SpringCloud single sign-on

SpringCloud2021.0.0.5

Single sign-on

Single Sign On, or SSO for short, is one of the more popular solutions for enterprise business integration.The definition of SSO is that in multiple application systems, users only need to log in once to access all mutually trusted application systems.

Operation mechanism

Use a real-life example for comparison.There are many independent attractions in a park, and tourists can buy tickets separately at the entrance of each attraction.For tourists who need to visit all the attractions, this method of buying tickets is very inconvenient, and they need to queue up at the entrance of each attraction to buy tickets.Therefore, most tourists choose to buy a pass (also called a package) at the gate, and they can visit all the attractions without having to buy a new ticket.They only need to show the package they just bought at the entrance of each attraction to be allowed to enter each independent attraction.The same is true for single sign-on.

User Authentication

User authentication: This link is mainly that the user initiates an authentication request to the authentication server, and the authentication server returns a successful token to the user, which is mainly completed in the authentication server, that is, the authentication system in the figure. Note that the authentication system can onlyThere is one.

Identity verification

Identity verification: This part is when the user carries the token to access other servers, the authenticity of the token must be checked in other servers, mainly in the resource server

JWT

JWT (JSON Web Token) is an excellent distributed authentication scheme.
From the distributed authentication process, it is not difficult to find that the most critical role is the token. The security of the token is directly related to the robustness of the system. JWT is used to generate and verify the token.The token can be generated, and the token can also be parsed and verified.

The token generated by JWT consists of three parts:
Header: mainly set some specification information, and the encoding format of the signature part is declared in the header.
Payload: The part of the token that stores valid information, such as username, user role, expiration time, etc., but don't put the password, it will leak!
Signature: After encoding the header and payload in base64, connect them with ".", then add salt, and finally encode with the encoding type declared in the header to get the signature.

Introduction to Asymmetric Encryption RSA Brief

SpringSecurity integrates JWT

1. Analysis of certification ideas

SpringSecurity mainly implements functions through filters!We have to find the filters that SpringSecurity implements authentication and identity verification!

Review of the centralized authentication process

User authentication: Use the attemptAuthentication method in the UsernamePasswordAuthenticationFilter filter to implement the authentication function, and the successfulAuthentication method in the parent class of the filter implements the operation after successful authentication.
Identity verification: Use the doFilterInternal method in the BasicAuthenticationFilter filter to verify whether to log in to determine whether to enter the subsequent filter.

2. Analyze the distributed authentication process

User authentication:
Due to the separation of front and back ends, the project architecture design is distributed. To meet the authentication request parameters that can accept asynchronous post, we need to modify the attemptAuthentication method in the UsernamePasswordAuthenticationFilter filter., so that it can receive the request body.In addition, the default successfulAuthentication method is to put the user information directly into the session after the authentication is passed. Now we need to modify this method to generate a token and return it to the user after the authentication is passed.

Identity verification
Use the doFilterInternal method in the BasicAuthenticationFilter filter to verify whether the user is logged in, just to see if there is user information in the session, we need to modify it to,Verify whether the token carried by the user is legal, parse out the user information, and hand it over to Spring Security, so that the subsequent authorization function can be used normally.

Create Authentication Service

Reference Address

https://blog.csdn.net/xiyang_1990/article/details/124487755
https://blog.csdn.net/CSDN_KONGlX/article/details/125486825
Spring Security + JWT implements a single pointLogin

https://blog.csdn.net/qq_18671415/article/details/118518450
http://t.zoukankan.com/7788IT-p-10693154.html
https://blog.csdn.net/pxg943055021/article/details/124752669

https://blog.csdn.net/wang121213145/article/details/124850518
https://blog.csdn.net/asd747571569/article/details/122511434