Skip to main content

Security Mechanisms

The ThingsIoT platform provides a comprehensive security framework covering authentication, authorization, transmission, storage, and other layers.

1. JWT Token Authentication

  • Stateless authentication: a JWT (JSON Web Token)-based mechanism eliminates the need for the server to store session state.
  • Token expiration and refresh: token validity periods can be configured, and expired tokens can be refreshed.
  • Request interception: the API gateway centrally validates tokens and directly blocks unauthorized requests.

2. RBAC Permission Model

  • Role-based access control: a three-layer user → role → permission model.
  • Fine-grained permissions:
    • Menu permissions control page access.
    • API permissions control API calls.
    • Data permissions isolate data at the project and gateway levels.
  • Multiple roles: one user can have multiple roles, and the effective permissions are the union of all assigned permissions.

3. Request Rate Limiting

  • IP-level rate limiting: limits the request frequency from a single IP address to prevent malicious attacks.
  • User-level rate limiting: limits API call frequency for an individual user.
  • Circuit breaking: automatically opens the circuit when a downstream service is abnormal to prevent cascading failures.

4. Data Security

  • Sensitive-data encryption: critical fields such as passwords and keys are stored in encrypted form.
  • Transmission encryption: HTTPS encrypts all Web traffic, and MQTT supports TLS-encrypted transmission.
  • Data isolation: project-level data buckets isolate tenant data so that one tenant cannot view another tenant's data.

5. Audit Logs (Planned)

  • Record all user operations.
  • Support queries by user, time, and operation type.
  • Meet compliance-audit requirements.

Security Architecture

┌─────────────────────────────────────────────────────┐
│ Client Request │
└────────────────────┬────────────────────────────────┘
│ HTTPS
┌────────────────────▼────────────────────────────────┐
│ Spring Cloud Gateway │
│ ① JWT Validation ② IP/User Rate Limits ③ CORS │
└────────────────────┬────────────────────────────────┘
│ Route Distribution
┌────────────────────▼────────────────────────────────┐
│ Microservice Layer │
│ ④ RBAC Authorization ⑤ Data-Permission Filtering │
└────────────────────┬────────────────────────────────┘

┌────────────────────▼────────────────────────────────┐
│ Data Layer │
│ ⑥ Sensitive-Field Encryption ⑦ Project Isolation │
└─────────────────────────────────────────────────────┘