java - What is the best way to perform permission verification in a distributed system?

Question

As the title states, in the project, there is a separate system as the permission system. The current approach is that every time a request is made to the business system, it will be intercepted by the business system and the requested URL will be passed to the permission system for verification. Verify whether the user making the request has the permission.

Or you can also obtain all the permissions of the user from the permission system and verify them in the business system

No matter which method is used, I feel that it can be tampered with in the middle, and it does not feel very unsafe

I would like to ask if it is better to perform permission verification in a distributed system. Thank you, senior

Answer 1

The original poster’s problem has nothing to do with permissions, it’s purely about the security of interface calls. The general methods are:

1. The content is transmitted in clear text, but a check code is added. The check code is generated by a key agreed by both parties. The tamperer cannot generate the correct check code.

2. Encrypt and decrypt the entire transmission using the agreed key.

Answer 2

After logging in, request the permission system and put the returned permission menu and other information into the cache (use Map or Nosql to implement it yourself. It is recommended to use Nosql cluster. Please note that if the menu is updated, clear the user's redis data first, and then synchronize the latest information to redis, redis takes it from the database if there is no information), and then returns the Java Web Token (including timestamp, identification, etc.).

Https and Spring-Security (access interface permissions, CSRF prevention) are used for project security. Each interface must be signed, and the token must be timestamped.

Answer 3

This is a bit like the problem solved by OAuth2.0