Spring Security+Web3.0 signature verification
N17 uses Spring Security to handle platform security. Built on the Spring framework, Spring Security provides a complete security solution for web applications. Web application security generally consists of two parts: user authentication (Authentication) and user authorization (Authorization).
When a DApp reads centralized data or invokes a centralized function, it asks the MetaMask wallet to sign a message and passes the signature to the back end. The back end verifies that the signature was produced by the wallet address the current user claims, which authenticates the user. A signature by itself only proves control of the address, so the signed message should contain a server-issued, single-use nonce; otherwise a signature captured once can be replayed.
(a) User authentication: verifying that a user is a legitimate subject of the system, that is, whether the user may access the system at all. Authentication usually requires the user to supply a user name and password, which the system checks to complete the authentication process. Here the DApp front end additionally submits Web3.0 signed data, and the back end verifies both the Web3.0 signature and the user's credentials, so the user is checked twice.
(b) User authorization: verifying that a user has permission to perform an operation. Different users in a system hold different permissions; for a given file, for example, some users may only read it while others may modify it. Typically the system assigns roles to users, and each role corresponds to a set of permissions.
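The signature check described in the authentication step, as an added example that is not part of the N17 code base. It uses the web3j library (org.web3j.crypto) to recover the signer of a MetaMask personal_sign signature and compares the recovered address with the address the client claims. The nonce store, the class and method names, and the message layout are assumptions for illustration; in production the pending nonces would live in Redis rather than an in-memory map.

```java
import org.web3j.crypto.Keys;
import org.web3j.crypto.Sign;
import org.web3j.utils.Numeric;

import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.SignatureException;
import java.util.Arrays;
import java.util.Map;
import java.util.UUID;
import java.util.concurrent.ConcurrentHashMap;

/** Verifies that a personal_sign signature was made by the wallet address the client claims. */
public class Web3SignatureVerifier {

    // Assumption: one nonce per address, issued by the server and removed once used.
    private final Map<String, String> pendingNonces = new ConcurrentHashMap<>();

    /** Step 1: the front end fetches a nonce and puts it in the message MetaMask will sign. */
    public String issueNonce(String address) {
        String nonce = UUID.randomUUID().toString();
        pendingNonces.put(address.toLowerCase(), nonce);
        return nonce;
    }

    /** Step 2: the front end posts address, the exact signed message and the 65-byte hex signature. */
    public boolean verify(String claimedAddress, String message, String signatureHex) {
        // The message must carry the nonce we issued for this address; consume it so it cannot be replayed.
        String expected = pendingNonces.remove(claimedAddress.toLowerCase());
        if (expected == null || !message.contains(expected)) {
            return false;
        }

        // personal_sign returns r (32 bytes) || s (32 bytes) || v (1 byte).
        byte[] sig = Numeric.hexStringToByteArray(signatureHex);
        if (sig.length != 65) {
            return false;
        }
        byte[] r = Arrays.copyOfRange(sig, 0, 32);
        byte[] s = Arrays.copyOfRange(sig, 32, 64);
        byte v = sig[64];
        if (v < 27) {
            v += 27; // MetaMask sends 27/28; some wallets send 0/1, which web3j rejects
        }
        Sign.SignatureData data = new Sign.SignatureData(v, r, s);

        try {
            // signedMessageToKey applies the "\u0019Ethereum Signed Message:\n<len>" prefix
            // that personal_sign used, then recovers the public key from the signature.
            BigInteger publicKey = Sign.signedMessageToKey(message.getBytes(StandardCharsets.UTF_8), data);
            String recovered = "0x" + Keys.getAddress(publicKey);
            return recovered.equalsIgnoreCase(claimedAddress);
        } catch (SignatureException e) {
            return false; // malformed signature or unrecoverable point
        }
    }
}
```

The comparison is case-insensitive because MetaMask may return a checksummed (mixed-case) address while Keys.getAddress returns lower-case hex. Only after verify returns true should the back end proceed to the user name and password check and issue a token.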
When a system has many modules, each module must be authenticated and authorized, so the N17 platform uses token-based authentication and authorization. The flow is:
(1) The user authenticates with user name and password.
(2) The back end looks up the permission values for the user's role and stores the permission list in the Redis cache, using the user name as the key and the list as the value.
(3) A token is generated from the user name and returned; the browser records the token in a cookie and, by default, sends it in a request header on every API call.
(4) Spring Security parses the header to obtain the token, parses the token to obtain the current user name, and loads the permission list from Redis under that user name.
(5) Spring Security then decides whether the current request is allowed to access the resource.
Because the user name inside the token is the only thing linking a request to the cached permissions, the token must be unforgeable (signed by the server) and must expire. The diagram is as follows:
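The token flow above, as an added example that is not N17's own code. It issues an HMAC-signed JWT with jjwt, caches the permission list in Redis through Spring Data's StringRedisTemplate, and installs a Spring Security filter that turns the header token back into an authenticated user. The Redis key layout (perm:<username>), the Authorization: Bearer header, the one-hour lifetime and the javax servlet API are assumptions; the page does not specify them.

```java
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.security.Keys;
import org.springframework.data.redis.core.StringRedisTemplate;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.filter.OncePerRequestFilter;

import javax.crypto.SecretKey;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.Date;
import java.util.List;
import java.util.Set;
import java.util.stream.Collectors;

/** Issues tokens after login and resolves them back to a Spring Security Authentication. */
class TokenService {
    private static final String PERMISSION_KEY_PREFIX = "perm:";     // assumed Redis key layout
    private static final long LIFETIME_MS = 60L * 60L * 1000L;        // assumed one-hour expiry
    private final SecretKey signingKey;
    private final StringRedisTemplate redis;

    TokenService(byte[] secret, StringRedisTemplate redis) {
        this.signingKey = Keys.hmacShaKeyFor(secret); // secret must be at least 32 bytes for HS256
        this.redis = redis;
    }

    /** Step (2) and (3): cache the role's permissions under the user name, then mint the token. */
    String issue(String username, List<String> permissions) {
        String key = PERMISSION_KEY_PREFIX + username;
        redis.delete(key);
        redis.opsForSet().add(key, permissions.toArray(new String[0]));
        return Jwts.builder()
                .setSubject(username)
                .setIssuedAt(new Date())
                .setExpiration(new Date(System.currentTimeMillis() + LIFETIME_MS))
                .signWith(signingKey)
                .compact();
    }

    /** Step (4): verify the signature and expiry, then load the permission list from Redis. */
    Authentication authenticate(String token) {
        Claims claims = Jwts.parserBuilder().setSigningKey(signingKey).build()
                .parseClaimsJws(token).getBody();       // throws JwtException on tamper or expiry
        String username = claims.getSubject();
        Set<String> perms = redis.opsForSet().members(PERMISSION_KEY_PREFIX + username);
        if (perms == null || perms.isEmpty()) {
            return null; // cache entry gone (logout or eviction): treat as unauthenticated
        }
        List<SimpleGrantedAuthority> authorities =
                perms.stream().map(SimpleGrantedAuthority::new).collect(Collectors.toList());
        return new UsernamePasswordAuthenticationToken(username, null, authorities);
    }
}

/** Runs once per request; populates the security context so hasAuthority(...) checks work downstream. */
public class TokenAuthenticationFilter extends OncePerRequestFilter {
    private final TokenService tokens;

    public TokenAuthenticationFilter(TokenService tokens) {
        this.tokens = tokens;
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                    FilterChain chain) throws ServletException, IOException {
        String header = request.getHeader("Authorization");  // assumed header; never read from the cookie
        if (header != null && header.startsWith("Bearer ")) {
            try {
                Authentication auth = tokens.authenticate(header.substring("Bearer ".length()));
                if (auth != null) {
                    SecurityContextHolder.getContext().setAuthentication(auth);
                }
            } catch (JwtException e) {
                SecurityContextHolder.clearContext(); // invalid or expired token: continue anonymously
            }
        }
        chain.doFilter(request, response); // step (5): Spring Security's access rules decide
    }
}
```

Register the filter before UsernamePasswordAuthenticationFilter in the HttpSecurity configuration and apply access rules such as hasAuthority("file:write") to the endpoints. The filter deliberately reads the token only from the header: a browser attaches cookies to cross-site requests automatically, so trusting the cookie would authenticate requests the user never made, while a header set by the front end's own script is not sent cross-site.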
