Concept

Single sign-on (SSO) means the user authenticates once. After logging in to the authentication server a single time, the user can access the other systems and applications that belong to the single sign-on system without logging in again. This reduces the time spent on logins and simplifies user management, and it is a popular login method today.

Business scenario

The user should log in only once and then be able to reach the other systems that require authentication without logging in again. If each server kept its own login state in its own session, the user would inevitably be asked to log in again and again.

Single sign-on implementation policy

Steps:

1. When the user enters the user name and password, the data is sent to the JT-Web server for the login operation.

2. The JT-Web server passes the data to the JT-SSO server for verification.

3. JT-SSO checks whether the user name and password are valid.

4. If the user name and password are correct, the processed user data is saved to Redis with the key = UUID (the ticket) and the value = "userJSON".

5. If the write to Redis succeeds, the user's login credential (the ticket) is returned to the client.

6. The JT-Web server saves the TICKET in a cookie on the client for use on the next request, and the cookie is shared by the other systems that need it.

Cookie

Because the login state cannot be kept in one server's session, the cookie is the key to the single sign-on implementation.

Concept

  1. A cookie is data generated during a session and saved on the client side; cookies are a client-side technology.
  2. Cookies work through two headers: the Set-Cookie response header and the Cookie request header.
  3. The server sends the cookie to the browser in the Set-Cookie response header, and the browser stores it. Once the browser has stored the cookie, every later visit to that server carries the cookie back in the Cookie request header. When needed, the server reads the cookie data from the request to implement some function.

Cookie API

1. Create a Cookie object

```java
// To create a cookie, specify its name and its value.
Cookie c = new Cookie(String name, String value);
```

2. Add the Cookie to the response

```java
// The server sends the cookie to the browser in the response and the browser stores it
// (this method can be called several times to add more than one cookie).
response.addCookie(Cookie c);
```

3. Get an array of all Cookie objects in the request

```java
// Returns an array of the Cookie objects in the request.
// If the request carries no cookies, this method returns null.
Cookie[] cs = request.getCookies();
```

4. Delete a Cookie

The Cookie API provides no method that deletes a cookie directly, but a cookie can be deleted indirectly. To delete a cookie named “cart”, send the browser a cookie with the same name (“cart”) whose maximum lifetime is zero. The browser distinguishes cookies by name, so when two cookies with the same name are sent one after the other, the later one overwrites the earlier one; because the later cookie has a lifetime of zero, the browser deletes it as soon as it receives it.

```java
Cookie c = new Cookie("cart", "");
// Set the maximum lifetime of the cookie to zero
c.setMaxAge(0);
// Add the cookie to the response and send it to the browser
response.addCookie(c);
out.write("Cookie named cart was successfully deleted...");
```

5. Common methods of Cookie

```java
cookie.getName();            // get the name of the cookie
cookie.getValue();           // get the value stored in the cookie
cookie.setValue("newValue"); // set/modify the stored value (there is no setName: the name cannot be changed)
cookie.setMaxAge(seconds);   // set the maximum lifetime; if not set, the cookie is destroyed when the session ends
```

6. The setMaxAge method sets the maximum lifetime of the cookie. If it is not called, the cookie is a session-level cookie by default: its lifetime is one browser session, and it is destroyed when the browser closes and the session ends. (Session cookies are kept in the browser's memory; when the browser closes and that memory is freed, the cookie goes with it.) If setMaxAge is called, the cookie is not kept in memory but written to a file in the browser's temporary folder (that is, on the hard disk), so closing the browser and freeing its memory does not destroy it; when the browser is opened again, the cookie can still be read from the file on disk.

Example

Front controller layer

```java
/**
 * Complete the user login operation.
 * url: http://www.jt.com/user/doLogin?r=0.8989367429030823
 * parameters: username/password
 * return value: SysResult
 *
 * cookie.setMaxAge(-1);  delete the cookie when the browser session closes
 * cookie.setMaxAge(0);   delete the cookie immediately
 * cookie.setMaxAge(100); keep the cookie for 100 seconds
 *
 * cookie.setPath("/");    the cookie is sent for every path, e.g. http://www.jt.com/saveUser/xxx
 * cookie.setPath("/add"); the cookie is sent only for paths under /add
 */
@RequestMapping("/doLogin")
@ResponseBody
public SysResult doLogin(User user, HttpServletResponse response) {
    // 1. Perform the login; the ticket is empty when the credentials are wrong
    String ticket = dubboUserService.doLogin(user);
    if (StringUtils.isEmpty(ticket)) {
        return SysResult.fail();
    }
    // 2. A non-empty ticket means the login is correct: save it in a cookie
    Cookie cookie = new Cookie("JT_TICKET", ticket);
    cookie.setMaxAge(7 * 24 * 3600); // keep for 7 days, matching the Redis TTL
    cookie.setDomain("jt.com");      // share the cookie across jt.com pages
    cookie.setPath("/");             // valid for every path
    response.addCookie(cookie);
    return SysResult.success();
}
```

Backend service implementation class

```java
/**
 * 1. Hash the submitted password
 * 2. select * from user where username = ? and password = ?
 * 3. Generate a ticket and write the user JSON to Redis
 * @param user the submitted login data
 * @return the ticket, or null when the credentials are wrong
 */
@Override
public String doLogin(User user) {
    // 1. Passwords are stored as unsalted MD5 hex digests, so hash the submitted one the same way
    String password = DigestUtils.md5DigestAsHex(user.getPassword().getBytes());
    user.setPassword(password);
    // 2. Query by the non-null fields of user (username and hashed password)
    QueryWrapper<User> queryWrapper = new QueryWrapper<>(user);
    User userDB = userMapper.selectOne(queryWrapper);
    if (userDB == null) {
        return null;
    }
    // 3. userDB is not null, so the input was correct: issue a ticket
    String ticket = UUID.randomUUID().toString().replace("-", "");
    userDB.setPassword("123456 Do you believe it??"); // mask the password before caching
    String userJSON = ObjectMapperUtil.toJSON(userDB);
    jedis.setex(ticket, 7 * 24 * 60 * 60, userJSON); // Redis client field; its name is assumed here
    return ticket;
}
```

The front end (JT-Web) and the back end (JT-SSO) communicate through Dubbo using a shared public interface.
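As an added example that is not part of the original page or the JT project, a servlet filter that performs the check the other jt.com systems need after step 6 of the flow: it reads the JT_TICKET cookie, looks the ticket up in Redis, and when the ticket is no longer valid deletes the cookie the way the Cookie API section describes (same name, domain and path, maxAge 0). The class, the login page URL, the Redis address, and the use of Jedis with a Servlet 4.0 Filter are assumptions.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;
import redis.clients.jedis.Jedis;

// Hypothetical filter (not JT project code): admits a request only if its JT_TICKET cookie still maps to the userJSON doLogin wrote.
public class SsoTicketFilter implements Filter {
    static final String TICKET_COOKIE = "JT_TICKET";
    static final String COOKIE_DOMAIN = "jt.com";
    static final String LOGIN_URL = "http://www.jt.com/user/login"; // assumed login page
    private final Jedis jedis = new Jedis("localhost", 6379);       // assumed Redis address
    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String ticket = readTicket(request);
        // The cookie alone proves nothing: the ticket is valid only while Redis holds the userJSON (7-day TTL, or until logout deletes the key)
        String userJSON = (ticket == null) ? null : jedis.get(ticket);
        if (userJSON == null) {
            expireTicketCookie(response); // drop the stale cookie from the browser
            response.sendRedirect(LOGIN_URL);
            return;
        }
        request.setAttribute("userJSON", userJSON); // handlers downstream read the user here
        chain.doFilter(request, response);
    }
    // Returns the JT_TICKET value, or null when the request carries no such cookie.
    static String readTicket(HttpServletRequest request) {
        Cookie[] cookies = request.getCookies(); // null when the request has no cookies at all
        if (cookies == null) return null;
        for (Cookie c : cookies) {
            if (TICKET_COOKIE.equals(c.getName()) && !c.getValue().isEmpty()) return c.getValue();
        }
        return null;
    }
    // Logout deletes the Redis key first; expiring only the cookie would leave the ticket usable.
    void logout(String ticket, HttpServletResponse response) {
        if (ticket != null) jedis.del(ticket);
        expireTicketCookie(response);
    }
    // Deletion as the page describes it: same name, domain and path as at login, maxAge 0.
    static void expireTicketCookie(HttpServletResponse response) {
        Cookie c = new Cookie(TICKET_COOKIE, "");
        c.setMaxAge(0);
        c.setDomain(COOKIE_DOMAIN);
        c.setPath("/"); // a different path would add a second cookie instead of overwriting
        response.addCookie(c);
    }
}
```

Register the filter for the paths that require a login. Calling setHttpOnly(true) on JT_TICKET in doLogin keeps the ticket out of reach of page scripts.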