Single Sign-on (SSO) for logical sharing

Source: Internet
Author: User
Tags cas zip

Transferred from: http://www.iteye.com/topic/1137510

Enterprises run many application systems. To let an employee log in once and be recognised by the other systems, single sign-on (SSO) is used. A widely used SSO framework is CAS (Central Authentication Service), a good single sign-on framework for web applications.

Download the CAS server and client from the CAS official website:

Http://www.ja-sig.org/downloads/cas/cas-server-3.1.1-release.zip

Http://www.ja-sig.org/downloads/cas-clients/cas-client-java-2.1.1.zip

CAS itself can be studied on the official website and elsewhere online and is not covered here. The following describes the SSO implementation logic for enterprise application systems, which can serve as a starting point for your own SSO solution.

Logic implementation sequence diagram (image; its numbered links ① to ⑤ are referenced in the steps below):
1) Assume there are two applications, App1 and App2. The user has already logged into App1 and needs to jump to, or directly access, a function page in App2.

App1's access address is http://192.168.1.100/app1/; App2's access address is http://192.168.1.101/app2/, and the App2 page to be visited is http://192.168.1.101/app2/action2.action.

2) Since the user is already logged into App1 and needs to visit a page in App2, the browser first sends a jump (external access) request to App1's ssoURLRequest servlet, shown as link ① in the diagram above.
The requested URL is: http://192.168.1.100/app1/ssoURLRequest?app=app2&url=action2.action

3) From the URL parameters, the ssoURLRequest servlet in App1 determines that the jump target is App2 and that the target address is action2.action (a relative address). It looks up App2's other registered information, such as the application home path, IP address and context path, and from these builds the absolute URL of the App2 function page and the absolute URL used for SSO login verification.

4) The ssoURLRequest servlet in App1 obtains the current login user's ID (for example the employee number, which must match the user information held by App2). It encrypts user ID + app2 + session ID + UUID to produce the Token1 credential, saves the credential information to a cache (memory, a centralised cache or a database), and sends it to App2, asking App2 to generate the credential for logging in to App2. The request address is http://192.168.1.101/app2/tokenGenerat, shown as link ② in the diagram above.

5) App2 receives the credential generation request, takes the Token1 credential sent by App1, and calls App1's http://192.168.1.100/app1/tokenValidate to check that Token1 is valid, shown as link ③ above. If it is valid, App2 generates the credential for logging in to App2 (Token2), saves the credential information to its cache (memory, a centralised cache or a database), encrypts it, and returns it to App1's ssoURLRequest servlet.

6) App1's ssoURLRequest servlet receives the login credential information returned by App2 and returns it to the browser that sent the jump (access App2) request, together with a script that makes the browser redirect. The browser carries the login credential information (ciphertext) to App2, shown as link ④ above.

7) App2 receives the request carrying the login credential, decrypts the credential information and verifies that it is valid. If it is valid, the decrypted credential information is converted into the user's login information and saved to the session (or elsewhere), which logs the user in to App2. Throughout this process the user never has to enter App2 login details, shown as link ⑤ in the diagram above.

Configuration: web.xml mainly configures the single-sign-on related servlets, including the CAS integration; sso-common.xml configures each application's information, including the application ID and the token credential storage method; sso-current.properties configures the token expiry time, the data source definition when tokens are stored in a database, the Redis definition when tokens are cached, and so on.
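As an added example (not code from the original post), the seven steps above as a runnable simulation of the token exchange: App1 issues Token1 bound to the user, target app, session ID and a UUID; App2 has App1 validate it (the tokenValidate call); App2 issues Token2; and the browser's redirect with Token2 logs the user in. The shared key, the token format (an HMAC-signed JSON blob standing in for the post's encryption), the 60-second expiry and the in-memory cache are assumptions; the checks a deployment needs, expiry, audience binding and single use, are included.

```python
import base64, hashlib, hmac, json, time, uuid
# Constructed example: both apps share one SSO secret; an HMAC-signed JSON blob
# stands in for the encrypted credential the post describes.
SSO_KEY = b"constructed-shared-sso-key"
TOKEN_TTL = 60  # seconds; the post keeps this in sso-current.properties

def sign(payload):
    # serialise the credential and append an HMAC so tampering is detected
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
    mac = hmac.new(SSO_KEY, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + mac

def verify(token):
    # return the payload if the MAC matches and the token is unexpired, else None
    body, _, mac = token.rpartition(".")
    expected = hmac.new(SSO_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):
        return None
    payload = json.loads(base64.urlsafe_b64decode(body))
    return None if payload["exp"] < time.time() else payload

class App:
    def __init__(self, name):
        self.name = name
        self.cache = {}  # token id -> payload; the post's memory/Redis/DB store

    def issue(self, user, target, session_id):
        # step 4: user id + target app + session id + uuid, signed and cached
        p = {"jti": str(uuid.uuid4()), "user": user, "iss": self.name,
             "aud": target, "sid": session_id, "exp": time.time() + TOKEN_TTL}
        self.cache[p["jti"]] = p
        return sign(p)

    def validate(self, token, expected_aud):
        # steps 5 and 7: MAC, expiry, audience, then single use
        p = verify(token)
        if p is None or p["aud"] != expected_aud or p["jti"] not in self.cache:
            return None
        return self.cache.pop(p["jti"])  # consume it so a replay is rejected

def sso_flow(app1, app2, user, session_id):
    # links ② to ⑤: App1 issues Token1, App2 has App1 validate it (tokenValidate),
    # App2 issues Token2 for the browser redirect, then logs the user in with it
    token1 = app1.issue(user, app2.name, session_id)
    claims = app1.validate(token1, app2.name)
    if claims is None:
        return None
    token2 = app2.issue(claims["user"], app2.name, session_id)
    login = app2.validate(token2, app2.name)
    return login["user"] if login else None
```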
