Summary of knowledge points of single sign-on system

single sign-on system

The core problem single sign-on solves is: the user logs in once at one site, and all the other sites of the same family can then be accessed with that one login.


Single sign-on business process


1. The user enters a username and password on the login page.

2. The server determines whether the username and password are correct.

3. After a successful login, a token is generated with a uuid; this token takes over the role that the jsessionid used to play.

4. The user information is saved in redis, with the token as the key and the user object converted to json as the value.

5. An expiration time is set on the key to simulate the expiration time of the session, generally half an hour.

6. The token is written to a cookie. The cookie must be bound to the second-level domain name so that it is shared across the sub-domains (this is the cross-domain part).

7. The token and the successful login result are returned to the browser.

8. The browser pops up a "login successful" prompt box; when the user clicks OK, the page jumps to the home page.

9. While the home page renders, it sends an ajax request to the single sign-on system; the server looks up the user information by the token and returns it, and the browser extracts the user name of the currently logged-in user from the returned information and displays it on the home page. (There is a js cross-domain problem here; it is solved with jsonp.)


Now suppose I want to access the order system. Before the order confirmation page is displayed, the user's identity must be authenticated, so the user is required to log in. This is implemented with a springmvc interceptor, which means implementing the HandlerInterceptor interface.

The business process is as follows:


1. Get the token from the cookie.

2. If the token is empty, the user is not logged in and must be redirected to the login page. When redirecting, pass the url of the current page as a parameter so that the user can be sent back to the current system after the login succeeds.

3. If the token is not empty, call the service of the single sign-on system and check whether user information exists for that token.

    If it does not exist, the user's login has expired and the user must be redirected to the login page to log in again. As above, pass the url of the current page as a parameter so that the user can be sent back to the current system after the login succeeds.

    If it exists, the user is logged in: query the order information by the id of the current user and return the result data to the browser.


-----------------------------------------------------------------------------------------------------------------

In a cluster environment, if the Session is used to store the user's login information, the user may be asked to log in repeatedly, because each request can land on a different server node that holds no copy of that session.

One way to solve this is session replication, but session replication limits the number of server nodes in the cluster: once there are too many servers, the performance of the cluster falls off sharply (parabolically) as the node count grows.

So instead we consider a dedicated session server that manages all sessions in one place, which removes the limit on the number of nodes in the cluster. This dedicated session server is the single sign-on system.

The single sign-on system uses redis to simulate the Session and thereby manages sessions centrally.


The business process of single sign-on is as follows:

1. The user logs in on the login page. If the login verification fails, the user is returned to the login page to try again.

2. After a successful login, the server randomly generates a string called the token (equivalent to the jsessionid) with a uuid and uses it as the key; the object holding the current user's information is converted to a json string and used as the value. The pair is stored in the Redis cache database as a key-value pair.

3. An expiration time is set on the key, generally half an hour.

4. The token string is written into a cookie and returned to the browser. In the same response the server generally also sends a redirect so that the page jumps to the home page.

5. After the page jumps to the home page, there is one more requirement: the user name of the currently logged-in user should be displayed on the home page. To do this, once the home page has loaded it sends an ajax request to the single sign-on system, carrying the cookie.

6. When the single sign-on system receives the request, it takes the token string out of the cookie and looks up the matching user information in Redis. If nothing is found, the user is redirected to the login page to log in again; if it is found, the json string is converted back into a user object and returned to the browser, and the expiration time of the key is reset.

7. The browser receives the returned user object, extracts the user name from it, and embeds it in the designated position on the home page. Note: there is a cross-domain access problem in this step.
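The login flow above (token minted from a uuid, user stored as json in redis under the token, half-hour expiry reset on each hit) together with the order system's interceptor check described earlier, as an added example that is not part of the original post. FakeRedis, SsoService, the user table and the "redirect" parameter name are assumptions made for the example; the cookie itself is not modelled.

```python
import hmac
import json
import uuid
from urllib.parse import quote

SESSION_TTL_SECONDS = 30 * 60  # the "half an hour" session expiry from the text

class FakeRedis:
    # Offline stand-in for the redis commands the flow needs: SETEX, GET, EXPIRE.
    def __init__(self):
        self.store = {}  # key -> (value, remaining ttl in seconds)
    def setex(self, key, ttl, value):
        self.store[key] = (value, ttl)
    def get(self, key):
        value, ttl = self.store.get(key, (None, 0))
        return value if ttl > 0 else None  # an expired key behaves as if absent
    def expire(self, key, ttl):
        if self.get(key) is not None:
            self.store[key] = (self.store[key][0], ttl)

class SsoService:
    # users is a hypothetical in-memory user table: username -> (password, user_id)
    def __init__(self, redis, users):
        self.redis, self.users = redis, users

    def login(self, username, password):
        """Steps 2-5: check credentials, mint a uuid token, cache the user as json under it."""
        record = self.users.get(username)
        if record is None or not hmac.compare_digest(record[0], password):
            return None  # login failed; the caller sends the user back to the login page
        token = uuid.uuid4().hex  # takes over the role of the jsessionid
        user_json = json.dumps({"id": record[1], "username": username})
        self.redis.setex("SESSION:" + token, SESSION_TTL_SECONDS, user_json)
        return token

    def get_user_by_token(self, token):
        """Look the token up; on a hit, reset the key's expiry so an active user stays logged in."""
        user_json = self.redis.get("SESSION:" + token) if token else None
        if user_json is None:
            return None
        self.redis.expire("SESSION:" + token, SESSION_TTL_SECONDS)
        return json.loads(user_json)

def login_interceptor(sso, cookies, current_url, login_url):
    # The preHandle check of the order system: returns (allowed, redirect_url, user).
    user = sso.get_user_by_token(cookies.get("token"))
    if user is None:  # no token, or token expired: send to login with the return url
        return False, login_url + "?redirect=" + quote(current_url, safe=""), None
    return True, None, user
```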

What is a cross domain problem?

A: A request between different domain names, or between the same domain name on different port numbers, is a cross-domain request. The home page lives in the front-end system and calls the single sign-on system through an ajax request. The two systems are independent and are deployed on different Tomcat servers with different port numbers, so the request is cross-domain. The cross-domain request can be sent, and the browser does receive the user information returned by the server, but Ajax is not allowed to read the response: the browser's same-origin policy blocks it.


How to solve the problem of cross-domain access?

A: Use jsonp technology: the response is loaded as a script rather than through ajax, and its body is a call to a callback function on the page that receives the user information as its argument.
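The server side of that jsonp answer, as an added example that is not part of the original post: the single sign-on system wraps the user information in the callback named by the page, and only accepts a plain JavaScript identifier as the callback name, because the name is echoed into a script the browser executes. The lookup function, the cookie name and the status values in the payload are assumptions.

```python
import json
import re

# A JSONP callback name is echoed back into a script the browser executes, so the SSO
# system only accepts a plain JavaScript identifier (dotted names like "app.onUser" allowed).
CALLBACK_RE = re.compile(r"^[A-Za-z_$][A-Za-z0-9_$]*(\.[A-Za-z_$][A-Za-z0-9_$]*)*$")

def jsonp_response(callback, payload):
    """Wrap payload as callback(payload); returns (status, headers, body) like the servlet would."""
    if not callback or len(callback) > 64 or not CALLBACK_RE.match(callback):
        return 400, {"Content-Type": "text/plain"}, "invalid callback"
    body = callback + "(" + json.dumps(payload) + ");"
    headers = {"Content-Type": "application/javascript; charset=utf-8",
               "X-Content-Type-Options": "nosniff"}  # never let the browser sniff it as HTML
    return 200, headers, body

def user_info_handler(lookup, cookies, callback):
    """The SSO endpoint the home page calls; lookup(token) -> user dict or None (hypothetical)."""
    user = lookup(cookies.get("token"))
    payload = {"status": 200, "data": user} if user else {"status": 401, "data": None}
    return jsonp_response(callback, payload)
```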


So far, the login is successful!


Origin http://43.154.161.224:23101/article/api/json?id=326049901&siteId=291194637