Security Compliance Capabilities

Core Positioning

In a nutshell: Build a defense-in-depth security system for enterprises, meeting Level 3 Information Security Protection and financial-grade security audit requirements, making business systems “natively compliant”.

What Problems It Solves

| Compliance Requirement | RuoYiPlus Security Solution |
|---|---|
| Level 3 Information Security Protection certification | Identity verification + access control + security audit + data integrity + data confidentiality |
| Financial-grade audit | Blockchain hash chain attestation + tamper-proof operation logs |
| Data privacy protection | Auto masking of sensitive fields + transport encryption + storage encryption |
| Risk prevention | Real-time risk monitoring + abnormal behavior alerts + account freezing |

Suitable Users

mindmap
  root((Security Compliance Users))
    Financial Institutions
      Level 3 Protection certification
      Financial audit compliance
    Healthcare Industry
      HIPAA compliance
      Patient data protection
    Government Platforms
      Leveled protection
      Data security
    SaaS Enterprises
      Multi-tenant security isolation
      Data privacy compliance

User Roles

graph TB
  subgraph "Security Roles"
    SA["Security Administrator<br/>Configure security policies"]
    AUDITOR["Auditor<br/>Review operation logs"]
    ADMIN["System Administrator<br/>Security operations"]
    DEV["Developer<br/>Secure coding"]
  end
  SA -->|Configure| MFA["Multi-Factor Authentication"]
  SA -->|Configure| PWD["Password Policy"]
  AUDITOR -->|Review| LOG["Operation Logs"]
  AUDITOR -->|Generate| REPORT["Compliance Reports"]
  ADMIN -->|Manage| KEY["Key Management"]
  ADMIN -->|Monitor| ALERT["Security Alerts"]
  DEV -->|Follow| SECURE["Secure Coding Standards"]

1. Security System Architecture

graph TB
  subgraph "RuoYiPlus Security Compliance System"
    subgraph "Identity Authentication Layer"
      A1["IAM Center"]
      A2["Multi-Factor Authentication"]
      A3["SSO Single Sign-On"]
    end
    subgraph "Access Control Layer"
      B1["RBAC Permissions"]
      B2["Data Permissions"]
      B3["API Permissions"]
    end
    subgraph "Data Security Layer"
      C1["Encryption & Masking"]
      C2["Tamper Prevention"]
      C3["Data Classification"]
    end
    subgraph "Security Audit Layer"
      D1["Audit Center"]
      D2["Risk Alerts"]
      D3["Compliance Reports"]
    end
    subgraph "Security Protection Layer"
      E1["WAF"]
      E2["Injection Prevention"]
      E3["XSS Prevention"]
      E4["CSRF Prevention"]
      E5["DDoS Prevention"]
      E6["Key Management"]
    end
  end
  A1 --> B1
  A2 --> B1
  A3 --> B1
  B1 --> C1
  B2 --> C1
  B3 --> C1
  C1 --> D1
  C2 --> D1
  C3 --> D1
  D1 --> E1

2. Identity Authentication Security

2.1 Multi-Factor Authentication (MFA)

graph LR
  A["User Login"] --> B{"MFA Required?"}
  B -->|Yes| C["Enter Password"]
  C --> D{"Select Verification Method"}
  D --> E["SMS OTP"]
  D --> F["Email OTP"]
  D --> G["TOTP"]
  D --> H["Hardware Key"]
  E --> I["Authentication Successful"]
  F --> I
  G --> I
  H --> I
  B -->|No| I

| Authentication Method | Security Level | Description |
|---|---|---|
| Password + CAPTCHA | ⭐⭐ | Basic two-factor |
| Password + SMS OTP | ⭐⭐⭐ | Dynamic SMS verification code |
| Password + Email OTP | ⭐⭐⭐ | Email verification code |
| Password + TOTP | ⭐⭐⭐⭐ | Time-based one-time password |
| Password + Hardware Key | ⭐⭐⭐⭐⭐ | FIDO2/U2F, highest security |

2.2 SSO Single Sign-On

sequenceDiagram
  participant User as User
  participant App1 as App 1
  participant IAM as IAM Auth Center
  participant App2 as App 2
  User->>App1: Access App 1
  App1->>IAM: Not authenticated, redirect to auth
  User->>IAM: Enter credentials
  IAM->>IAM: Authentication success, issue Token
  IAM->>App1: Return Token
  User->>App2: Access App 2
  App2->>IAM: Verify Token
  IAM->>App2: Token valid
  App2->>User: Direct access

| Protocol | Supported | Use Case |
|---|---|---|
| OAuth 2.0 | | Third-party app authorization |
| OIDC | | Modern app SSO |
| SAML 2.0 | | Enterprise SSO |
| LDAP | | Enterprise directory integration |

2.3 Login Security Policy

security:
  login:
    password:
      min-length: 8
      require-uppercase: true
      require-lowercase: true
      require-digit: true
      require-special: true
      expiry-days: 90
      history-count: 5
    lockout:
      max-failed: 5
      lockout-duration: 30m
    abnormal:
      enabled: true
      notify-on-new-device: true
      block-high-risk: true

3. Access Control

3.1 RBAC Permission Model

graph TB
  A["User"] --> B["Role"]
  B --> C["Menu Permission"]
  B --> D["Operation Permission"]
  B --> E["Data Permission"]
  A --> F["Post"]
  F --> G["Role Inheritance"]
  F --> H["Data Scope"]

3.2 Data Permission Control

graph LR
  A["Data Request"] --> B{"Permission Type"}
  B -->|All Data| C["*"]
  B -->|Dept Data| D["dept_id = current.dept_id"]
  B -->|Own Data| E["creator_id = current.user_id"]
  B -->|Custom Data| F["region_id IN current.regions"]
  C --> G["Return Data"]
  D --> G
  E --> G
  F --> G
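The four predicates in the diagram above, turned into a parameterized WHERE fragment. This is an added example written for this page, not RuoYiPlus code; the `CurrentUser` record and the `DataScopeFilter` class are assumed shapes, and the key point is that the user's own ids are bound as parameters, never spliced into the SQL string.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

// Hypothetical data-scope resolver (not part of RuoYiPlus). It maps each
// permission type to a SQL predicate with "?" placeholders plus the bound values.
public class DataScopeFilter {
    public enum Scope { ALL, DEPT, SELF, CUSTOM }

    // Assumed minimal shape of the logged-in user's context.
    public record CurrentUser(long userId, long deptId, List<Long> regions) {}

    // A WHERE fragment and the parameters to bind, in order.
    public record Filter(String sql, List<?> params) {}

    public static Filter build(Scope scope, CurrentUser user) {
        switch (scope) {
            case ALL:
                return new Filter("1=1", Collections.emptyList());
            case DEPT:
                return new Filter("dept_id = ?", List.of(user.deptId()));
            case SELF:
                return new Filter("creator_id = ?", List.of(user.userId()));
            case CUSTOM:
                // An empty region list must deny, not widen: "IN ()" is invalid SQL,
                // and falling back to "1=1" would expose every row.
                if (user.regions().isEmpty()) {
                    return new Filter("1=0", Collections.emptyList());
                }
                String marks = String.join(", ", Collections.nCopies(user.regions().size(), "?"));
                return new Filter("region_id IN (" + marks + ")", new ArrayList<>(user.regions()));
            default:
                throw new IllegalArgumentException("unknown scope " + scope);
        }
    }

    public static void main(String[] args) {
        // Constructed sample user, not real data.
        CurrentUser u = new CurrentUser(42L, 7L, List.of(3L, 5L));
        for (Scope s : Scope.values()) {
            Filter f = build(s, u);
            System.out.println(s + " -> WHERE " + f.sql() + "  params=" + f.params());
        }
    }
}
```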

3.3 API Permission Control

// Method-level permission control
@RequiresPermissions(value = {"system:user:add", "system:user:edit"}, logical = Logical.OR)
public void saveUser(User user) { }

// Role permission control
@RequiresRoles(value = {"admin", "manager"})
public void exportReport() { }

// Custom permission check
@RequiresCustomPermissions(key = "data:export:financial")
public void exportFinancial() { }

4. Data Security

4.1 Sensitive Field Masking Flow

graph TB
  A["Data Query"] --> B["Masking Rule Match"]
  B --> C{"Field Type"}
  C -->|Phone| D["Middle 4 digits masked"]
  C -->|Email| E["Username masked"]
  C -->|ID Card| F["Birth date + last 4 digits"]
  C -->|Bank Card| G["Only last 4 digits"]
  C -->|Name| H["All but surname masked"]
  C -->|Password| I["Fully hidden"]
  D --> J["Return Masked Result"]
  E --> J
  F --> J
  G --> J
  H --> J
  I --> J
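The six masking rules above as a small helper, added here as an example and not RuoYiPlus's own implementation. It assumes an 11-digit mobile number, an 18-character ID card number (positions 7-14 are the birth date) and a surname that is the first character of the name; the class name `SensitiveMasker` is a placeholder.

```java
// Hypothetical masking helper written for this page (not RuoYiPlus code).
public class SensitiveMasker {
    private static String stars(int n) { return "*".repeat(Math.max(n, 0)); }

    // Phone: keep the first 3 and last 4 digits, hide the middle.
    public static String phone(String v) {
        if (v == null || v.length() < 8) return stars(v == null ? 0 : v.length());
        return v.substring(0, 3) + stars(v.length() - 7) + v.substring(v.length() - 4);
    }

    // Email: hide the local part except its first character, keep the domain.
    public static String email(String v) {
        int at = v == null ? -1 : v.indexOf('@');
        if (at <= 0) return v == null ? "" : stars(v.length());
        return v.charAt(0) + stars(at - 1) + v.substring(at);
    }

    // ID card: hide the 8-digit birth date and the last 4 characters,
    // leaving only the 6-digit region prefix.
    public static String idCard(String v) {
        if (v == null || v.length() != 18) return stars(v == null ? 0 : v.length());
        return v.substring(0, 6) + stars(12);
    }

    // Bank card: only the last 4 digits stay visible.
    public static String bankCard(String v) {
        if (v == null || v.length() < 4) return stars(v == null ? 0 : v.length());
        return stars(v.length() - 4) + v.substring(v.length() - 4);
    }

    // Name: keep the surname (first character), hide the rest.
    public static String name(String v) {
        if (v == null || v.isEmpty()) return "";
        return v.charAt(0) + stars(v.length() - 1);
    }

    // Password: fixed-width output so not even the length leaks.
    public static String password(String v) { return "******"; }

    public static void main(String[] args) {
        // Constructed sample values, not real personal data.
        System.out.println(phone("13812345678"));
        System.out.println(email("zhangsan@example.com"));
        System.out.println(idCard("110101199001011234"));
        System.out.println(bankCard("6222021234567890"));
        System.out.println(name("张三丰"));
        System.out.println(password("hunter2"));
    }
}
```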

4.2 Transport and Storage Security

| Configuration | Description |
|---|---|
| HTTPS Enforced | Site-wide HTTPS, HTTP auto-redirect |
| TLS Version | TLS 1.3 (compatible with TLS 1.2) |
| HSTS | Enforce HTTPS usage |
| Database Encryption | AES encryption for sensitive fields |

5. Audit Trail

5.1 Audit Event Collection

graph TB
  subgraph "Audit Event Collection"
    A1["Login Audit"]
    A2["Operation Audit"]
    A3["Permission Audit"]
    A4["Export Audit"]
    A5["Sensitive Audit"]
    A6["API Audit"]
  end
  subgraph "Audit Processing"
    B1["Event Parsing"]
    B2["Risk Scoring"]
    B3["Rule Matching"]
  end
  subgraph "Audit Storage"
    C1["Hot Data"]
    C2["Cold Data"]
    C3["Blockchain"]
  end
  A1 --> B1
  A2 --> B1
  A3 --> B1
  A4 --> B1
  A5 --> B1
  A6 --> B1
  B1 --> B2
  B2 --> B3
  B3 --> C1
  B3 --> C2
  B3 --> C3

5.2 Blockchain Hash Chain

graph TB
  subgraph "Genesis Block"
    A1["blockHash = SHA256"]
    A2["genesisData"]
  end
  subgraph "Block N"
    B1["blockHash = SHA256"]
    B2["previousHash"]
    B3["merkleRoot"]
    B4["signature"]
  end
  subgraph "Block N+1"
    C1["blockHash = SHA256"]
    C2["previousHash = Block N hash"]
    C3["merkleRoot"]
    C4["signature"]
  end
  A1 --> B2
  B1 --> C2
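How the previousHash link lets an auditor detect a rewritten log: an added example written for this page, not the RuoYiPlus attestation code. The page does not show the real block layout, so this assumes merkleRoot is simply the SHA-256 of one block's audit payload, omits the signature, and needs Java 17 for `HexFormat`.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.ArrayList;
import java.util.HexFormat;
import java.util.List;

// Hypothetical hash-chain verifier (not RuoYiPlus code). Each block commits to
// its own payload (merkleRoot) and to the previous block's hash.
public class AuditHashChain {
    public record Block(int index, String previousHash, String merkleRoot, String blockHash) {}

    static String sha256(String s) throws Exception {
        byte[] d = MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
        return HexFormat.of().formatHex(d);
    }

    // blockHash = SHA256(index || previousHash || merkleRoot)
    static Block mint(int index, String previousHash, String payload) throws Exception {
        String root = sha256(payload);
        return new Block(index, previousHash, root, sha256(index + previousHash + root));
    }

    // Recompute every hash from the stored payloads and check each back-link.
    // Returns the index of the first inconsistent block, or -1 if the chain is intact.
    static int firstBrokenBlock(List<Block> chain, List<String> payloads) throws Exception {
        for (int i = 0; i < chain.size(); i++) {
            Block b = chain.get(i);
            String expectedPrev = i == 0 ? "0".repeat(64) : chain.get(i - 1).blockHash();
            if (!b.previousHash().equals(expectedPrev)) return i;
            if (!b.merkleRoot().equals(sha256(payloads.get(i)))) return i;
            if (!b.blockHash().equals(sha256(b.index() + b.previousHash() + b.merkleRoot()))) return i;
        }
        return -1;
    }

    public static void main(String[] args) throws Exception {
        // Constructed audit payloads, not real log data.
        List<String> logs = new ArrayList<>(List.of("login admin 10.0.0.5", "export users 120 rows", "role grant u42 manager"));
        List<Block> chain = new ArrayList<>();
        String prev = "0".repeat(64);
        for (int i = 0; i < logs.size(); i++) { chain.add(mint(i, prev, logs.get(i))); prev = chain.get(i).blockHash(); }
        System.out.println("intact chain, first broken block = " + firstBrokenBlock(chain, logs));
        logs.set(1, "export users 1 rows");  // edit the stored log after attestation
        System.out.println("tampered chain, first broken block = " + firstBrokenBlock(chain, logs));
    }
}
```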

6. Compliance Support

6.1 Level 3 Information Security Protection Coverage

graph LR
  A["Level 3 Protection Requirements"] --> B["Identity Verification"]
  A --> C["Access Control"]
  A --> D["Security Audit"]
  A --> E["Data Integrity"]
  A --> F["Data Confidentiality"]
  A --> G["Backup & Recovery"]
  B --> H["MFA/SSO"]
  C --> I["RBAC/Data Permissions"]
  D --> J["Audit Center"]
  E --> K["Blockchain Hash Chain"]
  F --> L["Encryption & Masking"]
  G --> M["Data Backup Solution"]

| Protection Requirement | Implementation | Coverage |
|---|---|---|
| Identity Verification | MFA/SSO | ✅ Complete |
| Access Control | RBAC/Data Permissions | ✅ Complete |
| Security Audit | Audit Center | ✅ Complete |
| Data Integrity | Blockchain Hash Chain | ✅ Complete |
| Data Confidentiality | Encryption & Masking | ✅ Complete |
| Backup & Recovery | Data Backup Solution | ✅ Complete |

7. Security Monitoring

7.1 Real-Time Risk Monitoring

graph TB
  subgraph "Risk Monitoring"
    A1["Remote Login"]
    A2["Brute Force"]
    A3["Abnormal Query"]
    A4["Batch Export"]
    A5["Permission Abuse"]
  end
  subgraph "Risk Assessment"
    B["Risk Engine"]
  end
  subgraph "Response Actions"
    C1["SMS Alert"]
    C2["Account Freeze"]
    C3["Log Marking"]
    C4["Require Approval"]
    C5["Real-Time Alert"]
  end
  A1 --> B
  A2 --> B
  A3 --> B
  A4 --> B
  A5 --> B
  B --> C1
  B --> C2
  B --> C3
  B --> C4
  B --> C5

| Monitoring Item | Risk Threshold | Response Action |
|---|---|---|
| Remote Login | Login from new city | SMS alert |
| Brute Force | >10 failures in 5 min | Account freeze |
| Abnormal Query | >100 queries/min per user | Log marking |
| Batch Export | >50 records/min | Require approval |
| Permission Abuse | Core data access during off-hours | Real-time alert |
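The three count-based thresholds in the table (brute force, abnormal query, batch export) evaluated with a per-user sliding window. This is an added example for this page, not the RuoYiPlus risk engine; the event names, the `observe` method and the constructed timestamps are assumptions, and the remote-login and off-hours rules are left out because they need location and schedule data the page does not describe.

```java
import java.time.Duration;
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

// Hypothetical sliding-window threshold checker (not RuoYiPlus code).
public class RiskThresholds {
    public enum Event { LOGIN_FAILED, QUERY, EXPORT }
    public record Rule(Event event, int maxCount, Duration window, String action) {}

    static final List<Rule> RULES = List.of(
        new Rule(Event.LOGIN_FAILED, 10, Duration.ofMinutes(5), "Account freeze"),
        new Rule(Event.QUERY, 100, Duration.ofMinutes(1), "Log marking"),
        new Rule(Event.EXPORT, 50, Duration.ofMinutes(1), "Require approval"));

    // Per (user, event): timestamps in epoch seconds still inside the window.
    private final Map<String, Deque<Long>> windows = new HashMap<>();

    // Records one event; for EXPORT, weight is the number of records exported.
    // Returns the response action once the threshold is exceeded, else null.
    public String observe(String user, Event event, long epochSeconds, int weight) {
        Rule rule = RULES.stream().filter(r -> r.event() == event).findFirst().orElseThrow();
        Deque<Long> q = windows.computeIfAbsent(user + "|" + event, k -> new ArrayDeque<>());
        for (int i = 0; i < weight; i++) q.addLast(epochSeconds);
        long cutoff = epochSeconds - rule.window().toSeconds();
        while (!q.isEmpty() && q.peekFirst() < cutoff) q.pollFirst();  // expire entries outside the window
        return q.size() > rule.maxCount() ? rule.action() : null;
    }

    public static void main(String[] args) {
        RiskThresholds engine = new RiskThresholds();
        String act = null;
        // Constructed events, not real logs: 11 failures 20 s apart, all inside 5 minutes.
        for (int i = 0; i < 11; i++) act = engine.observe("alice", Event.LOGIN_FAILED, 1000 + 20L * i, 1);
        System.out.println("alice: " + act);
        // 11 failures 60 s apart: at most 6 ever share a 5-minute window, so the rule stays quiet.
        for (int i = 0; i < 11; i++) act = engine.observe("bob", Event.LOGIN_FAILED, 1000 + 60L * i, 1);
        System.out.println("bob: " + act);
        // One export of 60 records crosses the 50-per-minute threshold in a single call.
        System.out.println("carol: " + engine.observe("carol", Event.EXPORT, 5000, 60));
    }
}
```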

8. Security Configuration Checklist

| Configuration | Recommended Value | Description |
|---|---|---|
| Min Password Length | 12 characters | Strong password policy |
| Password Expiry | 90 days | Enforce periodic changes |
| Login Failure Lockout | 5 attempts | Brute force prevention |
| MFA | Enforced | Must be enabled for admins |
| HTTPS | Enforced | Site-wide encryption |
| Log Retention | 1 year | Compliance requirement |
| Session Timeout | 30 minutes | Auto logout |
| API Rate Limit | 100 QPS | DDoS prevention |

Security Capability Overview

graph TB
  subgraph "Defense-in-Depth Security"
    L1["🔐 Identity Authentication Layer<br/>MFA + SSO + Password Policy"]
    L2["🛡️ Access Control Layer<br/>RBAC + Data Permissions + API Permissions"]
    L3["🔒 Data Security Layer<br/>Masking + Encryption + Tamper Prevention"]
    L4["📋 Audit Trail Layer<br/>Full-Chain Audit + Blockchain Attestation"]
    L5["🚨 Security Monitoring Layer<br/>Real-Time Risk Monitoring + Auto Response"]
  end
  L1 --> L2
  L2 --> L3
  L3 --> L4
  L4 --> L5