dromara / sureness Goto Github PK

View Code? Open in Web Editor NEW

846.0 30.0 157.0 8.29 MB

A simple and efficient security framework that focus on protection of API.

Home Page: https://usthe.com/sureness

License: Apache License 2.0

Java 86.02% JavaScript 9.26% CSS 4.72%

restful-api authentication authorization shiro spring-security jwt ktor javalin quarkus spring

sureness's Introduction

Sureness | 中文文档

A simple and efficient jvm security framework that focus on the protection of REST API.

Home Page: usthe.com/sureness | su.usthe.com

🎡 Introduction

Sureness is a simple and efficient open-source security framework that focus on the protection of REST API.
Provide authentication and authorization, based on RBAC.
No specific framework dependency (supports Javalin, Spring Boot, Quarkus, Ktor, Micronaut and more).
Supports dynamic modification of permissions.
Supports WebSockets and HTTP containers (Servlet and JAX-RS).
Supports JWT, Basic Auth, Digest Auth, and can custom auth methods.
High performance with Dictionary Matching Tree.
Good extension interface, demos and documentation.

Sureness has a sensible default configuration, is easy to customize, and is not couple to any one framework, which enables developers to quickly and safely protect their projects in multiple scenarios.

🔍 Compare

~	Sureness	Shiro	Spring Security
Multi Framework Support	support	support need modify	not support
REST API	support	support need modify	support
Websocket	support	not support	not support
Path Match	dictionary matching tree	ant match	ant match
Annotation Support	support	support	support
Servlet	support	support	support
JAX-RS	support	not support	not support
Dynamic Permissions	support	support need modify	support need modify
Performance	fast	slower	slower
Learning Curve	simple	simple	steep

📈 Benchmark

Benchmark test shows Sureness to lose 0.026ms performance compared to frameless application, Shiro lose 0.088ms, Spring Security lose 0.116ms.
In contrast, Sureness basically does not consume performance, and the performance (TPS loss) is 3 times that of Shiro and 4 times that of Spring Security.
The performance gap will be further widened as the api matching chain increases.

Detail see Benchmark Test

✌ Framework Sample Support

🔨 Quick Start

🐕 Some Conventions

Based RBAC, User-Role-Resource.
We treat API requests as a resource, resource format like requestUri===httpMethod.
That is the request uri + request method(post,get,put,delete...) is considered as a resource as a whole.
eg: /api/v2/book===get
User belongs some Role -- Role owns Resource -- User can access the resource.

Resource path matching see: URI Match

🐖 Add Sureness In Your Project

When use maven or gradle build project, add coordinate

<dependency>
    <groupId>com.usthe.sureness</groupId>
    <artifactId>sureness-core</artifactId>
    <version>1.1.0</version>
</dependency>

compile group: 'com.usthe.sureness', name: 'sureness-core', version: '1.1.0'

🐵 Use the Default Configuration to Configure Sureness

The default configuration -DefaultSurenessConfig uses the document datasource sureness.yml as the auth datasource.
It supports JWT auth, Basic auth, Digest authentication.

@Bean
public DefaultSurenessConfig surenessConfig() {
    return new DefaultSurenessConfig();
}

🐮 Load Auth Config DataSource

Sureness authentication requires us to provide our own account data, role permission data, etc. These data may come from text, relational databases, non-relational databases, annotations, etc.
We provide interfaces SurenessAccountProvider, PathTreeProvider for user implement to load data from the dataSource where they want.

SurenessAccountProvider - Account datasource provider interface.
PathTreeProvider - Resource uri-role datasource provider interface.

Default Document DataSource Config - sureness.yml, see: Default Document DataSource
Annotation DataSource Config Detail - AnnotationLoader, see: Annotation DataSource

If the configuration resource data comes from text, please refer to Sureness integration Spring Boot sample(configuration file scheme)
If the configuration resource data comes from dataBase, please refer to Sureness integration Spring Boot sample(database scheme)

🐐 Add an Interceptor Intercepting All Requests

The essence of Sureness is to intercept all rest requests for authenticating and authorizing.
The interceptor can be a filter or a Spring interceptor, it intercepts all request to check them.

SubjectSum subject = SurenessSecurityManager.getInstance().checkIn(servletRequest)

🐰 Implement Auth Exception Handling Process

Sureness uses exception handling process:

If auth success, method - checkIn will return a SubjectSum object containing user information.
If auth failure, method - checkIn will throw different types of auth exceptions.

Users need to continue the subsequent process based on these exceptions.(eg: return the request response)

Here we need to customize the exceptions thrown by checkIn, passed directly when auth success, catch exception when auth failure and do something:

try {
    SubjectSum subject = SurenessSecurityManager.getInstance().checkIn(servletRequest);
} catch (ProcessorNotFoundException | UnknownAccountException | UnsupportedSubjectException e4) {
    // Create subject error related execption 
} catch (DisabledAccountException | ExcessiveAttemptsException e2 ) {
    // Account disable related exception
} catch (IncorrectCredentialsException | ExpiredCredentialsException e3) {
    // Authentication failure related exception
} catch (UnauthorizedException e5) {
    // Authorization failure related exception
} catch (SurenessAuthenticationException | SurenessAuthorizationException e) {
    // other sureness exception
}

Detail see: Default Sureness Auth Exception

Have Fun

🥐 Advanced Use

Sureness supports custom subject, custom subjectCreator, custom processor and more.

Before advanced custom extension, let's first understand the general process of Sureness:

As in the above process, Subject is created by SubjectCreate according to the request body, and different authentication processors process the supported Subjects.

Sureness provides the following common interfaces as extension points:

Subject: Authenticated authorized user's account interface, provide the account's username,password, request resources, roles, etc.
SubjectCreate: Create subject interface, provider create method.
Processor: Process subject interface, where happen authentication and authorization.
PathTreeProvider: Resource data provider, it can load data from txt or database,etc.
SurenessAccountProvider: Account data provider, it can load data from txt or database,etc.

Refer to Extension Point for the extended documentation.

🥊 Custom Subject

Implment Subject, add custom subject content
Implment SubjectCreate to create custom subject
Implment Processor to support custom subject

See Custom Subject

🔫 Custom SubjectCreator

Implment SubjectCreate to create your custom subject

See Custom SubjectCreator

🪓 Custom Processor

A subject also can support by different processor, so we can custom processor to support custom subject Implment Processor, set which subject can support and implment processing details

See Custom Processor

🏹 Custom Datasource

Implment PathTreeProvider, load in DefaultPathRoleMatcher
Implment SurenessAccountProvide, load in processor

See Custom Datasource

Detail please refer to Sureness integration Spring Boot sample(database scheme)

🙋 Contributing

Very welcome to Contribute this project, go further and better with Sureness.

Components of Repository:

See CONTRIBUTING

💪 Why Is High Performance

🌞 Friend's Links

HertzBeat An open-source, real-time monitoring system with custom-monitor and agentLess: Github
JustAuth A Java library of third-party authorized login: Github
MaxKey Leading-Edge Enterprise-Class open source IAM Identity and Access management product: Github
PhalApi PHP Api Framework: Website

💬 Join discussion

QQ Group: 390083213
Github Discussion
Gitter Channel

🛡️ License

Apache License, Version 2.0

🎟️ Thanks

sureness's People

Contributors

Stargazers

Watchers

Forkers

thinker1017 melopoz kevin1573 monsdio jacshon chris-yang 20111564 gitter-badger fate-xjc yeyeyeoye herofire 99kyuu sjlzz1221 sevenma zh370565973 elairs hellojray jangocheng fcdml floodboad yianz issues-translate-bot loyin wangscript007 usual-life caroniu airpupa imyaba toanpv90 chenhuan2020 lkg xjmongo sunxusmile wjxjasin pengchengyin xiejiajun yinjiuming sky20086 cizi2018 hardweight wosuxiongmao leexming yqxxgh waerly tydhot yy35959199 zhiyusun advance-climber jaychuo spsl yubingzhang andy521 cryboy007 wittech small-tangerine wwwk ccczone hqgordon imloama sunshibiao chinesetony zhuomingliang jsuzsj shliu11 houtianyun bertluo bianyafeng niubangcha a1135656335 dannylincn smlcat wuwengithub langjuxu x8mouse jhooomn liuyu520 messaging24 lipingyuan65 charliexcl scutcr7 lizhenhua2016 wepoiuopijsdfnxcvl young-wan mikedevatos mu-l winsomexjs yufengjiaoyu anywhere zhengxaioyi daiyiy githubmj allureyc orangetope666 plkkoko windgoogle 66ttdream peggypro wangzhongwei csusupremerb fyz9628

sureness's Issues

找不到 sureness.yml 文件的位置

Describe the bug
2020-12-29 15:40:37,223 ERROR [io.qua.run.Application] (Quarkus Main Thread) Failed to start application (with profile dev): com.usthe.sureness.matcher.SurenessLoadDataException: sureness file: sureness.yml not found, please create
the file if you need config resource

Used Version
sureness 0.4
quarkus 1.10.5.Final

To Reproduce
Steps to reproduce the behavior:
mvnw quarkus:dev

Expected behavior
如果采用 mvnw package的方式打包，java -jar xxx.jar 运行可以正常。期望 mvnw quarkus:dev 开发方式也正常

测试-使用中文提一个issue

这是一个翻译测试内容哦
使用版本
0.2

内容复现
启动

预期效果
测试内容，无异常效果

Misjudging diff permission configurations as same config

Describe the bug
Misjudging different permission configurations as duplicate configurations under certain conditions.
eg: config sureness.yml resourceRole:

/api/v6/book/*===get===[role1]
/api/v6/book===post===[role2]

The /api/v6/book===post===[role2] was ignored by mistake.
sureness log: [sureness]-The path resource: /api/v6/book===post===[role2] has match same method, ignore it.

Used Version
lastst: v1.0.4

Expected behavior

The config /api/v6/book===post===[role2] can not be ignored when sureness init.

怎么获取当前已经登录的用户ID呢？

新手请教

Spring Cloud Gateway Authentication

Is your feature request related to a problem? Please describe.
I want to use database to authentication at the gateway. I followed sample-tom and spring-webflux-sureness.

SurenessConfiguration

@Configuration
public class SurenessConfiguration {

    private static final Logger logger = LoggerFactory.getLogger(SurenessConfiguration.class);

    @Bean
    ProcessorManager processorManager(SurenessAccountProvider accountProvider) {
        if (logger.isDebugEnabled()) {
            logger.debug("DefaultProcessorManager init");
        }
        return new DefaultProcessorManager(Arrays.asList(new JwtProcessor()));
    }

    /**
     * @param databasePathTreeProvider the path tree resource load from database
     */
    @Bean
    TreePathRoleMatcher pathRoleMatcher(PathTreeProvider databasePathTreeProvider) {
        // pathRoleMatcher init
        DefaultPathRoleMatcher pathRoleMatcher = new DefaultPathRoleMatcher();
        pathRoleMatcher.setPathTreeProvider(databasePathTreeProvider);
        pathRoleMatcher.buildTree();
        if (logger.isDebugEnabled()) {
            logger.debug("DefaultPathRoleMatcher init");
        }
        return pathRoleMatcher;
    }

    @Bean
    SubjectFactory subjectFactory() {
        // SubjectFactory init
        SubjectFactory subjectFactory = new SurenessSubjectFactory();
        subjectFactory.registerSubjectCreator(Arrays.asList(new JwtSubjectReactiveCreator()));
        return subjectFactory;
    }

    /**
     * surenessSecurityManager init
     */
    @Bean
    SurenessSecurityManager securityManager(ProcessorManager processorManager,
                                            TreePathRoleMatcher pathRoleMatcher, SubjectFactory subjectFactory) {
        SurenessSecurityManager securityManager = SurenessSecurityManager.getInstance();
        securityManager.setPathRoleMatcher(pathRoleMatcher);
        securityManager.setSubjectFactory(subjectFactory);
        securityManager.setProcessorManager(processorManager);
        if (logger.isDebugEnabled()) {
            logger.debug("SurenessSecurityManager init");
        }
        return securityManager;
    }
}

application.yml

spring:
  cloud:
    nacos:
      discovery:
        server-addr: 192.168.1.252:8848
    gateway:
      default-filters:
        - SurenessAuth
      routes:
        - id: auth
          uri: lb://auth
          predicates:
            - Path=/auth/**

An error occurred when I requested http://localhost:8083/auth/token.

com.usthe.sureness.processor.exception.UnsupportedSubjectException: this request can not create subject by creators,please config no subject creator by default
	at com.usthe.sureness.mgt.SurenessSecurityManager.checkIn(SurenessSecurityManager.java:72) ~[sureness-core-1.0.3.jar:na]
	at com.zetacn.zetagateway.sureness.filter.SurenessFilter.filter(SurenessFilter.java:38) ~[classes/:na]

如何动态更新资源权限？

通过管理后台界面添加了资源和对应的角色授权，目前需要重启服务才能更新权限，如何动态更新资源权限？

support ldap

support ladp auth

请问如何在基于 graphql-java 的 GraphQL 实现中使用 sureness 库？

请问如何在基于 graphql-java 的 GraphQL 实现中使用 sureness 库？
服务器框架是用的 Ktor，感觉 sureness 似乎只能对 RESTful 进行保护

no security module in sureness-core the latest version

import com.usthe.sureness.security.XssSqlServletRequestWrapper; not found,

api can be accessed by any role when accessRole not config

Is your feature request related to a problem? Please describe.
api can be accessed by any role when accessRole not config

Describe the solution you'd like
Before
/api/v1/getSource3===get===[] means /api/v1/getSource3===get can be accessed by any role or no role

After
/api/v1/getSource3===get===[] means /api/v1/getSource3===get can not be accessed by any role

path can not match case the pattern `**` can not turn null when it in last.

the pattern /**/swagger-resources/**===get can not match the request uri /api/swagger-resources
so is the /xxx/** can not match the request /xxx , the pattern ** can not turn null when it in last.

Unable to get supported roles

Describe the bug
DefaultPathRoleMatcher.matchRole(Subject subject) Method always returns a null value

Used Version
1.0.7, tag or branch used

To Reproduce
Steps to reproduce the behavior:

Go to '...'
Click on '....'
Scroll down to '....'
See error

Expected behavior
A clear and concise description of what you expected to happen.

Screenshots
If applicable, add screenshots to help explain your problem.

Additional context
Add any other context about the problem here.

End User Registration 「使用者登记」

Who is using sureness？

Thank you very much for your attention and support to sureness. This is the biggest motivation for us to move forward.

The original intention of this issue

Learn more about the practical use scenarios of sureness and listen to the community to make sureness better.
We want to attract more partners to contribute to sureness.

We look forward to your registration

You can refer to the below:

Organization: usthe
Location: chengdu, China
Contact: [email protected]
Purpose: Integrate existing gateways to protect api security

Thanks again for your participation!

sureness community

谁在使用 sureness？

非常感谢大家对 sureness 的关注和支持，这是我们前进最大的动力。

这个 issue 的出发点

聆听社区的声音，了解实际使用场景，让 sureness 解决实际的问题
吸引更多的开发者参与和贡献

我们期待您的登记

信息参考如下：

组织：usthe
地点：成都，**
联系方式： [email protected]
使用场景：集成现有网关来对api进行安全保护
使用感受：xxxxx

多谢您的支持！

sureness 社区

有没有兴趣支持Graphql跟ABAC权限模型

有一些时候角色并不是很好的选择。
如：我想针对每个前端按钮进行权限控制。
针对某一个用户做权限控制，而不影响到其他相同的权限。

同时第二个想法：
是否可以侵入到响应模型字段，比如admin角色下展示用户的明文密码，审计员则不展示用户的密码，用户自己展示自己的加密密码。

support multi Principal in sureness subject

Is your feature request related to a problem? Please describe.
sometime we want to insert more thing about user in subject, but their only one Principal

Describe the solution you'd like
add multi Principal interface method in sureness subject

websocket如何验证token？

我想通过sureness验证websocket的token，token在头部传输，运行了演示项目，没明白怎么验证websocket的token，和验证rest接口是一样的吗？

support example use sureness protect jfinal - https://jfinal.com/

Describe the solution you'd like

support example use sureness protect jfinal - https://jfinal.com/

加密使用md5是不是不太安全呢？

我看*配置文件中用户凭证加密是md5加盐，md5目前应该算不太安全的算法了吧

30-minute demo video

Use Sureness integration Spring Boot sample(database scheme)
Sample-Tom

Using hardcoded cryptographic key when creating and verifing Json Web Token.

Hi, we are a research group to help developers build secure applications. We designed a cryptographic misuse detector on Java language(Our main concern is the secure implementation and use of Json Web Token). We found your great public repository (i.e., sureness) from Github, and several security issues detected by our detector are shown in the following. The specific security issues we found are as follows:
(1) Location: Package: com.usthe.sureness.util Class: JsonWebTokenUtil.class
Security issue: Using predictable/constant cryptographic key when creating and verifing Json Web Token.

Using a hard-coded secret does not conform to the security implementation specification of JWT, which may bring security risks to your system. It is recommended that you use a more secure way to store the secret used to generate the JWT. （For the hazards of hardcoded keys, you can refer to CWE-321, NIST Special Publication 800-57).

I noticed that you mentioned that users can change the key used to generate JWT signatures, probably for ease of use, you still provide a default key for generating and verifying JWTs. Developers who don't understand JWT may directly use this hardcoded key to generate JWT, which brings some security risks. Therefore, it is recommended that you store this hardcoded key in a more secure way.

We wish the above security issues cloud truly help you to build a secure application. If you have any concern or suggestion, please feel free to contact us, we are looking forwart to your reply. Thanks.

Sureness Spring Boot Starter

Describe the solution you'd like
Sureness Spring Boot Starter, to use Sureness in Spring Boot more simply.

support example use sureness protect quarkus- https://quarkus.pro/

Describe the solution you'd like
support example use sureness protect quarkus- https://quarkus.pro/

03dbc91a03ab26b694a3ee7ce54e2ae50e1ed050

googlehosts/hosts@03dbc91

Feature support a all custom process flow example

Describe the solution you'd like

Feature support a all custom process flow example in sampel-tom

custom subject subjectCreator processor
support refresh token demo

使用数据库作为数据源，如何做到动态配置而且生效

使用数据库作为数据源，如何做到动态配置而且生效，不希望重启应用，谢谢；能否提供一个接口去主动刷新缓存里的resourceRole和excludedResource

support example use sureness protect spring webflux

Describe the solution you'd like
support example use sureness protect spring webflux

Support API Gateway - Soul

Describe the solution you'd like
Support API Gateway - Soul
https://dromara.org/projects/soul/overview/

too much read sureness.yml times when auth may make system down

Javalin Plugin

So i was looking at the tutourial on the Javalin website, and I saw that there is a lot of calls to app.XXX methods. We can probably throw these into a JavalinPlugin, and publish it for simplicity when using with javalin.

I want to use Sureness in an admin panel, And im gonna put in the leg work anyway. Is there interest for this?

有计划支持spring webflux的webfilter吗？

你好，我这边项目使用的是spring webflux，好像无法集成sureness，有计划支持webflux吗？或者能否给个大概的思路。

support example use sureness protect micronaut- https://micronaut.io/

Describe the solution you'd like
support example use sureness protect micronaut- https://micronaut.io/

Jshd

Describe the bug
A clear and concise description of what the bug is.

Used Version
the version , tag or branch used

To Reproduce
Steps to reproduce the behavior:

Go to '...'
Click on '....'
Scroll down to '....'
See error

Expected behavior
A clear and concise description of what you expected to happen.

Screenshots
If applicable, add screenshots to help explain your problem.

Additional context
Add any other context about the problem here.
Change encrypted key code

spring-boot-starter-sureness模块下调整建议

spring-boot-starter-sureness

建议使用 spring-boot 官方建议的命名规范，使用 xxx-spring-boot-starter
建议SurenessFilter 可以自定义注入，并非配置sureness.container=servlet 就一定需要他。比如我在某个项目中，只有部分的 openapi 需要此鉴权。如果配置excludedResource: 又太过繁琐。或者增加FilterUrlPatterns配置

support example use sureness protect ktor - https://ktor.kotlincn.net/

Describe the solution you'd like
support example use sureness protect ktor - https://ktor.kotlincn.net/

@RequiresRoles can not support one more role, eg: @RequiresRoles(roles = {"role1", "role2"}, mapping = "/resource", method = "post")

Describe the bug
Use AnnotationLoader provide PathTree resource,
@RequiresRoles can not support one more role
eg: input @RequiresRoles(roles = {"role1", "role2"}, mapping = "/resource", method = "post")
there where some error happen when running

Used Version
0.2

To Reproduce
Steps to reproduce the behavior:
@RequiresRoles(roles = {"role1", "role2"}, mapping = "/resource", method = "post")

support netty http

Describe the solution you'd like
support netty http

对于DELETE请求会提示“Invalid CORS request”

添加了sureness后，通过jquery发送delete请求会提示“Invalid CORS request”，通过curl命令发送delete请求也正常，get和post请求正常，spring boot 已经配置跨域，请问是不是sureness导致的？

throw uncatched exception when request jwt is not base64

Describe the bug
throw uncatched exception when request jwt is not base64

Used Version
v0.2

To Reproduce
request a not base64 jwt

Expected behavior
throw uncatched exception when request jwt is not base64

spring-gateway-sureness can't start

Describe the bug
spring-gateway-sureness module can't start normally.

2021-06-23 11:17:02.535  WARN 12300 --- [           main] o.s.boot.SpringApplication               : Unable to close ApplicationContext

java.lang.IllegalStateException: Failed to introspect Class [org.springframework.cloud.gateway.config.GatewayAutoConfiguration$NettyConfiguration] from ClassLoader [sun.misc.Launcher$AppClassLoader@18b4aac2]
	at org.springframework.util.ReflectionUtils.getDeclaredMethods(ReflectionUtils.java:481) ~[spring-core-5.2.5.RELEASE.jar:5.2.5.RELEASE]
	at org.springframework.util.ReflectionUtils.doWithMethods(ReflectionUtils.java:358) ~[spring-core-5.2.5.RELEASE.jar:5.2.5.RELEASE]
	at org.springframework.util.ReflectionUtils.getUniqueDeclaredMethods(ReflectionUtils.java:414) ~[spring-core-5.2.5.RELEASE.jar:5.2.5.RELEASE]
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.lambda$getTypeForFactoryMethod$2(AbstractAutowireCapableBeanFactory.java:743) ~[spring-beans-5.2.5.RELEASE.jar:5.2.5.RELEASE]
	at java.util.concurrent.ConcurrentHashMap.computeIfAbsent(ConcurrentHashMap.java:1688) ~[na:1.8.0_292]
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.getTypeForFactoryMethod(AbstractAutowireCapableBeanFactory.java:742) ~[spring-beans-5.2.5.RELEASE.jar:5.2.5.RELEASE]
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.determineTargetType(AbstractAutowireCapableBeanFactory.java:681) ~[spring-beans-5.2.5.RELEASE.jar:5.2.5.RELEASE]
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.predictBeanType(AbstractAutowireCapableBeanFactory.java:649) ~[spring-beans-5.2.5.RELEASE.jar:5.2.5.RELEASE]
	at org.springframework.beans.factory.support.AbstractBeanFactory.isFactoryBean(AbstractBeanFactory.java:1605) ~[spring-beans-5.2.5.RELEASE.jar:5.2.5.RELEASE]
	at org.springframework.beans.factory.support.DefaultListableBeanFactory.doGetBeanNamesForType(DefaultListableBeanFactory.java:523) ~[spring-beans-5.2.5.RELEASE.jar:5.2.5.RELEASE]
	at org.springframework.beans.factory.support.DefaultListableBeanFactory.getBeanNamesForType(DefaultListableBeanFactory.java:494) ~[spring-beans-5.2.5.RELEASE.jar:5.2.5.RELEASE]
	at org.springframework.beans.factory.support.DefaultListableBeanFactory.getBeansOfType(DefaultListableBeanFactory.java:616) ~[spring-beans-5.2.5.RELEASE.jar:5.2.5.RELEASE]
	at org.springframework.beans.factory.support.DefaultListableBeanFactory.getBeansOfType(DefaultListableBeanFactory.java:608) ~[spring-beans-5.2.5.RELEASE.jar:5.2.5.RELEASE]
	at org.springframework.context.support.AbstractApplicationContext.getBeansOfType(AbstractApplicationContext.java:1242) ~[spring-context-5.2.5.RELEASE.jar:5.2.5.RELEASE]
	at org.springframework.boot.SpringApplication.getExitCodeFromMappedException(SpringApplication.java:869) [spring-boot-2.2.6.RELEASE.jar:2.2.6.RELEASE]
	at org.springframework.boot.SpringApplication.getExitCodeFromException(SpringApplication.java:857) [spring-boot-2.2.6.RELEASE.jar:2.2.6.RELEASE]
	at org.springframework.boot.SpringApplication.handleExitCode(SpringApplication.java:844) [spring-boot-2.2.6.RELEASE.jar:2.2.6.RELEASE]
	at org.springframework.boot.SpringApplication.handleRunFailure(SpringApplication.java:795) [spring-boot-2.2.6.RELEASE.jar:2.2.6.RELEASE]
	at org.springframework.boot.SpringApplication.run(SpringApplication.java:325) [spring-boot-2.2.6.RELEASE.jar:2.2.6.RELEASE]
	at org.springframework.boot.SpringApplication.run(SpringApplication.java:1226) [spring-boot-2.2.6.RELEASE.jar:2.2.6.RELEASE]
	at org.springframework.boot.SpringApplication.run(SpringApplication.java:1215) [spring-boot-2.2.6.RELEASE.jar:2.2.6.RELEASE]
	at gateway.GatewayApplication.main(GatewayApplication.java:13) [classes/:na]
Caused by: java.lang.NoClassDefFoundError: reactor/netty/transport/ProxyProvider$TypeSpec
	at java.lang.Class.getDeclaredMethods0(Native Method) ~[na:1.8.0_292]
	at java.lang.Class.privateGetDeclaredMethods(Class.java:2701) ~[na:1.8.0_292]
	at java.lang.Class.getDeclaredMethods(Class.java:1975) ~[na:1.8.0_292]
	at org.springframework.util.ReflectionUtils.getDeclaredMethods(ReflectionUtils.java:463) ~[spring-core-5.2.5.RELEASE.jar:5.2.5.RELEASE]
	... 21 common frames omitted
Caused by: java.lang.ClassNotFoundException: reactor.netty.transport.ProxyProvider$TypeSpec
	at java.net.URLClassLoader.findClass(URLClassLoader.java:382) ~[na:1.8.0_292]
	at java.lang.ClassLoader.loadClass(ClassLoader.java:418) ~[na:1.8.0_292]
	at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:352) ~[na:1.8.0_292]
	at java.lang.ClassLoader.loadClass(ClassLoader.java:351) ~[na:1.8.0_292]
	... 25 common frames omitted

Used Version
master branch
commit id: 6ff484a

To Reproduce
just start the spring-gateway-sureness

Expected behavior
spring-gateway-sureness starts normally.

Solution
spring-cloud-dependencies is incompatible with spring-boot version.

Release Train	Boot Version
2020.0.x aka Ilford	2.4.x, 2.5.x (Starting with 2020.0.3)

update root `pom.xml`

<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-dependencies</artifactId>
<version>2.5.1</version>

        SubjectSum subject = SurenessSecurityManager.getInstance().checkIn(servletRequest);
        Object principal = subject.getPrincipal();
        System.out.println(principal);    //  null

0.4.1版本，jwt 认证方式

bug-SurenessCommonUtil findUserAgent throw error

Describe the bug

SurenessCommonUtil findUserAgent throw error not found ws.rs.container.. when use servlet not ws.rs

Used Version
sureness-0..2

Additional context

suggest remove the findUserAgent