On the basis of a summary of the use of OAuth 2.0 in the framework, the OAuth 2.0 logout process of SSO single sign-on was drawn; today we take a look at the process of obtaining user information based on the user token: Java code
/**
* Get user information based on token
Single Sign-On SSO principles and implementation methods. Core idea:
Centralized storage of user information (global cookie, centralized session, JSON Web Token, Redis cache server, and custom
for issuing and canceling all digital certificates. The RA accepts and reviews users' certificate applications, such as certificate cancellation and restoration applications; the KMC is responsible for the generation, storage, management, backup, and recovery of encryption keys. The certificate publishing and query system generally uses the OCSP (Online Certificate Status Protocol) protocol to query user certificates; the backup and recovery system is responsible for
intercept the TGC to ensure the security of CAS. The TGT's survival period defaults to 120 minutes.
4.2. ST/PT Security
ST (Service Ticket) is transmitted over HTTP, so other people on the network can sniff other people's tickets. CAS makes ST more secure (in fact, configurable) in the following ways:
1, ST can only be used once
The CAS protocol stipulates that, regardless of the success of service ticket validation, CAS server clears the ticket in the server-side cache, ensuring that a service ticket is not used two times.
2, ST expires after a period of time
CAS stipulates that ST can only survive for a certain amount of time, and then CAS server will invalidate it. The default validity time is 5 minutes.
3, ST is based on random number generation
ST must be random enough; if the ST
that require single sign-on are placed within a secure network segment that is isolated from the gateway. The client obtains the service authorization after authentication.
Security Assertion Markup Language (SAML)-based implementation
The advent of SAML (Security assertion
different machines, different operating systems, and different J2EE products; they are completely standard and platform-independent applications. However, there is a limitation: the domain names of the two servers, demo1 and demo2, must be the same. This explains the relationship between cookies and domains, and how to create a cross-domain WEB-SSO is covered later.
Decompress the ssoauth.zip file and, in /WEB-INF/web.xml, modify the "domainname" attribute
accesses the application server, he/she performs active identity authentication with the broker and then carries the ticket license to the authorization server to obtain the service ticket. The user carries the service ticket to request the application server; the application server verifies the service ticket and then provides the response service.
Agent-based
An Identity Authentication Proxy
figure, the entire system can have more than two authentication servers, and these servers can even be different products. The authentication servers exchange authentication information through a standard communication protocol and can thereby complete a higher level of single sign-on. In the following figure, when the user accesses application system 1, he/she is authenticated by the first authentication server and obtains
identity certificate ticket
ST: Service Ticket, the service license voucher ticket
TGC: Ticket Granting Cookie, the cookie that stores the user authentication voucher ticket
In an SSO system there are three types of roles:
1, multiple users
2, multiple web applications
3, an SSO certification center
All logins are performed at the SSO certification center. The SSO certification center th
AssertionThreadLocalFilter
It means that the filter chain should not be wrong. In my previous tutorial, the CAS client configured web.xml without using these filters, and now we can use them again.
3. This is what a buddy explained before: I posted it.
Single-point logout, client configuration. I tried to use SAML for authentication and ticket verification. However, during debugging, I found that the
SSO stands for single sign-on. SSO is used across multiple application systems: users only need to log on once to access all mutually trusted application systems. It includes a mechanism for mapping the main logon to other applications for the login of the same user. It is one of the most popular solutions for enterprise busin
logstores.jsp and loginvalidapi.php. 4.4. Token exchange. 4.5. User name mapping
5. CAS open-source Single Sign-On SSO component (unified authentication center) 5.1. CAS principle: all application systems share an Identity Authentication System.