A dynamic web application has to know who the requester is in order to return the right page for that user.
Since HTTP is stateless, the server needs some other mechanism to remember the user between requests.
The first option is a server-side session.
When someone logs in for the first time, the server creates a new session, stores it in a session store (a database or an in-memory store) and hands the logged-in user a session ID.
The browser stores the session ID in a cookie.
On every later request the browser sends that cookie (the Cookie header carries the session ID), and the server looks the ID up in its store to decide who the requester is.
But sessions have problems.
Behind a load balancer, the server that receives a request may not be the one that created the session, so the session ID is not in its local store. The usual fix is a shared store such as Redis that every server reads and writes.
But that makes Redis a single point of failure: if it goes down, no server can validate anyone and every user is effectively logged out.
Another option is a sticky session: the load balancer remembers which server holds a given user's session and routes all of that user's requests to that server only.
This does not scale well: load cannot be spread freely, and a server failure takes its sessions with it.
Now JWT (JSON Web Token).
Instead of keeping the user's information on the server under a session ID, the server gives the user the information itself, encoded as JSON, together with a signature.
The user sends this JWT with every request, and the server can validate it without looking anything up in a store.
JWT structure: header.payload.signature, each part base64url-encoded.
Anyone can decode the header and payload: base64url is an encoding, not encryption.
To validate a JWT the server recomputes the signature over the header and payload with its key and checks that it matches the signature carried in the token. In this case the algorithm is HS256, an HMAC using SHA-256 with a secret key known only to the server (a plain SHA-256 hash with no key would let anyone forge the signature).
Flow of how JWT works.
Notice that the JWT is issued only after authentication is complete: the user first proves who they are (for example with a username and password), and only then does the server sign and return the token. From then on the token alone is the proof of identity.
JWT cautions
1. Since anyone can read the header and payload, no sensitive personal information should be put in them.
2. The server only validates that the JWT has not been modified; it does not check who sent it. Whoever holds the token is treated as that user, so a stolen token (leaked from browser storage, a log, or an intercepted request) works until it expires. Keep tokens short-lived and send them only over HTTPS. Delegating login to an identity provider with OAuth 2.0 does not change this, because the access token it issues is a bearer token too.
3. How do you disable a JWT before it expires? The server cannot delete what it never stored, so keep a blacklist of revoked token IDs (the jti claim) on the server and reject any token whose jti is on it; an entry can be dropped once that token's exp has passed.
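The structure, signature check and cautions above, as an added example that is not part of the original post or of the Java Brains material it follows. It builds and verifies an HS256 token with only the Python standard library; the secret key, the claim values and the in-memory revocation set are constructed for the demo (a real deployment would keep the revoked jti list in a shared store such as Redis).

```python
# Added example (not from the original post): a minimal HS256 JWT built with the
# standard library only, showing the header.payload.signature layout, that anyone
# can read header and payload, how the HMAC-SHA256 check rejects tampering, and
# how revocation by jti ("blacklist") and expiry (exp) are enforced.
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, Optional, Set, Tuple

# Assumption: a server-side secret shared by every app instance (constructed value).
SECRET_KEY = b"constructed-demo-secret-do-not-use-in-production"

# Revoked token IDs. Assumption: an in-memory set stands in for a shared store.
REVOKED_JTI: Set[str] = set()


def b64url_encode(data: bytes) -> str:
    """base64url without '=' padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode: restore padding, then decode."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json_b64(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def sign_jwt(payload: dict, key: bytes = SECRET_KEY) -> str:
    """Produce header.payload.signature using HS256 (HMAC with SHA-256)."""
    signing_input = _json_b64({"alg": "HS256", "typ": "JWT"}) + "." + _json_b64(payload)
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def decode_without_verifying(token: str) -> Tuple[Dict, Dict]:
    """Anyone can do this: header and payload are only base64url-encoded JSON."""
    header_b64, payload_b64, _sig = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))


def verify_jwt(token: str, key: bytes = SECRET_KEY, now: Optional[float] = None) -> dict:
    """Return the payload if the token is authentic, unexpired and not revoked; raise otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm server-side; never let the token's own 'alg' choose it.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, (header_b64 + "." + payload_b64).encode("ascii"), hashlib.sha256).digest()
    # Constant-time comparison so timing differences cannot help forge a signature.
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    payload = json.loads(b64url_decode(payload_b64))
    current = time.time() if now is None else now
    if "exp" not in payload or current >= payload["exp"]:
        raise ValueError("expired")
    if payload.get("jti") in REVOKED_JTI:
        raise ValueError("revoked")
    return payload


def revoke(token: str) -> None:
    """'Logout' for a stateless token: remember its jti until exp passes."""
    _, payload = decode_without_verifying(token)
    REVOKED_JTI.add(payload["jti"])


def tamper(token: str, new_payload: dict) -> str:
    """What an attacker can do: swap the payload while keeping the original signature."""
    header_b64, _old_payload, sig_b64 = token.split(".")
    return header_b64 + "." + _json_b64(new_payload) + "." + sig_b64


if __name__ == "__main__":
    issued = 1_700_000_000  # constructed issue time
    tok = sign_jwt({"sub": "alice", "role": "user", "jti": "t1", "exp": issued + 900})
    print("readable by anyone:", decode_without_verifying(tok))
    print("verified:", verify_jwt(tok, now=issued + 10))
    forged = tamper(tok, {"sub": "alice", "role": "admin", "jti": "t1", "exp": issued + 900})
    try:
        verify_jwt(forged, now=issued + 10)
    except ValueError as err:
        print("forged token rejected:", err)
```

The verifier checks the signature before it reads any claim, pins the algorithm instead of trusting the token's alg field, and treats a missing exp as invalid; the blacklist is consulted last, which is the only step that needs server-side state.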