单点登录(Single Sign-On, SSO)是一种身份验证机制,允许用户使用一组凭证(如用户名和密码)登录多个相关但独立的系统。
一、单点登录的核心原理
SSO的核心原理使集中认证、分散授权,主要流程如下:
1.用户访问应用A
2.应用A检查本地会话,发现未登录
3.重定向到SSO认证中心
4.用户在认证中心登录
5.认证中心创建全局会话,并颁发令牌
6.用户携带令牌返回应用A
7.应用A向认证中心验证令牌
8.认证中心返回用户信息,应用A创建本地会话
9.用户访问应用B时重复2-8流程(但无需重复登录)
二、Spring Boot实现SSO的三种主流方案
方案1:基于OAuth2的实现(推荐)
1.添加依赖
xml
<!-- Spring Security OAuth2 -->
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-oauth2-client</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-oauth2-resource-server</artifactId>
</dependency>2.认证中心配置
java
@Configuration
@EnableAuthorizationServer
public class AuthServerConfig extends AuthorizationServerConfigurerAdapter {
@Override
public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
clients.inMemory()
.withClient("client1")
.secret(passwordEncoder().encode("secret1"))
.authorizedGrantTypes("authorization_code", "refresh_token")
.scopes("read", "write")
.redirectUris("http://localhost:8081/login/oauth2/code/client1")
.autoApprove(true);
}
@Bean
public PasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder();
}
}3.资源服务配置
java
@Configuration
@EnableResourceServer
public class ResourceServerConfig extends ResourceServerConfigurerAdapter {
@Override
public void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers("/api/**").authenticated()
.anyRequest().permitAll();
}
}4.客户端应用配置
yaml
# application.yml
spring:
security:
oauth2:
client:
registration:
sso:
client-id: client1
client-secret: secret1
authorization-grant-type: authorization_code
redirect-uri: "{baseUrl}/login/oauth2/code/{registrationId}"
scope: read,write
provider:
sso:
issuer-uri: http://localhost:8080方案2:基于JWT实现
1.添加依赖
xml
<dependency>
<groupId>io.jsonwebtoken</groupId>
<artifactId>jjwt</artifactId>
<version>0.9.1</version>
</dependency>2.JWT工具类
java
public class JwtTokenUtil {
private static final String SECRET = "your-secret-key";
private static final long EXPIRATION = 86400000; // 24小时
public static String generateToken(UserDetails userDetails) {
return Jwts.builder()
.setSubject(userDetails.getUsername())
.setIssuedAt(new Date())
.setExpiration(new Date(System.currentTimeMillis() + EXPIRATION))
.signWith(SignatureAlgorithm.HS512, SECRET)
.compact();
}
public static String getUsernameFromToken(String token) {
return Jwts.parser()
.setSigningKey(SECRET)
.parseClaimsJws(token)
.getBody()
.getSubject();
}
}3.认证过滤器
java
public class JwtAuthenticationFilter extends OncePerRequestFilter {
@Override
protected void doFilterInternal(HttpServletRequest request,
HttpServletResponse response,
FilterChain chain) throws IOException, ServletException {
String token = resolveToken(request);
if (token != null && validateToken(token)) {
String username = JwtTokenUtil.getUsernameFromToken(token);
UserDetails userDetails = userDetailsService.loadUserByUsername(username);
UsernamePasswordAuthenticationToken authentication =
new UsernamePasswordAuthenticationToken(userDetails, null, userDetails.getAuthorities());
authentication.setDetails(new WebAuthenticationDetailsSource().buildDetails(request));
SecurityContextHolder.getContext().setAuthentication(authentication);
}
chain.doFilter(request, response);
}
private String resolveToken(HttpServletRequest request) {
String bearerToken = request.getHeader("Authorization");
if (StringUtils.hasText(bearerToken) && bearerToken.startsWith("Bearer ")) {
return bearerToken.substring(7);
}
return null;
}
}方案3:基于CAS实现
1.添加CAS客户端依赖
xml
<dependency>
<groupId>org.jasig.cas.client</groupId>
<artifactId>cas-client-support-springboot</artifactId>
<version>3.6.4</version>
</dependency>2.CAS配置
java
@Configuration
public class CasConfig {
@Value("${cas.server.url}")
private String casServerUrl;
@Value("${cas.service.url}")
private String serviceUrl;
@Bean
public FilterRegistrationBean<AuthenticationFilter> casAuthenticationFilter() {
FilterRegistrationBean<AuthenticationFilter> registration = new FilterRegistrationBean<>();
registration.setFilter(new AuthenticationFilter());
registration.addInitParameter("casServerLoginUrl", casServerUrl + "/login");
registration.addInitParameter("serverName", serviceUrl);
registration.addUrlPatterns("/*");
return registration;
}
@Bean
public ServletListenerRegistrationBean<SingleSignOutHttpSessionListener> casSingleSignOutListener() {
return new ServletListenerRegistrationBean<>(new SingleSignOutHttpSessionListener());
}
}三、SSO实现的关键技术点
1.会话管理
-
分布式会话:使用Redis存储会话信息
java@Bean public RedisIndexedSessionRepository sessionRepository(RedisOperations<String, Object> redisOperations) { return new RedisIndexedSessionRepository(redisOperations); } -
Session共享配置
yamlspring: session: store-type: redis redis: flush-mode: on_save namespace: spring:session
2.跨域问题解决
java
@Configuration
public class CorsConfig implements WebMvcConfigurer {
@Override
public void addCorsMappings(CorsRegistry registry) {
registry.addMapping("/**")
.allowedOrigins("*")
.allowedMethods("GET", "POST", "PUT", "DELETE")
.allowedHeaders("*")
.allowCredentials(true)
.maxAge(3600);
}
}3.安全配置
java
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.csrf().disable()
.authorizeRequests()
.antMatchers("/login", "/oauth/**").permitAll()
.anyRequest().authenticated()
.and()
.formLogin()
.loginPage("/login")
.and()
.logout()
.logoutUrl("/logout")
.logoutSuccessUrl("/")
.invalidateHttpSession(true)
.deleteCookies("JSESSIONID");
}
}四、SSO实现的最佳实践
1.安全性考虑:
- 使用HTTPS加密所有通信
- 实现令牌的短期有效性(设置合理的过期时间)
- 防范CSRF攻击
2.性能优化:
- 使用缓存减少令牌验证的数据库查询
- 实现令牌的自动续期机制
3.用户体验:
- 实现无缝跳转,避免多次重定向
- 提供清晰的登录状态提示
4.监控与日志
- 记录所有认证事件
- 实现异常登录的告警机制
五、三种SSO方案对比
| 方案 | 优点 | 缺点 | 适用场景 |
|---|---|---|---|
| OAuth2 | 标准协议,安全性高,扩展性强 | 实现复杂度较高 | 企业级应用,多平台集成 |
| JWT | 无状态,性能好,适合分布式系统 | 令牌无法主动失效 | 微服务架构,前后端分离 |
| CAS | 专为SSO设计,功能完善 | 需要额外部署CAS服务器 | 传统企业应用,教育系统 |
六、常见问题解决方案
1.令牌失效问题
- 实现令牌刷新机制
- 使用Redis黑名单管理已注销令牌
2.跨域会话问题
-
设置正确的Cookie域和路径
java@Bean public CookieSerializer cookieSerializer() { DefaultCookieSerializer serializer = new DefaultCookieSerializer(); serializer.setCookieName("JSESSIONID"); serializer.setCookiePath("/"); serializer.setDomainNamePattern("^.+?\\.(\\w+\\.[a-z]+)$"); return serializer; }
3.多因素认证集成
java
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers("/login").permitAll()
.antMatchers("/mfa-verify").hasRole("PRE_AUTH")
.anyRequest().fullyAuthenticated()
.and()
.formLogin()
.loginPage("/login")
.successHandler((request, response, authentication) -> {
if (needsMfa(authentication)) {
response.sendRedirect("/mfa-verify");
} else {
response.sendRedirect("/home");
}
});
}