A simple and efficient security framework that focus on protection of REST API. (面向REST API的高性能认证鉴权框架 )
Alternatives To Sureness
Project NameStarsDownloadsRepos Using ThisPackages Using ThisMost Recent CommitTotal ReleasesLatest ReleaseOpen IssuesLicenseLanguage
Springdoc Openapi2,780513310 days ago144April 01, 202328apache-2.0Java
Library for OpenAPI 3 with spring-boot
Spring Boot Vuejs1,982
16 days ago18mitJava
Example project showing how to build a Spring Boot App providing a GUI with Vue.js
Solon1,67017819 hours ago640August 28, 202316apache-2.0Java
🔥 Java 新的生态:更快、更小、更简单!!!启动快 5 ~ 10 倍;qps 高 2~ 3 倍;运行时内存节省 1/3 ~ 1/2;打包可以缩到 1/2 ~ 1/10
Aws Serverless Java Container1,38389163 days ago36July 20, 202358apache-2.0Java
A Java wrapper to run Spring, Jersey, Spark, and other apps inside AWS Lambda.
Elide95717123 days ago197June 11, 202289otherJava
Elide is a Java library that lets you stand up a GraphQL/JSON-API web service with minimal effort.
6 months ago32February 18, 202222apache-2.0Java
A simple and efficient security framework that focus on protection of API.
Spring Lemon654
5 months ago3July 01, 202211otherJava
Helper library for Spring Boot web applications
Perfect Ssm579
5 years ago4apache-2.0Java
:grapes:更完善的Spring+SpringMVC+Mybatis+easyUI后台管理系统(RESTful API+redis)
6 years ago5mitJava
A demonstration of a completely stateless and RESTful token-based authorization system using JSON Web Tokens (JWT) and Spring Security.
8 days ago7Java
Source code for the tutorials published on the Javadevjournal site.
Alternatives To Sureness
Select To Compare

Alternative Project Comparisons


sureness | 中文文档

A simple and efficient jvm security framework that focus on the protection of REST API.

License Maven GitHub pull request check contexts Gitter GitHub Release Date star star

sureness - Jvm security framework that focus on protection of rest api | Product Hunt

Home Page: or

🎡 Introduction

Sureness is a simple and efficient open-source security framework that focus on the protection of REST API.
Provide authentication and authorization, based on RBAC.
No specific framework dependency (supports Javalin, Spring Boot, Quarkus, Ktor, Micronaut and more).
Supports dynamic modification of permissions.
Supports WebSockets and mainstream HTTP containers (Servlet and JAX-RS).
Supports JWT, Basic Auth, Digest Auth, and can be extended to support custom authentication methods.
High performance due to dictionary matching tree.
Good extension interface, demos and documentation.

Sureness has a sensible default configuration, is easy to customize, and is not couple to any one framework, which enables developers to quickly and safely protect their projects in multiple scenarios.

🔍 Compare
~ sureness shiro spring security
Multi Framework Support support support need modify not support
REST API support support need modify support
Websocket support not support not support
Path Match dictionary matching tree ant match ant match
Annotation Support support support support
Servlet support support support
JAX-RS support not support not support
Dynamic Modification of Permissions support support need modify support need modify
Performance fast slower slower
Learning Curve simple simple steep
📈 Benchmark


Benchmark test shows sureness to lose 0.026ms performance compared to frameless application, shiro lose 0.088ms, spring security lose 0.116ms.
In contrast, sureness basically does not consume performance, and the performance (TPS loss) is 3 times that of shiro and 4 times that of spring security.
The performance gap will be further widened as the api matching chain increases.

Detail see Benchmark Test

✌ Framework Sample Support

🔨 Quick Start

🐕 Some Conventions

  • Based RBAC, User-Role-Resource.
  • We treat API requests as a resource, resource format like requestUri===httpMethod.
    That is the request uri + request method(post,get,put,delete...) is considered as a resource as a whole.
    eg: /api/v2/book===get
  • User belongs some Role -- Role owns Resource -- User can access the resource.

Resource path matching see: URI Match

🐖 Add Sureness In Your Project

When use maven or gradle build project, add coordinate

compile group: 'com.usthe.sureness', name: 'sureness-core', version: '1.0.3'

🐵 Use the Default Configuration to Configure Sureness

The default configuration -DefaultSurenessConfig uses the document datasource sureness.yml as the auth datasource.
It supports JWT auth, Basic auth, Digest authentication.

public DefaultSurenessConfig surenessConfig() {
    return new DefaultSurenessConfig();

🐮 Load Auth Config DataSource

Sureness authentication requires us to provide our own account data, role permission data, etc. These data may come from text, relational databases, non-relational databases, annotations, etc.
We provide interfaces SurenessAccountProvider, PathTreeProvider for user implement to load data from the dataSource where they want.

  • SurenessAccountProvider - Account datasource provider interface.
  • PathTreeProvider - Resource uri-role datasource provider interface.

Default Document DataSource Config - sureness.yml, see: Default Document DataSource
Annotation DataSource Config Detail - AnnotationLoader, see: Annotation DataSource

If the configuration resource data comes from text, please refer to Sureness integration springboot sample(configuration file scheme)
If the configuration resource data comes from dataBase, please refer to Sureness integration springboot sample(database scheme)

🐐 Add an Interceptor Intercepting All Requests

The essence of sureness is to intercept all rest requests for authenticating and Authorizing.
The interceptor can be a filter or a spring interceptor, it intercepts all request to check them.

SubjectSum subject = SurenessSecurityManager.getInstance().checkIn(servletRequest)

🐰 Implement Auth Exception Handling Process

Sureness uses exception handling process:

  • If auth success, method - checkIn will return a SubjectSum object containing user information.
  • If auth failure, method - checkIn will throw different types of auth exceptions.

Users need to continue the subsequent process based on these exceptions.(eg: return the request response)

Here we need to customize the exceptions thrown by checkIn, passed directly when auth success, catch exception when auth failure and do something:

try {
    SubjectSum subject = SurenessSecurityManager.getInstance().checkIn(servletRequest);
} catch (ProcessorNotFoundException | UnknownAccountException | UnsupportedSubjectException e4) {
    // Create subject error related execption 
} catch (DisabledAccountException | ExcessiveAttemptsException e2 ) {
    // Account disable related exception
} catch (IncorrectCredentialsException | ExpiredCredentialsException e3) {
    // Authentication failure related exception
} catch (UnauthorizedException e5) {
    // Authorization failure related exception
} catch (SurenessAuthenticationException | SurenessAuthorizationException e) {
    // other sureness exception

Detail sureness auth exception see: Default Sureness Auth Exception

Have Fun

🥐 Advanced Use

Sureness supports custom subject, custom subjectCreator, custom processor and more.

Before advanced custom extension, let's first understand the general process of sureness:


As in the above process, Subject is created by SubjectCreate according to the request body, and different authentication processors process the supported Subjects.

Sureness provides the following common interfaces as extension points:

  • Subject: Authenticated authorized user's account interface, provide the account's username,password, request resources, roles, etc.
  • SubjectCreate: Create subject interface, provider create method.
  • Processor: Process subject interface, where happen authentication and authorization.
  • PathTreeProvider: Resource data provider, it can load data from txt or database,etc.
  • SurenessAccountProvider: Account data provider, it can load data from txt or database,etc.

Refer to Extension Point for the extended documentation.

  1. 🥊 Custom Subject

Implment Subject, add custom subject content
Implment SubjectCreate to create custom subject
Implment Processor to support custom subject

See Custom Subject

  1. 🔫 Custom SubjectCreator

Implment SubjectCreate to create your custom subject

See Custom SubjectCreator

  1. 🪓 Custom Processor

A subject also can support by different processor, so we can custom processor to support custom subject Implment Processor, set which subject can support and implment processing details

See Custom Processor

  1. 🏹 Custom Datasource

Implment PathTreeProvider, load in DefaultPathRoleMatcher
Implment SurenessAccountProvide, load in processor

See Custom Datasource

Detail please refer to Sureness integration springboot sample(database scheme)

🙋 Contributing

Very welcome to Contribute this project, go further and better with sureness.

Components of Repository:


💪 Why Is High Performance


🌞 Friend's Links

  • JustAuth A Java library of third-party authorized login: Github
  • MaxKey Leading-Edge Enterprise-Class open source IAM Identity and Access management product: Github
  • PhalApi PHP Api Framework: Website

🛡️ License

Apache License, Version 2.0

Popular Rest Api Projects
Popular Spring Projects
Popular Application Programming Interfaces Categories
Related Searches

Get A Weekly Email With Trending Projects For These Categories
No Spam. Unsubscribe easily at any time.
Rest Api
Spring Boot
Spring Security