The article explains why many interviewers mock the Redis‑based token design, then systematically presents technical and security reasons—controllable logout, multi‑device SSO, high performance, dynamic permissions—and provides concrete implementation details, comparison with pure JWT, and best‑practice responses.
The article explains how MCP adds an AI‑friendly protocol layer on top of traditional Java backend services, enabling models to call tools safely, and outlines the security, governance, and testing practices Java engineers need to adopt.
This guide walks through three common PHP password‑hashing techniques—md5, password_hash (BCrypt), and crypt—showing complete registration and login code samples, highlighting security drawbacks of md5 and recommending stronger, salted hashing for safe user authentication.
This article explains why strict permission management is essential for data security, walks through the evolution of access‑control models—from simple user‑permission tables to classic RBAC, RBAC1, RBAC2, role inheritance, constraints, user groups, organizational mapping, and finally presents ideal database schemas for scalable, maintainable permission systems.
The article explains how using the literal string "null" as a username can confuse users, cause debugging nightmares, introduce security risks, and break data consistency, and it provides concrete Java validation code to reject such illegal inputs before they reach the backend.
Learn how to build a secure authentication system in Spring Boot 3 that restricts each user to a single active session, stores tokens in Redis, and implements automatic JWT token refresh, with detailed code examples and step‑by‑step explanations.
The article explains how treating the literal string "null" as a valid username leads to user confusion, debugging nightmares, security risks, and data inconsistencies, and provides practical validation techniques and code examples to safely reject such illegal inputs in backend systems.
This article explains how to protect systems from massive malicious traffic reaching millions of queries per second by combining gateway rate limiting, distributed circuit breaking, device fingerprinting, behavior analysis, dynamic rule engines, and real‑time risk scoring, illustrated with Nginx‑Lua, Sentinel, Drools, and Flink examples.
The article explains why data desensitization is essential for enterprises, classifies common masking techniques, and provides concrete implementation guides for database, log, and output level masking in Java applications using MyBatis plugins and Fastjson filters, complete with sample code and configuration.
This guide explains Spring Security 6.4’s one-time token login feature, covering its concept, authentication flow, core components, and step‑by‑step implementation with code samples, enabling developers to add secure magic‑link authentication to Spring Boot applications.
This guide explains the JWT standard, its three‑part structure, the authentication flow, and a double‑token solution using short‑lived access tokens and long‑lived refresh tokens, with full PHP code examples, middleware interception, configuration, and client‑side renewal logic.
This article explores how to create and use custom authorization annotations in Spring Security to achieve more flexible, expressive, and maintainable permission checks, covering the basics of Spring Security, advantages of custom annotations, step‑by‑step implementation, and additional use‑case scenarios.
This article examines common Java jar obfuscation tools, identifies their limitations for protecting both proprietary code and third‑party dependencies, and proposes a lightweight Maven‑based encryption combined with a runtime agent that decrypts classes on demand while keeping performance impact under five percent.
This article walks through the theory behind RSA, illustrates two battlefield‑style scenarios for encryption and signing, and then shows how to integrate RSA‑based request/response encryption into a Spring Boot application using Maven, annotations, configuration files, and a JavaScript front‑end, complete with code snippets and troubleshooting tips.
This article walks you through implementing RSA‑based encryption and digital signatures in a Spring Boot application, covering the theory of asymmetric cryptography, practical code snippets for Maven, configuration, controller annotations, and a JavaScript client that encrypts requests and verifies responses to protect API data from eavesdropping and tampering.
This article explains Spring Security's core functions, underlying filter‑based mechanism, various request‑access control methods, the distinction between hasRole and hasAuthority, how to encrypt passwords with BCryptPasswordEncoder, and the complete username‑password authentication process for securing backend applications.
This article explains how to augment the classic Role‑Based Access Control (RBAC) model with row‑level data permissions, detailing rule definition, database design, role‑rule binding, and an AOP‑based implementation for dynamic SQL filtering.
When security testers need to scan thousands of web back‑ends for weak or universal passwords, WebCrack provides a fast, generic solution that automatically identifies login parameters, evaluates login success, applies dynamic dictionaries, rechecks results, and supports custom rules for a wide range of CMS platforms.
This guide explains how to protect sensitive Spring Boot configuration data by integrating the open‑source jasypt‑spring‑boot plugin, covering dependency addition, secret key setup, encryption of plaintext values, and customizing encrypted property syntax for seamless decryption at runtime.
Learn how to secure a Spring Boot service by limiting request frequency per IP and URL using a custom interceptor combined with Redis distributed locks, automatically blocking abusive IPs after a configurable number of hits within a set time window.
This article details the discovery, official announcement, prerequisite conditions, and step‑by‑step reproduction of the critical Spring Framework remote code execution vulnerability (CVE‑2022‑22965), including exploit payloads, JSP backdoor creation, and practical mitigation insights.
This article presents a comprehensive design of the Cleaner anti‑crawler system, detailing its background, current challenges, related research, system architecture—including a Flink‑based data processing center, a strategy‑driven ban center, and a lightweight ban store—and evaluates its effectiveness in real‑time bot mitigation.
This article explains the modular configuration of Spring Security's OAuth2 components, showcases the core config classes for client, resource, and authorization servers, and details the default filter chain and customizable filter configurers used by Spring Authorization Server.
This article explains how to secure sensitive Spring Boot configuration properties such as database credentials by integrating the Jasypt library, configuring encryption keys, generating encrypted values through test code, and applying the encrypted strings in application.yml, including deployment‑time salt handling for enhanced security.
This article explains the fundamentals of permission management, detailing the classic RBAC0 model and its extensions RBAC1‑RBAC3, and explores how roles, users, groups, organizations, and positions interrelate in both single‑system and distributed micro‑service architectures, including practical table designs and framework options.
This guide introduces Casbin, an efficient open‑source authorization library, outlines its supported languages, key features, what it does not handle, core concepts, installation via Composer, and provides a complete PHP example with model and policy files to enforce access control.
The article explores practical approaches for authenticating internal service APIs, comparing plain token usage, IP whitelisting, and salted signature schemes with timestamps, and explains their implementation details, security trade‑offs, and suitability for a B2B cloud‑operated platform.
The article explains permission system fundamentals, classifies page, function, and data permissions, compares DAC, MAC, RBAC, and ABAC models, details RBAC variants, and demonstrates a practical Egg framework plugin implementation that configures roles, resources, and data rules to achieve flexible, secure backend access control.
The article explains how permission control in a front‑back separation architecture defines resources and permissions, outlines the distinct responsibilities of frontend and backend in enforcing access, and provides practical implementation examples with component tags and Java interceptor code.
This article walks through practical methods for securing internal API calls—starting with simple token checks, then enhancing security with IP whitelisting, salted signatures, and timestamped requests—while weighing trade‑offs like HTTPS overhead and time synchronization.
This article explains how to implement role‑based access control in Spring Security by embedding roles into UserDetails, configuring HttpSecurity with hasRole/hasAnyRole/hasAuthority, handling anonymous users, and using permitAll, providing code examples and detailed explanations for each approach.
This article explains how to protect commercial PHP projects from source leakage by using the open‑source screw‑plus extension to encrypt and obfuscate code, covering PHP extension lifecycle, hook mechanisms, encryption workflow, implementation details, and practical advantages and limitations.
The article examines Spring Data REST’s CVE‑2017‑8046 remote‑code‑execution flaw, showing how a malicious JSON Patch path is turned into an unchecked SpEL expression that can run arbitrary commands, reproduces the exploit on a sample Spring Boot app, and advises upgrading to versions that include the path‑verification fix.
