,非关系数据库
我们提供了配置数据接口`SurenessAccountProvider`, `PathTreeProvider`, 用户可以实现此接口实现自定义配置数据源
当前我们也提供默认文本形式的配置数据实现 `DocumentResourceDefaultProvider`, 用户可以配置`sureness.yml`来配置数据
Sureness need dataSource to authenticate and authorize, eg: role data, user data etc.
The dataSource can load from txt, dataBase or no dataBase etc.
We provide interfaces `SurenessAccountProvider`, `PathTreeProvider` for user implement to load data from the dataSource where they want.
Also, we provide default dataSource implement which load dataSource from txt(sureness.yml), user can defined their data in sureness.yml.
默认文本数据源配置详见 [默认数据源](default-datasource.md)
Default Document DataSource Config - sureness.yml, see: [Default DataSource](default-datasource.md)
我们提供了默认文本数据源使用`DEMO`,默认文本数据源具体实现,请参考 [使用sureness10分钟项目集成案例](sample-bootstrap.md)
若权限配置数据来自数据库,请参考 [使用sureness30分钟项目集成案例](sample-tom.md)
If the configuration resource data comes from text, please refer to [10 Minute Tutorial's Program--sample-bootstrap](sample-bootstrap.md)
If the configuration resource data comes from dataBase, please refer to [30 Minute Tutorial's Program--sample-tom](sample-tom.md)
**HAVE FUN**
\ No newline at end of file
**Have Fun**
\ No newline at end of file
## Sample-bootstrap
[sureness 10分钟例子项目仓库地址](https://github.com/tomsun28/sureness/tree/master/sample-bootstrap)
[sureness 10 Minute Tutorial](https://github.com/tomsun28/sureness/tree/master/sample-bootstrap)
- 基于`springboot`
- 从默认的配置文件`sureness.yml`加载账户信息,资源角色,过滤资源等信息
- 使用默认的`sureness-config`
- 使用默认的`jwt,basic auth`方式认证鉴权
- 例子中包含`restful api,websocket`
- 保护入口: `SurenessFilterExample`
- 推荐使用`postman`测试,测试样例为`sample-bootstrap-postman.json`,导入`postman`即可
- Based on `springboot`
- Load data from default dataSource - `sureness.yml`
- Use default sureness config
- Use default `jwt,basic auth` to authenticate and authorize
- Contain `restful api,websocket`
- Project's protected entrance is `SurenessFilterExample`
- Suggest use postman to test, test case is in `sample-bootstrap-postman.json`, user can load it in postman
## Sample-javalin-sureness
[javalin-sureness例子项目仓库地址](https://github.com/tomsun28/sureness/tree/master/samples/javalin-sureness)
[javalin-sureness sample repository](https://github.com/tomsun28/sureness/tree/master/samples/javalin-sureness)
- 基于`javalin, servlet`
- 从默认的配置文件`sureness.yml`加载账户信息,资源角色,过滤资源等信息
- 使用默认的`sureness-config`
- 使用默认的`jwt,basic auth`方式认证鉴权
- 例子中包含`restful api`
- 保护入口: `Application`
- 推荐使用`postman`测试
- Based on `javalin, servlet`
- Load data from default dataSource - `sureness.yml`
- Use default sureness config
- Use default `jwt,basic auth` to authenticate and authorize
- Contain `restful api`
- Project's protected entrance is `Application`
- Suggest use postman to test
## Sample-ktor-sureness
[ktor-sureness例子项目仓库地址](https://github.com/tomsun28/sureness/tree/master/samples/ktor-sureness)
[ktor-sureness sample repository](https://github.com/tomsun28/sureness/tree/master/samples/ktor-sureness)
- Based on `ktor, servlet`
- Load data from default dataSource - `sureness.yml`
- Use default sureness config
- Use default `jwt,basic auth` to authenticate and authorize
- Contain `restful api`
- Project's protected entrance is `Application.kt`
- Suggest use postman to test
- 基于`ktor, servlet`
- 从默认的配置文件`sureness.yml`加载账户信息,资源角色,过滤资源等信息
- 使用默认的`sureness-config`
- 使用默认的`jwt,basic auth`方式认证鉴权
- 例子中包含`restful api`
- 保护入口: `Application.kt`
- 推荐使用`postman`测试
## Sample-quarkus-sureness
[quarkus-sureness例子项目仓库地址](https://github.com/tomsun28/sureness/tree/master/samples/quarkus-sureness)
[quarkus-sureness sample repository](https://github.com/tomsun28/sureness/tree/master/samples/quarkus-sureness)
- Based on `quarkus, jax-rs`
- Load data from default dataSource - `sureness.yml`
- Use default sureness config
- Use default `jwt,basic auth` to authenticate and authorize
- Contain `restful api`
- Project's protected entrance is `SurenessFilterExample`
- Suggest use postman to test
- 基于`quarkus, jax-rs`
- 从默认的配置文件`sureness.yml`加载账户信息,资源角色,过滤资源等信息
- 使用默认的`sureness-config`
- 使用默认的`jwt,basic auth`方式认证鉴权
- 例子中包含`restful api`
- 保护入口: `SurenessFilterExample`
- 推荐使用`postman`测试
## Sample-spring-webflux-sureness
[spring-webflux-sureness例子项目仓库地址](https://github.com/tomsun28/sureness/tree/master/samples/spring-webflux-sureness)
[spring-webflux-sureness sample repository](https://github.com/tomsun28/sureness/tree/master/samples/spring-webflux-sureness)
- 基于`spring-webflux`
- 自定义 subject creator (BasicSubjectReactiveCreator, JwtSubjectReactiveCreator, NoneSubjectReactiveCreator) 适配 ServerHttpRequest 请求体
- 从默认的配置文件`sureness.yml`加载账户信息,资源角色,过滤资源等信息
- 使用默认的`jwt,basic auth`方式认证鉴权
- 例子中包含`restful api`
- 保护入口: `SurenessFilterExample`
- 推荐使用`postman`测试
\ No newline at end of file
- Based on `spring-webflux`
- Custom subject creator (BasicSubjectReactiveCreator, JwtSubjectReactiveCreator, NoneSubjectReactiveCreator) adapt to ServerHttpRequest request body
- Load data from default dataSource - `sureness.yml`
- Use default `jwt,basic auth` to authenticate and authorize
- Contain `restful api`
- Project's protected entrance is `SurenessFilterExample`
- Suggest use postman to test
## Sample-tom
[sureness 30分钟例子项目仓库地址](https://github.com/tomsun28/sureness/tree/master/sample-tom)
[sureness 30 Minute Tutorial](https://github.com/tomsun28/sureness/tree/master/sample-tom)
- 基于`springboot,jpa...`
- 自定义数据源,使用从数据库加载账户信息,资源角色,过滤资源等信息,这样便于动态调整
- 除了使用了默认的`jwt,basic auth`方式认证鉴权,新增自定义认证鉴权(自定义`subject subjectCreator processor...`)
- 推荐使用`postman`测试,测试样例为`sample-tom-postman.json`,导入`postman`即可
\ No newline at end of file
- Based on `springboot`
- Load data from mysql dataBase dataSource, then user can modify their data dynamically
- Apart from having default `jwt,basic auth`, it adds custom `subject subjectCreator processor` to define new auth type.
- Project's protected entrance is `SurenessFilterExample`
- Suggest use postman to test, test case is in `sample-tom-postman.json`, user can load it in postman
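Review bot: the added English bullets are not a faithful translation of the removed Chinese ones: `Based on springboot` drops the `jpa` that the old line listed, `Load data from mysql dataBase dataSource` names mysql where the old line only said the data is loaded from a database, and the `Project's protected entrance is SurenessFilterExample` bullet has no counterpart in the removed text; either keep the translation faithful or confirm each of these details against the sample-tom project before stating them.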