Selection and comparison of Java single sign on technology kisso, SA token

Posted by Aleks on Sat, 19 Feb 2022 11:34:16 +0100

  1. Background introduction

Single sign on (SSO) means that in a multi system environment, users do not have to log in to other systems after logging in to one system.

In the early days, our web systems were all single applications, and all functions were written into a war package. The user login authentication function is relatively simple to handle. After the user logs in successfully, the server writes the user information into the session. The session id will be generated to mark that this memory interval belongs to you, and this session id (jssessionid) will be written into your browser cookie. As long as your browser is not closed, every time you send a request to the server, the server will get this session id from the cookie you sent, Then, according to the session id, go to the corresponding memory to retrieve the data you previously stored. However, if you exit the login. The server will clear the memory area belonging to you and regenerate a new session when logging in again.

However, with the continuous expansion of application visits, single applications can not meet the application requirements, so distributed applications came into being. In the distributed application environment, when the access volume of a subsystem increases, we will deploy multiple copies of the system at the same time. When the same user logs in successfully, because the Nignx reverse proxy policy cannot be saved, the user can access the same subsystem, that is, the session with successful user login cannot be shared in multiple subsystems, which will lead to its login failure. Therefore, in distributed applications, we should solve the problem of session synchronization, which is the origin of single sign on.


    2. Solution: kisso based identity authentication scheme

kisso = cookie sso Cookie based SSO middleware, which is a Swiss Army knife for rapid development of java Web login system (SSO). In addition, kisso is a single sign on Middleware Based on JWT specification.

Open source address:

### Code example ###

SSOToken ssoToken = SSOToken.create();
int cookieMaxage = SSOConfig.getInstance().getCookieMaxage();
ssoToken.setTime(new Date().getTime()+cookieMaxage*1000);//Set expiration time
// Log in in cookie mode and write the encrypted token value
SSOHelper.setCookie(request, response, ssoToken, true);

// Generate jwt bill and set 'accessToken = bill content' in the access request header
String jwtToken = ssoToken.getToken();

// Analytical bill
SSOToken ssoToken = SSOToken.parser(jwtToken);

// Obtain login user id and login account
ssoToken = SSOHelper.getSSOToken(request);
String userId = ssoToken.getId();
String loginName = ssoToken.getIssuer();

// Log out (clear the token information corresponding to the cookie)
SSOHelper.logout(request, response);

// For multi terminal login and calling kick off, the SSOCache interface needs to be implemented

// Permission interceptor class SSOSpringInterceptor
// Annotation does not intercept @ Login(action = Action.Skip)

// yml configure kisso config....
        signkey: xxxx   #Symmetric signature key (not required)
        cookieName: accessToken  #COOKIE key name
        cookieDomain: # COOKIE domain name


    3. Solution: SA token based single sign on + authority authentication framework

If your project belongs to the background management system or has permission authentication related requirements, recommend another open source project: SA token, which is a lightweight Java permission authentication framework;

Main solutions: login authentication, authority authentication, Session session, single sign on, oauth2 0 and a series of permission related problems.

Compared with the traditional old framework: Shiro and Spring Security need to customize the Realm, write global filters and write various configuration files during integration; The API design of SA token is super simple!

Open source address: Examples of core functions are as follows:

  • Login authentication - easy login authentication, and provides five breakdown scenario values
  • Permission verification - adapt to RBAC permission model, and different roles have different authorization
  • Session - a professional data caching Center
  • Kick people off the line - immediately remove the illegal users from the line
  • Distributed session - provides two distributed session schemes: jwt integration and shared data center
  • Microservice Gateway authentication - Request interception authentication adapted to common Gateway components such as Gateway, Soul and Zuul
  • Single sign on - one sign on, everywhere
  • Same end mutually exclusive login - like QQ, mobile phones and computers are online at the same time, but the two mobile phones are mutually exclusive login
### Code example ###
// Write the account id of the current session when logging in

// Then call the following API at any login that needs to be verified
// If the current session is not logged in, this code will throw an 'NotLoginException' exception

// Permission authentication example (only sessions with user:add permission can enter the request)
public String insert(SysUser user) {
	// ... 
	return "User increase";

// Log off the session with account id 10001

StpUtil.setLoginId(10001);                // Mark the account id of the current session login
StpUtil.getLoginId();                     // Get the login account id of the current session
StpUtil.isLogin();                        // Gets whether the current session has been logged in, and returns true or false
StpUtil.logout();                         // Current session logout login
StpUtil.logoutByLoginId(10001);           // Log out the session with account number 10001 (kick people off the line)
StpUtil.hasRole("super-admin");           // Query whether the current account contains the specified role ID
StpUtil.hasPermission("user:add");        // Query whether the current account contains the specified permission, and return true or false
StpUtil.getSession();                     // Get the current Session id
StpUtil.getSessionByLoginId(10001);       // Get the Session with account id 10001
StpUtil.getTokenValueByLoginId(10001);    // Get the token token value with account id 10001
StpUtil.setLoginId(10001, "PC");          // Specify device ID login
StpUtil.logoutByLoginId(10001, "PC");     // Specify the device ID for forced logoff (different ends are not affected)
StpUtil.switchTo(10044);                  // Temporarily switch the current session identity to another account


Topics: Spring Spring Boot