Java: implementing single sign-on

1 What is single sign-on

Single sign-on (SSO) is one of the more popular solutions for enterprise business integration. SSO is defined for a landscape of multiple application systems: the user logs in once and can then access every application that trusts the authentication service.

Within a larger enterprise there are usually many business support systems that provide management and IT services. For example, the financial system provides financial management, accounting and reporting services to finance staff, and the personnel system lets the HR department maintain the staff records of the whole company; the various business systems provide different services to the different lines of business within the company. The purpose of these systems is to let computers take over complex and tedious computational work from people, improving efficiency and quality. These systems were typically built at different times, run on different platforms, and may have been developed by different vendors using a variety of technologies and standards. In a well-known IT company in China (name withheld), for example, there are more than 60 internal business systems, including two different versions of SAP ERP, 12 different types and versions of database systems, 8 different types and versions of operating systems and 3 different firewall technologies, with dozens of mutually incompatible protocols and standards. Hard to believe? Do not doubt it: this is a very common situation. After several years of operation, each application system becomes an irreplaceable part of the enterprise IT architecture, as shown in the following illustration.

As the enterprise grows, the number of business systems keeps increasing, and old systems cannot easily be replaced, which brings a great deal of overhead. First there is management overhead: more and more systems need to be maintained. Data in many systems is redundant and duplicated, and inconsistent data puts great pressure on administration. The coupling between businesses is also increasing; for example, a company's billing system and financial system, and its financial system and personnel system, are inevitably closely related.

To reduce management cost and make maximum reuse of the systems already invested in, many enterprises are undertaking enterprise application integration (EAI). EAI can be done at different levels: for example, "data centralization" at the data storage level, a "common data exchange platform" at the transport level, "business process integration" at the application level, a "general enterprise portal" at the user interface level, and so on. In practice one further level of integration is becoming more and more important: the integration of "identity authentication", that is, "single sign-on".

In general, each individual system has its own security model and identity authentication system. Before integration, a user has to log in to each system separately, which not only creates great difficulties in management but also buries a major hidden danger in security. The following are some of the most notable statistics reported by survey companies:

1. Users spend an average of 16 minutes per day on authentication tasks. Source: IDS

2. The average IT user has 21 passwords. Source: NTA Monitor Password Survey

3. 49% of people write their passwords down, and 67% rarely change them.

4. An identity theft incident occurs every 79 seconds. Source: National Small Business Travel Assoc

5. Global fraud losses are approximately 12B per year. Source: Comm Fraud Control Assoc

6. By 2007 the identity management market will grow exponentially to $4.5B. Source: IDS

With single sign-on integration, a user logs in once and can access multiple systems without logging in again, which not only gives a better user experience but also lowers security risk and management cost. Consider the following statistics:

1. Improved IT efficiency: for every 1000 managed users, each user can save $70K

2. Help desk calls are reduced by at least 1/3; for a company of 10K employees this saves $75 per user per year, or $648K in total

3. Productivity improvement: each new employee saves $1K and each existing employee saves $350. Source: Giga

4. ROI: payback in 7.5 to 13 months. Source: Gartner

In addition, "single sign-on" is one of the requirements of the SOA era. In a service-oriented architecture there is a large amount of program-to-program communication, and security authentication between services is one of the difficult points of SOA applications; establishing a "single sign-on" system greatly simplifies the security problems of SOA and improves the efficiency of service collaboration.

2 The technical mechanism of single sign-on

With the popularity of SSO technology, SSO products are everywhere, and all the well-known software vendors offer solutions. Here I do not want to introduce my own company's (Sun Microsystems) products, but rather the SSO technology itself, together with a method for developing this kind of product yourself and a simple demonstration. The Summer Palace is a famous tourist attraction in Beijing and a place I often visit. It contains many separate attractions, such as "Suzhou Street", "Buddhist Incense" and "Dehe Garden", each of which sells its own tickets at its entrance. Many visitors want to see all of the attractions, and for them this way of buying tickets is very inconvenient: they have to queue at the gate of each attraction, and taking the wallet out every time makes it easy to lose and is unsafe. So the great majority of visitors buy a pass (also called a package ticket) at the main gate, which lets them visit all the attractions without buying any further tickets. All they need to do is show the pass at the gate of each attraction and they are admitted.

The single sign-on mechanism works the same way, as shown in the following figure. When the user first accesses application system 1, they have not logged in, so they are redirected to the authentication system to log in (1). The authentication system verifies the user's login information and, if it is valid, returns an authentication credential, the ticket, to the user (2). When the user then visits other applications (3, 5), the ticket is carried along as proof of their authentication; the application system receiving the request sends the ticket to the authentication system to check that it is valid (4, 6). If the check passes, the user can access application system 2 and application system 3 without logging in again.

As the figure above shows, achieving SSO requires the following main features:

1. All application systems share one identity authentication system.
A unified authentication system is a prerequisite of SSO. Its main job is to compare the user's login information against the user database and authenticate the user; it should then generate a unified authentication mark (the ticket) and return it to the user. In addition, the authentication system must be able to check a ticket and judge its validity.

2. All application systems can identify and extract the ticket.
For SSO to work so that the user logs in only once, an application system must be able to recognize users who have already logged in. It should identify and extract the ticket and, by communicating with the authentication system, automatically determine whether the current user is logged in, thus completing the single sign-on function.

The functionality above is only a very simple SSO architecture; real SSO deployments have a more complex structure. Two points are worth noting:

1. A single user information database is not required. Many systems do not store all user information centrally, and the design should allow user information to be kept in different stores, as shown in the following illustration. In fact, as long as the authentication system is unified and tickets are generated and validated uniformly, single sign-on can be achieved no matter where the user information is stored.

2. A unified authentication system does not mean only a single authentication server. As shown in the following figure, the whole system can contain two or more authentication servers, which may even be different products. If the authentication servers exchange authentication information over a standard communication protocol, a higher level of single sign-on can be achieved. In the figure, when the user accesses application system 1 he is authenticated by the first authentication server and obtains a ticket produced by that server. When he accesses application 4, authentication server 2 recognizes that the ticket was generated by the first server and exchanges authentication information with it over a standard protocol (such as SAML), so the SSO function still works.

3 Implementing Web-SSO

With the rapid development of the Internet, Web applications dominate most software applications, so Web-SSO is the most widespread SSO application. Web-SSO has its own characteristics and advantages, and is relatively simple to implement and easy to use. Many commercial and open-source products implement Web-SSO. Worth mentioning is OpenSSO (Https://, which provides an architecture guide and a service guide for implementing Web-SSO in Java, giving users a theoretical basis and an implementation method for Web-SSO.

Why is Web-SSO easier to implement? This is determined by the characteristics of Web applications themselves.

As everyone knows, the Web protocol (HTTP) is a stateless protocol. A Web application consists of a number of web pages, each identified by a unique URL. The user enters the URL of a page in the browser's address bar and the browser sends the request to the Web server. In the following illustration, the browser sends two requests to the Web server, asking for two pages. The two page requests use two separate HTTP connections. A stateless protocol means that the browser and Web server close the connection after the first request completes and establish a new connection for the second request. The Web server does not distinguish which requests come from which client; every request is handled on its own connection. This differs greatly from the traditional client/server (C/S) structure, where the client and server establish a long-lived dedicated connection. Because of this statelessness, each connection resource can quickly be reused by other clients, and one Web server can serve thousands of clients at the same time.

But our usual applications are stateful. Even without considering SSO between different applications, the user's login identity needs to be kept within one application. For example, the user logs in while visiting page 1; since, as just mentioned, each client request is a separate connection, how does the Web server know when the user then visits page 2 that this user has just logged in? There is a convention between browser and server for this: cookies are used to maintain application state. A cookie is a string that the Web server can set and the browser saves. As the following illustration shows, when the browser accesses page 1, the Web server sets a cookie and returns it along with page 1 to the browser; the browser saves the cookie after receiving it and sends it along when it accesses page 2. The Web server can read the cookie's value on that request and, from its contents, judge and restore the user's state.

Web-SSO can therefore use cookies on the client side to hold the user's login information: combining the cookie in the browser with the ticket described above completes the SSO function.

To complete a simple SSO function, two parts must work together:

1. A unified identity authentication service.

2. Modify the Web applications so that each one authenticates through this unified authentication service.
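As an added example (not code from the article or from OpenSSO), the following Java class plays the part of the unified authentication service from the figure in Section 2: login() performs steps (1)-(2) and hands out a random ticket, validate() is what an application calls in steps (4)/(6), and ticketFromCookieHeader() shows the Web-SSO cookie transport. The cookie name SSO_TICKET, the in-memory user store and Java 16 or later (for the record type) are assumptions of the example.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/** Added example, not the article's code: a minimal in-memory SSO authentication service. */
public class SsoAuthenticationService {
    private record Ticket(String user, long expiresAt) {}
    private final Map<String, Ticket> tickets = new ConcurrentHashMap<>();
    private final Map<String, String> userDb;            // constructed user store: name -> password
    private final SecureRandom random = new SecureRandom();
    private final long ttlMillis;

    public SsoAuthenticationService(Map<String, String> userDb, long ttlMillis) {
        this.userDb = userDb; this.ttlMillis = ttlMillis;
    }

    /** Steps (1)-(2): check the login and return an opaque, unguessable ticket, or null. */
    public String login(String user, String password) {
        String stored = userDb.get(user);
        if (stored == null || !stored.equals(password)) return null;   // toy check; store hashes in real use
        byte[] raw = new byte[32];
        random.nextBytes(raw);                                 // 256 random bits: cannot be guessed
        String ticket = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        tickets.put(ticket, new Ticket(user, System.currentTimeMillis() + ttlMillis));
        return ticket;
    }

    /** Steps (4)/(6): an application presents a ticket; answer with the user name or null. */
    public String validate(String ticket) {
        Ticket t = ticket == null ? null : tickets.get(ticket);
        if (t == null) return null;
        if (System.currentTimeMillis() > t.expiresAt()) { tickets.remove(ticket); return null; }
        return t.user();
    }

    /** Logout revokes the ticket for every application at once. */
    public void logout(String ticket) { tickets.remove(ticket); }

    /** Web-SSO transport: the ticket rides in a cookie (name SSO_TICKET is assumed); pull it from the Cookie header. */
    public static String ticketFromCookieHeader(String header) {
        if (header == null) return null;
        for (String part : header.split(";")) {
            String[] kv = part.trim().split("=", 2);
            if (kv.length == 2 && kv[0].equals("SSO_TICKET")) return kv[1];
        }
        return null;
    }
}
```

Each protected application calls validate(ticketFromCookieHeader(request.getHeader("Cookie"))) on every request and redirects to the login page when the result is null. The cookie carrying the ticket should be set with the HttpOnly and Secure attributes so that page scripts cannot read it and it is never sent in clear.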

web.xml, deployed under /app/WEB-INF

Notes for the application
1. In your login check, call SessionListener.isAlreadyEnter(session, "admin") to determine whether a user with that user name is already logged in; you can then force the previously logged-in user offline.
2. Other pages call SessionListener.isOnline(session) to determine whether the user is online.

Reposted from:

The SSH architecture is used to illustrate:
1. Create a login management class LoginManager.
2. Define a collection in LoginManager to keep track of the logged-in users.
3. Configure LoginManager as a singleton in Spring.
4. If you use a custom user management class, name it UserContext (a context representing the user's authorization) for convenience.
5. If you do not use a custom user management class, use the session directly.
6. In the login authorization object, check whether the user is legitimate; if so, look in the LoginManager collection to see whether the user is already online, and if not, add the user to the collection.
7. Processing strategy one: if the user is already online, invalidate the new login's session, which prevents the new login.
8. Processing strategy two: if the user is already online, take the online user's session out of the collection, invalidate it, and then add the newly logged-in user to the LoginManager collection. The user who logged in first can no longer perform privileged operations and can only log in again.
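The following Java class is an added example of steps 1 to 8 above, not the original article's code: it assumes the javax.servlet HttpSession API and a Strategy enum (REJECT_NEW for strategy one, KICK_OLD for strategy two) that the article does not name.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.http.HttpSession;

/** Added example, not the article's code: LoginManager holding the set of logged-in users. */
public class LoginManager {
    /** Strategy one rejects the new login; strategy two kicks out the earlier session. */
    public enum Strategy { REJECT_NEW, KICK_OLD }

    /** Online users keyed by user name; the value is the session that logged them in. */
    private final Map<String, HttpSession> users = new ConcurrentHashMap<>();
    private final Strategy strategy;

    public LoginManager(Strategy strategy) { this.strategy = strategy; }

    /**
     * Called by the login action after the password check succeeded (step 6). Returns true
     * if this session is now the user's active one, false if the login was refused.
     */
    public synchronized boolean register(String userName, HttpSession session) {
        HttpSession previous = users.get(userName);
        if (previous == null || previous == session) {
            users.put(userName, session);
            return true;
        }
        if (strategy == Strategy.REJECT_NEW) {                 // step 7
            session.invalidate();
            return false;
        }
        users.put(userName, session);                          // step 8: the new session wins
        try {
            previous.invalidate();                             // the earlier login must sign in again
        } catch (IllegalStateException alreadyInvalid) {
            // the old session timed out meanwhile; nothing left to invalidate
        }
        return true;
    }

    /** Other pages ask this before a privileged operation: is this session still the active login? */
    public boolean isOnline(String userName, HttpSession session) {
        return session != null && users.get(userName) == session;
    }

    /** Wire this to HttpSessionListener.sessionDestroyed, or a timed-out user stays "online" for good. */
    public synchronized void sessionDestroyed(HttpSession session) {
        users.values().removeIf(s -> s == session);
    }
}
```

Declare it once in applicationContext.xml (Spring beans are singletons by default) so that every login action shares the same map. Without the sessionDestroyed hook, a user whose browser crashed stays "online" under strategy one and is locked out until the old session times out.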

1. applicationContext.xml



4. If you use a custom UserContext, you can change the collection to Collection<UserContext> users;

