Research And Design On Java Web 3A Security Framework

Posted on: 2018-05-27
Degree: Master
Type: Thesis
Country: China
Candidate: Z L Liu
GTID: 2348330518998649
Subject: Computer application technology
Abstract/Summary:
With the development of the Internet, Java, and the REST software architecture, Java Web applications take two main forms: traditional page-based Web applications and RESTful APIs. Web applications are widely used in various fields of the Internet. Because of its simple style, scalability, and loose coupling, the REST style is favored by Internet companies and is widely used in distributed and micro-service architectures and in mobile applications. The current mainstream Java security frameworks provide good support for authentication and for the role-based access control model in traditional page-based Web applications, but lack support for RESTful API authentication, authorization, and audit. As a result, the authentication needs of RESTful APIs cannot be met, the control granularity of the role-based access control model is too coarse, and resources cannot be controlled dynamically. To address these problems in existing Java security frameworks, this paper researches and designs a security framework based on Java Web and Spring Security. Since Spring Security already supports traditional Web applications well, the framework focuses on providing authentication support for RESTful APIs, fine-grained and dynamic access control, and audit solutions.

First, this paper introduces the existing Java security frameworks, the state of RESTful API security development, and the existing problems. Second, it introduces the key technologies related to the framework design, briefly describes Spring Security's support for Web applications, and describes the authentication and authorization technologies for RESTful APIs. Then the overall design ideas and the modifications to the Spring Security framework are introduced. Finally, we present the specific implementation of each module in the framework and show how the framework is used in an application case.

The authentication module uses JSON Web Token and is implemented by combining Spring Security's filter mechanism with the built-in authentication mode. The access control module supports the Rest ACL access control language, and AOP is used to strengthen fine-grained authorization, because the filter mechanism can only achieve coarse authorization. We also use the Spring AOP mechanism to implement the audit module. Overall, our framework is built on Spring Security, extends the authentication and authorization modules in Spring Security to support the REST model, and integrates deeply with JSON Web Token and Rest ACL. For access control, we design policy definitions, policy evaluation, and policy configuration in order to provide a unified and convenient access control solution for RESTful applications.
Keywords/Search Tags:Java Web, Security Framework, Spring Security, RESTful API, Authentication, Authorization, Audit