[Web_cookie] Single sign-on under common parent domain

Single Sign-on, called Sso,sso, is not only used in enterprise-level development, but is also a big line in the Internet. Just to give a few examples, such as when we login Sina Weibo, and then visit Sina home page, we found that has been automatically logged in, such as we log in csdn, can write blog, visit the forum, download resources and so on. The former is a fully cross-domain single sign-on, which is described below, which is the single sign-on of the common parent domain (www.csdn.net, blog.csdn.net, Bbs.csdn.net, passport.csdn.net), which is the main content of this article.
Single Sign-on is actually the "identity authentication" of the integration, when we have multiple applications, we want to log in one of the applications, and then access other applications, will automatically log in, to avoid repetitive manual labor. Single Sign-on implementation principle is relatively simple, as shown, when the user first access to the application system through the browser 1 o'clock, because not yet logged in, will be directed to the authentication system to log in. The following start the single sign-on process: The authentication system according to the user entered in the browser login information, authentication, if the authentication passed, return to the browser a Proof ticket (ticket); When the user accesses other application system, it will take ticket; The application system receives ticket, It will be sent to the authentication system for legitimacy check, after the verification, the user does not need to enter the user name password again to log in, thus realizing the single sign-on function.

The process described above is actually web-sso. To achieve SSO, the first must have a unified authentication system, and then each application system through the authentication system to verify the user, so this requires two aspects of cooperation. Web-sso is a good implementation, especially in the case of a common parent domain, we can save ticket through a browser cookie. Today I use servlet technology to realize the main functions of SSO, where I can download the project.

Domain Preparation

Modify the Hosts file to map 3 domain names:

[HTML]View Plaincopy

1. 127.0.0.1 web1.ghsau.com
2. 127.0.0.1 web2.ghsau.com
3. 127.0.0.1 passport.ghsau.com

3 domain names must have a common parent domain (. ghsau.com), Web1 and WEB2 are used to access the application system, and passport is used to access the authentication system.

Project deployment

The project contains two Eclipse project, which you may need to set up under the Java EE Class library after importing to Eclipse/myeclipse. Webssoauth for the authentication system, Webssodemo for the application system, if the mapped domain name and I set the same, do not need to set up, direct deployment can be. If not, you need to modify the Web. xml file for the next two items. The key configuration information is as follows:
Webssoauth/web-inf/web.xml:

[HTML]View Plaincopy

2. <servlet>
4. <servlet-name>ssoauth</servlet-name>
6. <servlet-class>com.ghsau.servlet.ssoauth</servlet-class>
8. <init-param>
10. <!--ticket name --
12. <param-name>cookiename</param-name>
14. <param-value>ssoid</param-value>
16. </init-param>
18. <init-param>
20. <!--ticket scope --
22. <param-name>domainname</param-name>
24. <param-value>.ghsau.com</param-value>
26. </init-param>
28. <init-param>
30. <param-name>secure</param-name>
32. <param-value>false</param-value>
34. </init-param>
36. <init-param>
38. <!--ticket content encryption key, must be 24 characters, Chinese count 2 characters- -
40. <param-name>secretkey</param-name>
42. <param-value>111111112222222233333333</param-value>
44. </init-param>
46. <init-param>
48. <!--the expiration date of the ticket in the server, in minutes and
50. <param-name>tickettimeout</param-name>
52. <param-value>10080</param-value>
54. </init-param>
56. </servlet>
58. <servlet-mapping>
60. <servlet-name>ssoauth</servlet-name>
62. <url-pattern>/ssoauth</url-pattern>
64. </servlet-mapping>

Webssodemo/web-inf/web.xml:

[HTML]View Plaincopy

2. <filter>
4. <filter-name>ssoauth</filter-name>
6. <filter-class>com.ghsau.filter.ssoauth</filter-class>
8. <init-param>
10. <!--certification System Services --
12. <param-name>ssoservice</param-name>
14. <param-value>http://passport.ghsau.com:8080/webssoauth/ssoauth</param-value >
16. </init-param>
18. <init-param>
20. <!--authentication System login Page --
22. <param-name>ssologin</param-name>
24. <param-value>http://passport.ghsau.com:8080/webssoauth/login.jsp</param-value >
26. </init-param>
28. <init-param>
30. <!--certification System ticket name --
32. <param-name>cookiename</param-name>
34. <param-value>ssoid</param-value>
36. </init-param>
38. </Filter>
40. <filter-mapping>
42. <filter-name>ssoauth</filter-name>
44. <url-pattern>*.jsp</url-pattern>
46. </filter-mapping>
48. <filter-mapping>
50. <filter-name>ssoauth</filter-name>
52. <url-pattern>/logout</url-pattern>
54. </filter-mapping>

If the domain name or port number is inconsistent with my, the corresponding configuration item can be modified. Finally, deploy to the application server and start the server.

SSO uses

First enter the access address of the first application system, http://web1.ghsau.com:8080/WebSSODemo/index.jsp, if it is the first visit, will automatically jump to the login page, such as:

System built in 3 users, Zhang San, John Doe, Harry, the user name and password are all pinyin spelling, input Zhangsan/zhangsan login, will automatically jump to the page we just visited, the page shows the login user name and welcome information, such as:

At this point, we enter the second application system access address, http://web2.ghsau.com:8080/WebSSODemo/index.jsp, we found that no second login, the same page shows the login user name and welcome information, such as:

        We then click Logout Logout User, the page jumps to the login page, then we go back to the first application of the page, found also jump to the login page. This gives the user the effect is that an application login, other applications will be automatically logged in, and an application is written off, other applications will automatically logout, good magic look.
        Project provides the source code, the implementation of the idea is the above diagram, ticket saved in the cookie, using the characteristics of the cookie domain, to achieve the ticket in different applications can be obtained, Ticket verification process is the use of httpclient to send the authentication request, ticket encryption using 3DES, specifically can see Desutils.java, OK, here it is, if there is any problem, welcome to discuss.