First, single sign-on introduction
Single sign-on (Single Sign On), abbreviated SSO, is one of the more widely used enterprise application integration solutions. It means that across several applications a user logs in only once and is then granted access to every application that trusts that login.
Under the same domain: single sign-on makes use of how cookies are scoped. A cookie set with Domain=wangjun.com (the top-level domain) is sent by the browser to every subdomain of wangjun.com, so all applications under that domain receive the same login token.
Under different domains: what if the applications live on different domains? Cookies are not shared across domains, so the cookie trick above cannot work. That is where the CAS (Central Authentication Service) flow comes in, which is the standard single sign-on process.
Details: https://yq.aliyun.com/articles/636281
https://blog.csdn.net/qq_34246546/article/details/79493208
Second, single sign-on under the same domain: sessionID + cookie + redis
1. Cookie utility class
```java
package com.mmall.util;

import lombok.extern.slf4j.Slf4j;
import org.apache.commons.lang3.StringUtils;

import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Cookie utility class
 */
@Slf4j
public class CookieUtil {

    private static final String COOKIE_DOMAIN = "wangjun.com";       // top-level domain shared by all subdomains
    private static final String COOKIE_NAME = "mmall_login_token";   // cookie name

    /**
     * Read the login token cookie from the request
     * @param request
     * @return the token value, or null if the cookie is absent
     */
    public static String readLoginToken(HttpServletRequest request) {
        Cookie[] cks = request.getCookies();
        if (cks != null) {
            for (Cookie cookie : cks) {
                // Note: logging the cookie value writes the session id into the logs; avoid this in production
                log.info("read cookieName:{}, cookieValue:{}", cookie.getName(), cookie.getValue());
                if (StringUtils.equals(cookie.getName(), COOKIE_NAME)) {
                    log.info("return cookieName:{}, cookieValue:{}", cookie.getName(), cookie.getValue());
                    return cookie.getValue();
                }
            }
        }
        return null;
    }

    /**
     * Write the login token cookie
     * @param response
     * @param token
     */
    public static void writeLoginToken(HttpServletResponse response, String token) {
        Cookie cookie = new Cookie(COOKIE_NAME, token);
        cookie.setDomain(COOKIE_DOMAIN);
        cookie.setPath("/");          // root path: every page under the domain can read the cookie
        cookie.setHttpOnly(true);     // scripts cannot read the cookie; not a complete defence, but it raises the bar
        // maxAge is in seconds. Without it the cookie is kept only in memory (a session cookie),
        // valid until the browser is closed; with it the cookie is persisted to disk.
        cookie.setMaxAge(60 * 365 * 24 * 60);   // one year
        log.info("write cookieName:{}, cookieValue:{}", cookie.getName(), cookie.getValue());
        response.addCookie(cookie);
    }

    /**
     * Delete the login token cookie
     * @param request
     * @param response
     */
    public static void delLoginToken(HttpServletRequest request, HttpServletResponse response) {
        Cookie[] cks = request.getCookies();
        if (cks != null) {
            for (Cookie cookie : cks) {
                if (StringUtils.equals(cookie.getName(), COOKIE_NAME)) {
                    // domain and path must match the cookie that was written, otherwise the browser keeps the original
                    cookie.setDomain(COOKIE_DOMAIN);
                    cookie.setPath("/");
                    cookie.setHttpOnly(true);
                    cookie.setMaxAge(0);      // 0 tells the browser to remove the cookie
                    log.info("del cookieName:{}, cookieValue:{}", cookie.getName(), cookie.getValue());
                    response.addCookie(cookie);
                    return;
                }
            }
        }
    }
}
```
2. Redis related content
(1) Redis cluster: https://www.cnblogs.com/FondWang/p/11690791.html
(2) Standalone redis: https://www.cnblogs.com/FondWang/p/11681222.html
3. JSON object conversion
Purpose: convert the login information to JSON and store it in redis.
https://www.cnblogs.com/FondWang/p/11703197.html
4. Login code
```java
import com.mmall.util.CookieUtil;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.ResponseBody;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// ServiceResponse, User, IUserService, RedisShardedPoolUtil, JsonUtil and Const are the project's own classes

@Controller
@RequestMapping("/user/")
public class UserController {

    @Autowired
    private IUserService iUserService;

    /**
     * User login
     * @param username
     * @param password
     * @param session
     * @return
     */
    @RequestMapping(value = "login.do", method = RequestMethod.POST)
    @ResponseBody
    public ServiceResponse<User> login(String username, String password, HttpSession session,
                                       HttpServletResponse httpServletResponse) {
        ServiceResponse<User> response = iUserService.login(username, password);
        if (response.isSuccess()) {
            // the servlet session id becomes the SSO token carried by the top-domain cookie
            CookieUtil.writeLoginToken(httpServletResponse, session.getId());
            // store the user as JSON in redis under the session id, with an expiry time
            RedisShardedPoolUtil.setEx(session.getId(), JsonUtil.obj2String(response.getData()),
                    Const.RedisCacheExtime.REDIS_SESSION_EXTIME);
        }
        return response;
    }

    /**
     * Logout: delete the session
     * @param httpServletRequest
     * @return
     */
    @RequestMapping(value = "logout.do", method = RequestMethod.POST)
    @ResponseBody
    public ServiceResponse<String> logout(HttpServletRequest httpServletRequest,
                                          HttpServletResponse httpServletResponse) {
        // read the session id from the cookie; if present, delete it on logout
        String loginToken = CookieUtil.readLoginToken(httpServletRequest);
        // remove the cookie that carries the token
        CookieUtil.delLoginToken(httpServletRequest, httpServletResponse);
        // remove the user information stored in redis under that token (guard against a request without the cookie)
        if (loginToken != null) {
            RedisShardedPoolUtil.del(loginToken);
        }
        return ServiceResponse.createBySuccess("signed out");
    }
}
```
Because the cookie value is the raw session id and any application under wangjun.com treats whoever presents it as the logged-in user, the token must stay out of logs and be sent only over HTTPS; note also that this login handler reuses the session id that existed before authentication rather than issuing a fresh one.
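The same-domain flow above, from the cookie scoped to the top domain in CookieUtil to the session id stored in redis by UserController, as an added end-to-end simulation; this is not code from the original post. It is written in Python so it runs without a servlet container: an in-memory class stands in for redis, the browser's cookie jar implements RFC 6265 domain matching, and the host names shop.wangjun.com, admin.wangjun.com and evilwangjun.com, the credentials and the 30-minute TTL are assumptions. It also shows why the different-domain case needs a separate mechanism: the cookie is never presented to a host outside wangjun.com, and because the match is on a label boundary, a look-alike host such as evilwangjun.com does not receive it either.

```python
import json
import secrets
import time

# Added example, not the project's code. Constants mirror CookieUtil; the TTL,
# credentials and host names are assumptions made for the demonstration.
COOKIE_DOMAIN = "wangjun.com"        # COOKIE_DOMAIN in CookieUtil
COOKIE_NAME = "mmall_login_token"    # COOKIE_NAME in CookieUtil
SESSION_TTL = 60 * 30                # assumed value of REDIS_SESSION_EXTIME, in seconds


def domain_matches(request_host, cookie_domain):
    """RFC 6265 domain matching: the host equals the cookie's Domain or is a
    subdomain of it (label boundary, so evilwangjun.com does not match)."""
    host = request_host.lower().rstrip(".")
    domain = cookie_domain.lower().lstrip(".")
    return host == domain or host.endswith("." + domain)


class FakeRedis:
    """In-memory stand-in for the three redis calls the controller relies on."""

    def __init__(self):
        self._data = {}  # key -> (value, absolute expiry time)

    def setex(self, key, ttl, value):
        self._data[key] = (value, time.time() + ttl)

    def get(self, key):
        entry = self._data.get(key)
        if entry is None:
            return None
        value, expires = entry
        if time.time() >= expires:      # expired keys behave as absent, like setEx keys in redis
            del self._data[key]
            return None
        return value

    def delete(self, key):
        return self._data.pop(key, None) is not None


class Browser:
    """Cookie jar that presents a cookie only to hosts matching its Domain attribute."""

    def __init__(self):
        self.jar = {}  # (domain, name) -> value

    def store(self, name, value, domain, max_age=None):
        if max_age == 0:                # setMaxAge(0): the browser removes the cookie
            self.jar.pop((domain, name), None)
        else:
            self.jar[(domain, name)] = value

    def cookies_for(self, host):
        return {n: v for (d, n), v in self.jar.items() if domain_matches(host, d)}


def login(redis, browser, username, password):
    """Mirrors UserController.login: on success, write the session id as the
    top-domain cookie and store the user as JSON in redis under that id."""
    if (username, password) != ("alice", "correct horse"):   # constructed credential check
        return None
    session_id = secrets.token_urlsafe(24)                    # stands in for session.getId()
    browser.store(COOKIE_NAME, session_id, COOKIE_DOMAIN)
    redis.setex(session_id, SESSION_TTL, json.dumps({"username": username}))
    return session_id


def current_user(redis, browser, host):
    """Per-request check any app under the top domain performs: cookie -> redis -> user."""
    token = browser.cookies_for(host).get(COOKIE_NAME)
    raw = redis.get(token) if token is not None else None
    return json.loads(raw) if raw is not None else None


def logout(redis, browser, host):
    """Mirrors UserController.logout: expire the cookie and delete the redis
    entry, tolerating a request that carries no token at all."""
    token = browser.cookies_for(host).get(COOKIE_NAME)
    browser.store(COOKIE_NAME, "", COOKIE_DOMAIN, max_age=0)
    if token is not None:
        redis.delete(token)


def demo():
    """Log in at one subdomain, then check who each host sees before and after logout."""
    redis, browser = FakeRedis(), Browser()
    login(redis, browser, "alice", "correct horse")
    seen = {
        "shop": current_user(redis, browser, "shop.wangjun.com"),
        "admin": current_user(redis, browser, "admin.wangjun.com"),
        "foreign": current_user(redis, browser, "evilwangjun.com"),
    }
    logout(redis, browser, "shop.wangjun.com")
    seen["after_logout"] = current_user(redis, browser, "admin.wangjun.com")
    return seen
```

Running `demo()` returns the user for both wangjun.com subdomains, `None` for the foreign host, and `None` everywhere after logging out at any one of them, because logout deletes the single shared redis entry rather than anything local to the application.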
Third, single sign-on under different domains
To be updated.