The idea of realizing single sign-on

Source: Internet
Author: User
Tags: cas, php
Some time ago I worked on a comprehensive business management platform for the XX Tourism Committee. The project was divided into n independent modules, each required to provide its own login, logout, database and pages. These applications were integrated into DZZ, a PHP web desktop system similar to WebQQ, in which each module is displayed as an icon on the desktop; we therefore generally refer to these modules as applications.
The point is that our development team consisted of a PHP group and a Java group of four people (not counting the mobile side). Each PHP and Java developer was assigned 5-10 application tasks, and the system also ships with some applications of its own. At integration time we had to consider single sign-on: users cannot be made to log in again every time they click an icon.
Originally I wanted to use CAS for single sign-on, but the PM said the PHP side did not understand CAS, learning it would take time, and there was no guarantee it would all work out; CAS also needs its own service to run, which was too much trouble. In the end we could only build it ourselves.

My idea is that when a user logs in, the login page sends a login request to every app that requires sign-in, records the login result returned by each app, and then jumps to the desktop of the desktop system, which loads only the apps that are signed in. This approach of sending multiple requests at login has been used by CSDN, Taobao and Tmall. At the time, CSDN's original login page was a form nested in the page through an IFRAME, and the submitted URL was the current login page; after clicking Login, the browser developer tools showed that CSDN automatically sent login requests to blog.csdn.net, write.blog.csdn.net and so on. Taobao and Tmall also send multiple login requests at login. At least half a year ago it still worked this way, but it seems to have changed since (or it is now hidden, and not what I found).
With the basic idea settled, after a few detailed discussions we finalized the following solution:

The diagram above is the logical diagram of the single sign-on we designed. Almost all of our applications are "managed applications": a managed application has no user information table of its own and obtains user information from the UC (User Center) application. The single sign-on therefore primarily serves these managed applications. The detailed steps are as follows:

①. The user logs in from the unified login portal: enters the user name and password and clicks the "Login" button; the program then sends name+pwd to UC by Ajax+JSONP.
②. UC receives the request and first authenticates the user. For an authenticated user, UC checks the user's permissions and returns the list of authorized apps in JSONP format; each list item carries app_id+login_url.
③. In the Ajax callback function, the login portal takes the application list returned by UC and sends an Ajax+JSONP login request to each of these apps: name+pwd+app_id.
④. When an app receives the login request, it must fetch the data from UC because it is a managed application: its Java code uses java.net.URL to emulate a browser and sends a user-rights validation request to UC carrying name+pwd+app_id.
⑤. UC authenticates the user again, verifies the user's rights, and returns the user's details in JSONP format.
⑥. Each app saves the user information into its own session and reports its login result back to the login portal.
⑦. After the login portal has received login feedback from every app, it records the subsystems that did not log in successfully and then jumps to the desktop.
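As an added example (not the post's own code), here is the login portal's browser-side part of steps ③ and ⑦ in JavaScript: one JSONP login request per app from the list UC returned, and bookkeeping of which apps failed before the jump to the desktop. The JSONP transport is injected so it runs outside a browser, and every app id and login_url below is a constructed placeholder.

```javascript
// Added example, not code from the original post. Models the login portal's
// fan-out (step ③) and result bookkeeping (step ⑦); all sample data is constructed.

// Build the JSONP login URL one app receives. JSONP is a <script> GET, so
// name, pwd and app_id necessarily travel in the query string.
function buildJsonpLoginUrl(app, name, pwd, callbackName) {
  const u = new URL(app.login_url);
  u.searchParams.set("name", name);
  u.searchParams.set("pwd", pwd);
  u.searchParams.set("app_id", app.app_id);
  u.searchParams.set("callback", callbackName);
  return u.toString();
}

// Step ⑦: from the settled replies, record which apps did not log in so the
// desktop can omit their icons, then hand back the redirect target.
function summarizeLoginResults(apps, settled) {
  const failed = [];
  settled.forEach((r, i) => {
    const ok = r.status === "fulfilled" && r.value && r.value.ok === true;
    if (!ok) failed.push(apps[i].app_id);
  });
  return { failed, loggedIn: apps.length - failed.length, redirect: "/desktop" };
}

// Step ③: one JSONP login request per app, in parallel; a rejected promise
// (timeout, network error) counts as a failed login rather than aborting all.
async function loginToApps(apps, name, pwd, jsonp) {
  const settled = await Promise.allSettled(
    apps.map((app, i) => jsonp(buildJsonpLoginUrl(app, name, pwd, `cb_${i}`)))
  );
  return summarizeLoginResults(apps, settled);
}

// Constructed sample data: the app list UC would return in step ② ...
const SAMPLE_APPS = [
  { app_id: "crm", login_url: "https://crm.example.test/sso/login" },
  { app_id: "oa", login_url: "https://oa.example.test/sso/login" },
  { app_id: "hr", login_url: "https://hr.example.test/sso/login" },
];

// ... and a fake transport standing in for the browser's <script> request:
// "hr" times out and "oa" rejects the user, so both end up in `failed`.
async function fakeJsonp(url) {
  const appId = new URL(url).searchParams.get("app_id");
  if (appId === "hr") throw new Error("timeout");
  return { app_id: appId, ok: appId !== "oa" };
}
```

Running `loginToApps(SAMPLE_APPS, "alice", "s3cret", fakeJsonp)` yields `failed: ["oa", "hr"]`. The URL builder also makes the design's main cost visible: because JSONP is a GET, the password becomes part of every app's request URL, where web-server, proxy and browser-history logs commonly retain it.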

That is how it is implemented: essentially, the login page logs in to each app. This will certainly draw criticism from some fellow bloggers, so to evaluate it objectively:

Advantages: the biggest advantage is that it is simple and lightweight; anyone can understand it at a glance. Because the code is our own, any problem can be located quickly. This is unlike an existing framework which you only know how to use but do not understand: when a problem appears you can only search Baidu and Google, and if nothing turns up you are completely in the dark.
Disadvantages: the biggest drawback is that exposing the actual login address of each application is unsafe, and when the number of applications is particularly large, performance suffers considerably.
That concludes the single sign-on idea; criticism and corrections are welcome.
