ApiHug SDK spring security extension
The security framework provides authentication, authorization, and protection against common attacks.
ApiHug offers a minimalist and efficient security solution, different from traditional frameworks like Apache Shiro or Spring Security.
It is still based on resource (API) permission management, combined with roles, creating a very simple RBAC (Role-Based Access Control) structure that is ready to use out of the box.
How to define the protocol at the Proto layer: Minimal Authentication & Authorization
Currently, the Aspect SecurityAspect only supports BEFORE checks, meaning it validates before entering the resource (API) business logic.
Configuration path: hope.security; Configuration object: HopeSecurityProperties.
| Configuration | Remarks |
|---|---|
| enabled | Whether to enable ApiHug Security. |
| jwt | JWT configuration. |
| jwt.base64Secret | Base64 secret. |
| jwt.secret | Secret. |
| jwt.tokenValidityInSecondsForRememberMe | Validity period for Remember Me, default is 30 days. |
| jwt.tokenValidityInSeconds | Default validity time, 7 days. |
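
An added example, not ApiHug's own code: a small Java check for the value that goes into hope.security.jwt.base64Secret (the full key is composed from the configuration path and table row above). It assumes the token is signed with an HMAC algorithm and uses a 64-byte minimum, neither of which this page states; the class and method names are hypothetical.

```java
import java.security.SecureRandom;
import java.util.Base64;

/** Added example: generate and sanity-check a value for hope.security.jwt.base64Secret. */
public class JwtSecretCheck {
    // Assumption: HMAC signing; 64 random bytes is enough for HS512 and anything weaker.
    static final int MIN_KEY_BYTES = 64;

    /** Returns a fresh random secret, Base64-encoded for the configuration file. */
    static String generate() {
        byte[] key = new byte[MIN_KEY_BYTES];
        new SecureRandom().nextBytes(key);
        return Base64.getEncoder().encodeToString(key);
    }

    /** Returns null when the value is acceptable, otherwise the reason it is rejected. */
    static String problem(String base64Secret) {
        if (base64Secret == null || base64Secret.isBlank()) return "empty";
        byte[] key;
        try {
            key = Base64.getDecoder().decode(base64Secret.trim());
        } catch (IllegalArgumentException e) {
            return "not valid Base64";
        }
        if (key.length < MIN_KEY_BYTES) {
            return "decodes to " + key.length + " bytes, need " + MIN_KEY_BYTES;
        }
        // A key made of one repeated byte is a placeholder, not a secret.
        boolean allSame = true;
        for (byte b : key) {
            if (b != key[0]) { allSame = false; break; }
        }
        return allSame ? "single repeated byte" : null;
    }

    public static void main(String[] args) {
        // Constructed sample values, not taken from any real deployment.
        String[] samples = {
            "Y2hhbmdlbWU=",   // Base64 of "changeme": far too short
            "not base64!!",   // fails decoding
            generate()        // acceptable
        };
        for (String s : samples) {
            String p = problem(s);
            System.out.println(p == null ? "OK" : "REJECT: " + p);
        }
        // Keep the generated value out of version control.
        System.out.println("hope.security.jwt.base64Secret=" + generate());
    }
}
```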
The simplest way to disable Spring Security is to remove its dependency from the project.
By doing this, we’ll remove all security-related configurations and defaults provided by Spring Security:
```xml
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
    <version>...</version>
</dependency>
```
Removing this dependency eliminates all Spring Security features from the application.
If you still want to use some Spring Security components, we recommend disabling the Spring Security auto-configuration manually:
Excluding Spring Security Auto-Configuration
Spring Boot automatically configures security when we include spring-boot-starter-security in our classpath. To disable it, exclude the auto-configuration by adding the following property to application.properties:
```properties
spring.autoconfigure.exclude=org.springframework.boot.autoconfigure.security.servlet.SecurityAutoConfiguration
```
If we want to disable Spring Security completely, we should use spring.autoconfigure.exclude without creating a SecurityConfiguration class.
A manually defined Spring Security configuration class overrides the application.properties configuration, so the exclusion in application.properties has no effect when both are used together.