A simple and efficient open-source jvm security framework that focus on the protection of restful api.
Please use the space su.usthe.com when usthe.com/sureness cannot accessed.
Sureness is a new, permission project which we learn from apache shiro and add some ideas to create it
Authentication for restful api, based on RBAC, Mainly focused on the protection of restful api
No specific framework dependency(support springboot, quarkus, javalin, ktor and more)
Support dynamic modification of permissions Support mainstream http container(servlet and jax-rs)
Supports JWT, Basic Auth, Digest Auth... Can extend custom supported authentication methods
[High performance due dictionary matching tree](#Why Is High Performance)
Good extension interface, demo and document.
The low configuration of sureness, easy to expand, and not coupled with other frameworks, enables developers to quickly and safely protect their projects in multiple scenarios.
- spring sample-bootstrap
- springboot sample-tom
- quarkus sample-quarkus
- javalin sample-javalin
- ktor sample-ktor
- spring webflux sample-spring-webflux
- more samples todo
- Based RBAC, only has role-resource, no permission action
- We treat restful requests as a resource, resource format like
requestUri===httpMethod.
That is the request uri + request method(post,get,put,delete...) is considered as a resource as a whole.
eg: /api/v2/book===get - User belongs some Role -- Role owns Resource -- User can access the resource
Resource path matching see: Uri Match
When use maven or gradle build project, add coordinate
<dependency>
<groupId>com.usthe.sureness</groupId>
<artifactId>sureness-core</artifactId>
<version>0.4</version>
</dependency>
compile group: 'com.usthe.sureness', name: 'sureness-core', version: '0.4'
The default configuration -DefaultSurenessConfig uses the document datasource sureness.yml as the auth datasource.
It supports jwt, basic auth, digest auth authentication.
@Bean
public DefaultSurenessConfig surenessConfig() {
return new DefaultSurenessConfig();
}
Sureness need dataSource to authenticate and authorize, eg: role data, user data etc.
The dataSource can load from txt, dataBase, no dataBase or annotation etc.
We provide interfaces SurenessAccountProvider, PathTreeProvider for user implement to load data from the dataSource where they want.
SurenessAccountProvider - Account datasource provider interface
PathTreeProvider - Resource uri-role datasource provider interface
We provide default dataSource implement which load dataSource from txt(sureness.yml), user can defined their data in sureness.yml.
We also provider dataSource implement which load dataSource form annotation - AnnotationLoader.
Default Document DataSource Config - sureness.yml, see: Default Document DataSource
Annotation DataSource Config Detail, see: Annotation DataSource
If the configuration resource data comes from text, please refer to 10 Minute Tutorial's Program--sample-bootstrap
If the configuration resource data comes from dataBase, please refer to 30 Minute Tutorial's Program--sample-tom
The essence of sureness is to intercept all rest requests for authenticating and Authorizing.
The interceptor can be a filter or a spring interceptor, it intercepts all request to check them.
SubjectSum subject = SurenessSecurityManager.getInstance().checkIn(servletRequest)
sureness uses exception handling process:
- If auth success, method -
checkInwill return aSubjectSumobject containing user information. - If auth failure, method -
checkInwill throw different types of auth exceptions, and users need to continue the subsequent process based on these exceptions.(like return the request response)
Here we need to customize the exceptions thrown by checkIn,
passed directly when auth success, catch exception when auth failure and do something:
try {
SubjectSum subject = SurenessSecurityManager.getInstance().checkIn(servletRequest);
} catch (ProcessorNotFoundException | UnknownAccountException | UnsupportedSubjectException e4) {
// Create subject error related execption
} catch (DisabledAccountException | ExcessiveAttemptsException e2 ) {
// Account disable related exception
} catch (IncorrectCredentialsException | ExpiredCredentialsException e3) {
// Authentication failure related exception
} catch (UnauthorizedException e5) {
// Authorization failure related exception
} catch (SurenessAuthenticationException | SurenessAuthorizationException e) {
// other sureness exception
}
Detail sureness auth exception see: Default Sureness Auth Exception
Have Fun
If know sureness Process flow, maybe know these extend points
Sureness supports custom subject, custom subjectCreator, custom processor and more.
Suggest look these interface before extending:
Subject: Authenticated authorized user's account interface, provide the account's username,password, request resources, roles, etc.SubjectCreate: create subject interface, provider create methodProcessor: process subject interface, where happen authentication and authorizationPathTreeProvider: resource data provider, it can load data from txt or database,etcSurenessAccountProvider: account data provider, it can load data from txt or database,etc
Sureness Process Flow:
- Custom Datasource
Implment PathTreeProvider, load in DefaultPathRoleMatcher
Implment SurenessAccountProvide, load in processor
- Custom Subject
Implment Subject, add custom subject content
Implment SubjectCreate to create custom subject
Implment Processor to support custom subject
- Custom Processor
A subject also can support by different processor, so we can custom processor to support custom subject
Implment Processor, set which subject can support and implment processing details
Detail please refer to 30 Minute Tutorial's Program--sample-tom
Very welcome to Contribute this project, go further and better with sureness. If you have any questions or suggestions about the project code, please contact @tomsun28 directly.
Components of Repository:
- sureness's kernel code--sureness-core
- 10 Minute Tutorial's Program--sample-bootstrap
- 30 Minute Tutorial's Program--sample-tom
- Sample projects using sureness in each framework(javalin,ktor,quarkus)--samples
