This section describes single sign-on (SSO) services.
Early single-server user authentication
Cons: the single server is a performance bottleneck and cannot scale horizontally.
Web application cluster in session-sharing mode
Solves the single-point performance bottleneck.
Problems:
- Each distributed service manages its own data independently, so it is not suited to maintaining one shared session in a unified way.
- Distributed services are split by business function; users and authentication should be decoupled from the business services and managed centrally.
- The JSESSIONID carried in the cookie is a bare identifier: it is easy to steal and replay, and the service cannot verify it on its own.
- The session cookie cannot be shared across different top-level domains.
Distributed, single sign-on (SSO) mode
Solution:
User identity information is managed independently, which suits distributed deployment better.
The security policy can be extended as needed.
Cross-domain access is not a problem.
Disadvantages:
The authentication server bears heavy access pressure.
Business flow chart
Authentication center module (handles authentication requests)
Database table: user_info; insert a row of test data. Passwords must never be stored in clear text.
These notes use MD5 + salt. Note that this is a one-way hash, not encryption: the password is never decrypted, a login attempt is verified by re-hashing the submitted password with the stored salt and comparing the result. Also note that salted MD5 is fast enough to brute-force offline, so a deliberately slow password hash (bcrypt, scrypt, Argon2 or PBKDF2) is the better choice today.
The login function
Business:
- Check the submitted username and password against the database.
- Write the user information into Redis with an expiry; a user whose entry exists in Redis is considered logged in.
- Generate a token from the current user's userId, the login IP address and the server key.
- Redirect the user back to the original source address with the token appended as a query parameter.
To generate the token
JWT tools
JWT (JSON Web Token, RFC 7519) is an open JSON-based standard for passing claims between parties in a web application environment.
JWT claims are typically used to carry the authenticated user's identity from the identity provider to the service provider, so that the service can fetch resources from the resource server on the user's behalf, for example after user login.
The most important property of a JWT is that it cannot be forged: the signature lets the recipient detect any tampering with the token.
The principle of JWT
A JWT consists of three parts: the header, the payload and the signature. Each part is Base64url-encoded and the three are joined with dots: header.payload.signature.
Header
Configuration parameters of the JWT, such as the signature algorithm (alg) and the token type (typ).
Payload
The claims: user-defined content encapsulated according to actual needs, plus standard claims such as the expiration time (exp).
Signature
Computed over header.payload with the server's secret key (for HS256, an HMAC-SHA256). To check whether a JWT is genuine, the server recomputes the signature with its own key and compares it with the one in the token. Anyone can hold and read the token, but nobody can produce a valid signature without the key.
In these notes the client's login IP is mixed into the signing key (roughly, key = server secret + IP), so a token stolen from one address fails verification when presented from another.
Base64 is encoding, not encryption: it only turns readable text into an opaque-looking string, and any tool can decode it back to plain text. Do not put sensitive information in the payload, because a JWT is signed, not encrypted.
Validation function
When a page of a business module needs to know whether the current user is logged in, it submits the token to the authentication center for verification; the center returns the login status, the userId and the user's nickname.
Business:
- Verify the token with the server key and the client IP, and extract the userId from it.
- Check whether Redis holds user information for that userId; if so, extend its expiry time.
- Return the login status.
- The business module acts on the returned login status.
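The following is an added example, not code from the page or the gmall project. It serves both the JWT section above and the login/validation flow: a hand-rolled HS256 JWT (header.payload.signature, Base64url, HMAC-SHA256, IP folded into the signing key), the login step that writes the Redis entry and redirects with `?token=`, and the verify step that business modules call. `SERVER_KEY`, `SESSION_TTL`, the `USERS` sample data and the `SESSION_STORE` dict standing in for Redis are all assumptions; the salted SHA-256 password check is a simplified stand-in for the database lookup.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, Optional

# Added example (not the gmall project's code). SERVER_KEY is the server-side
# secret, USERS stands in for the user_info table, SESSION_STORE stands in for
# Redis keys with a TTL. All values are constructed sample data.
SERVER_KEY = b"replace-with-a-long-random-server-secret"
SESSION_TTL = 1800                    # seconds a Redis login entry lives (assumed)
SESSION_STORE: Dict[str, int] = {}    # userId -> expiry (epoch seconds)
USERS = {
    "alice": {"userId": "u1001", "nickName": "Alice", "salt": "9f3c",
              "pwHash": hashlib.sha256(b"9f3c" + b"alice-pw").hexdigest()},
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _signing_key(client_ip: str) -> bytes:
    # The notes fold the login IP into the key; derive a per-IP key from the
    # server secret so a token stolen from another address fails to verify.
    return hmac.new(SERVER_KEY, client_ip.encode(), hashlib.sha256).digest()


def create_jwt(claims: dict, client_ip: str, ttl: int = 3600) -> str:
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({**claims, "exp": int(time.time()) + ttl}).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = hmac.new(_signing_key(client_ip), signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token: str, client_ip: str, now: Optional[int] = None) -> Optional[dict]:
    """Return the claims if signature and expiry check out, else None."""
    try:
        h64, p64, s64 = token.split(".")
        header = json.loads(_b64url_decode(h64))
        payload = json.loads(_b64url_decode(p64))
        signature = _b64url_decode(s64)
    except ValueError:                 # bad structure, Base64 or JSON
        return None
    if not isinstance(header, dict) or not isinstance(payload, dict):
        return None
    if header.get("alg") != "HS256":   # pin the algorithm; never trust "alg" from the token
        return None
    expected = hmac.new(_signing_key(client_ip), f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    if payload.get("exp", 0) <= (now if now is not None else int(time.time())):
        return None
    return payload


def read_payload_without_key(token: str) -> dict:
    # Base64url is encoding, not encryption: the claims are readable by anyone.
    return json.loads(_b64url_decode(token.split(".")[1]))


def login(username: str, password: str, client_ip: str, return_url: str) -> Optional[str]:
    """Check credentials, mark the user logged in, return the redirect URL."""
    user = USERS.get(username)
    if user is None:
        return None
    candidate = hashlib.sha256(user["salt"].encode() + password.encode()).hexdigest()
    if not hmac.compare_digest(candidate, user["pwHash"]):
        return None
    SESSION_STORE[user["userId"]] = int(time.time()) + SESSION_TTL
    token = create_jwt({"userId": user["userId"], "nickName": user["nickName"]}, client_ip)
    sep = "&" if "?" in return_url else "?"
    return f"{return_url}{sep}token={token}"


def verify(token: str, client_ip: str) -> dict:
    """The authentication center's verify endpoint, as called by business modules."""
    claims = verify_jwt(token, client_ip)
    if claims is None:
        return {"status": "fail"}
    now = int(time.time())
    expiry = SESSION_STORE.get(claims["userId"])
    if expiry is None or expiry <= now:      # logged out or Redis entry expired
        SESSION_STORE.pop(claims["userId"], None)
        return {"status": "fail"}
    SESSION_STORE[claims["userId"]] = now + SESSION_TTL   # refresh the Redis TTL
    return {"status": "success", "userId": claims["userId"], "nickName": claims["nickName"]}
```

Two points worth noticing when running it: a token with a rewritten payload but the original signature is rejected even though its claims decode fine, and deleting the Redis entry (logout) invalidates the token before its exp is reached, which is why the verify step checks Redis and not only the signature.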
Questions:
1. Where is the token issued by the authentication center kept?
2. Does every module have to implement token saving?
3. How do we distinguish requests that require login? With an interceptor.
After a successful login, write the token into a cookie.
Add an interceptor
This check is needed by every web module, and every controller method must be checked before it runs, so use the interceptor feature of SpringMVC.
Because several web modules are deployed in a distributed way, the interceptor should not be written in a single web module but in a shared web utility module, gmall-web-util.
Check whether login verification is needed
To make tagging controller methods easier for programmers, use a custom annotation.
For example, if a controller method requires a logged-in user, add a custom @LoginRequired annotation to the method.
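The following is an added example, not the gmall-web-util code: the interceptor and @LoginRequired annotation modelled in Python as a decorator plus a pre-handle check. `auth_verify` stands in for the HTTP call to the authentication center's verify endpoint, `AUTH_LOGIN_URL`, `cart_page`, `home_page` and the request dict shape are assumptions. It also covers the step "after a successful login, write the token into a cookie": when the token arrives as the `?token=` parameter of the redirect back, it is written to a cookie for later requests.

```python
from typing import Callable, Optional
from urllib.parse import quote

# Added example (not the gmall project's code). AUTH_LOGIN_URL is an assumed
# address; auth_verify stands in for the authentication center's verify call
# and returns None or a dict with userId and nickName.
AUTH_LOGIN_URL = "http://auth.example/login"


def login_required(handler: Callable) -> Callable:
    """Marks a controller method as needing a logged-in user (the annotation)."""
    handler._login_required = True
    return handler


class LoginInterceptor:
    def __init__(self, auth_verify: Callable[[str, str], Optional[dict]]):
        self.auth_verify = auth_verify

    def pre_handle(self, request: dict, handler: Callable) -> Optional[dict]:
        """Return None to let the controller run, or a response that ends the request."""
        # The token arrives either in the cookie (normal case) or as the
        # ?token= parameter right after the auth center redirected back.
        token = request["params"].get("token") or request["cookies"].get("token")
        user = self.auth_verify(token, request["remote_ip"]) if token else None
        if user is not None:
            request["user"] = user           # every page may show the nickname
            if "token" in request["params"]:
                request.setdefault("set_cookie", {})["token"] = token
        if getattr(handler, "_login_required", False) and user is None:
            return_url = quote(request["url"], safe="")
            return {"status": 302, "location": f"{AUTH_LOGIN_URL}?returnUrl={return_url}"}
        return None


def dispatch(interceptor: LoginInterceptor, request: dict, handler: Callable) -> dict:
    """Mimics the dispatcher: interceptor first, then the controller method."""
    response = interceptor.pre_handle(request, handler)
    if response is None:
        response = handler(request)
    if "set_cookie" in request:
        response["set_cookie"] = request["set_cookie"]
    return response


@login_required
def cart_page(request: dict) -> dict:
    return {"status": 200, "body": f"cart of {request['user']['nickName']}"}


def home_page(request: dict) -> dict:
    # No annotation: works for guests, but shows the name when logged in.
    name = request.get("user", {}).get("nickName", "guest")
    return {"status": 200, "body": f"welcome, {name}"}


def make_request(url: str, remote_ip: str, cookies=None, params=None) -> dict:
    return {"url": url, "remote_ip": remote_ip, "cookies": cookies or {}, "params": params or {}}
```

The interceptor verifies on every request, annotated or not, so that unannotated pages can still greet a logged-in user; only the annotated ones redirect to the login page with the original URL as returnUrl when verification fails.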
CAS
Central Authentication Service (CAS) is a single sign-on (SSO) system originally developed at Yale University. It is widely used, platform-independent, easy to understand and supports proxy authentication. CAS has been deployed at many universities, including Yale University, the University of California, the University of Cambridge and the Hong Kong University of Science and Technology.
CAS design objectives
(1) Provide a single sign-on infrastructure for multiple web applications, and single sign-on for non-web applications that have a web front end;
(2) Simplify the user authentication process;
(3) Centralizing user authentication in a single web application lets users simplify their password management, which improves security; and when the business logic of authentication needs to change, the code does not have to be changed in every application.