Framework
ApiHug SDK spring security extension
The security framework provides authentication, authorization, and protection against common attacks.
⚠️ ApiHug Security is not compatible with Spring Security at runtime.
ApiHug offers a minimalist and efficient security solution, different from traditional frameworks like Apache Shiro or Spring Security.
It is still based on resource (API) permission management, combined with roles, creating a very simple RBAC (Role-Based Access Control) structure that is ready to use out of the box.
For how to define the protocol at the Proto layer, see Minimal Authentication & Authorization.
Currently, the SecurityAspect aspect supports only BEFORE checks: it validates the request before execution enters the resource (API) business logic.
Configuration path: hope.security; configuration object: HopeSecurityProperties.
Configuration | Remarks |
---|---|
enabled | Whether to enable ApiHug Security. |
jwt | JWT configuration. |
jwt.base64Secret | Base64 secret. |
jwt.secret | Secret. |
jwt.tokenValidityInSecondsForRememberMe | Validity period for Remember Me, default is 30 days. |
jwt.tokenValidityInSeconds | Default validity time, 7 days. |
⚠️ ApiHug Security is not compatible with Spring Security at runtime.
The simplest way to disable Spring Security is to remove its dependency from the project.
By doing this, we’ll remove all security-related configurations and defaults provided by Spring Security:
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
    <version>...</version>
</dependency>
Removing this dependency eliminates all Spring Security features from the application.
If you want to leverage some Spring Security components, we recommend disabling the Spring Security auto-configuration manually:
Excluding Spring Security Auto-Configuration
Spring Boot automatically configures security when we include spring-boot-starter-security in our classpath. To disable it, exclude the auto-configuration by adding the following property to application.properties:
spring.autoconfigure.exclude=org.springframework.boot.autoconfigure.security.servlet.SecurityAutoConfiguration
If we want to disable Spring Security completely, we should use spring.autoconfigure.exclude without creating a SecurityConfiguration class.
A manually defined Spring Security configuration class overrides the application.properties setting, so the exclusion in application.properties has no effect when both are used together.
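Because a leftover configuration class can silently undo the exclusion, a startup guard can confirm that Spring Security is really inactive. The component below is an added example, not ApiHug or Spring code: the class name is hypothetical, it assumes a servlet application, and it assumes hope.security.enabled should be treated as false when unset.

```java
import org.springframework.beans.factory.SmartInitializingSingleton;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.ApplicationContext;
import org.springframework.stereotype.Component;

/**
 * Added example (hypothetical class, not part of ApiHug): abort startup when
 * Spring Security's servlet filter chain is still registered while ApiHug
 * Security is enabled.
 */
@Component
public class SpringSecurityConflictCheck implements SmartInitializingSingleton {

    // Bean name under which Spring Security registers its servlet filter chain.
    private static final String FILTER_CHAIN_BEAN = "springSecurityFilterChain";

    private final ApplicationContext context;
    private final boolean hopeSecurityEnabled;

    public SpringSecurityConflictCheck(
            ApplicationContext context,
            // "enabled" under the hope.security path from the table above;
            // the ":false" fallback is an assumption of this example.
            @Value("${hope.security.enabled:false}") boolean hopeSecurityEnabled) {
        this.context = context;
        this.hopeSecurityEnabled = hopeSecurityEnabled;
    }

    // Runs once all singleton beans exist, so the check sees the final context.
    @Override
    public void afterSingletonsInstantiated() {
        if (!hopeSecurityEnabled) {
            return; // ApiHug Security is off, nothing to guard
        }
        if (context.containsBean(FILTER_CHAIN_BEAN)) {
            // Throwing here fails the context refresh, so the application
            // never starts serving requests in the conflicting state.
            throw new IllegalStateException(
                "hope.security.enabled=true but bean '" + FILTER_CHAIN_BEAN
                + "' is present: Spring Security is still active. Remove "
                + "spring-boot-starter-security, or exclude "
                + "SecurityAutoConfiguration and delete any manual "
                + "security configuration class.");
        }
    }
}
```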
To be done 🏗️