Security Mechanisms
The ThingsIoT platform provides a comprehensive security framework covering authentication, authorization, transmission, storage, and other layers.
1. JWT Token Authentication
- Stateless authentication: a JWT (JSON Web Token)-based mechanism eliminates the need for the server to store session state.
- Token expiration and refresh: token validity periods can be configured, and expired tokens can be refreshed.
- Request interception: the API gateway centrally validates tokens and directly blocks unauthorized requests.
2. RBAC Permission Model
- Role-based access control: a three-layer user → role → permission model.
- Fine-grained permissions:
- Menu permissions control page access.
- API permissions control API calls.
- Data permissions isolate data at the project and gateway levels.
- Multiple roles: one user can have multiple roles, and the effective permissions are the union of all assigned permissions.
3. Request Rate Limiting
- IP-level rate limiting: limits the request frequency from a single IP address to prevent malicious attacks.
- User-level rate limiting: limits API call frequency for an individual user.
- Circuit breaking: automatically opens the circuit when a downstream service is abnormal to prevent cascading failures.
4. Data Security
- Sensitive-data encryption: critical fields such as passwords and keys are stored in encrypted form.
- Transmission encryption: HTTPS encrypts all Web traffic, and MQTT supports TLS-encrypted transmission.
- Data isolation: project-level data buckets isolate tenant data so that one tenant cannot view another tenant's data.
5. Audit Logs (Planned)
- Record all user operations.
- Support queries by user, time, and operation type.
- Meet compliance-audit requirements.
Security Architecture
┌─────────────────────────────────────────────────────┐
│ Client Request │
└────────────────────┬────────────────────────────────┘
│ HTTPS
┌────────────────────▼────────────────────────────────┐
│ Spring Cloud Gateway │
│ ① JWT Validation ② IP/User Rate Limits ③ CORS │
└────────────────────┬────────────────────────────────┘
│ Route Distribution
┌────────────────────▼────────────────────────────────┐
│ Microservice Layer │
│ ④ RBAC Authorization ⑤ Data-Permission Filtering │
└────────────────────┬────────────────────────────────┘
│
┌────────────────────▼────────────────────────────────┐
│ Data Layer │
│ ⑥ Sensitive-Field Encryption ⑦ Project Isolation │
└─────────────────────────────────────────────────────┘