CN112511491B - Single sign-on method combining a message queue in a front-end/back-end separated architecture - Google Patents


Info

Publication number: CN112511491B
Authority: CN (China)
Prior art keywords: user, information, cookie, biz1, sdk
Legal status: Active
Application number: CN202011187169.4A
Other languages: Chinese (zh)
Other versions: CN112511491A
Inventor: 林世雄
Current assignee: Fujian Funo Mobile Communication Technology Co ltd
Original assignee: Fujian Funo Mobile Communication Technology Co ltd
Priority date: 2020-10-30
Filing date: 2020-10-30
Publication date: 2021-03-16 (CN112511491A), 2022-12-06 (CN112511491B)

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/0815 Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F 16/90 Details of database functions independent of the retrieved data types
    • G06F 16/95 Retrieval from the web
    • G06F 16/955 Retrieval from the web using information identifiers, e.g. uniform resource locators [URL]
    • G06F 16/9566 URL specific, e.g. using aliases, detecting broken or misspelled links

Landscapes

  • Engineering & Computer Science
  • General Engineering & Computer Science
  • Databases & Information Systems
  • Theoretical Computer Science
  • Physics & Mathematics
  • General Physics & Mathematics
  • Data Mining & Analysis
  • Computer Hardware Design
  • Computer Security & Cryptography
  • Computing Systems
  • Computer Networks & Wireless Communication
  • Signal Processing
  • Information Transfer Between Computers
  • Computer And Data Communications

Abstract

The invention relates to a single sign-on method that combines a message queue with a front-end/back-end separated architecture. The method realizes single sign-on and single sign-out between systems even when they are deployed under different domains, reduces the integration complexity of each system, improves access efficiency, and allows each system to customize its own login page.

Description

Single sign-on method combining a message queue in a front-end/back-end separated architecture
Technical Field
The invention relates to the field of user authentication, and in particular to a single sign-on method that combines a message queue with a front-end/back-end separated architecture.
Background
As enterprises grow they operate more and more business systems, and users have to access several of them while looking up information or handling a transaction. Although these systems trust one another, each of them still requires the user to enter a user name and password on every visit for the sake of its own security. This raises the cost of using the systems, lowers efficiency, and makes switching between systems cumbersome.
To solve this problem the industry mainly relies on single sign-on, and the current single sign-on schemes are mainly the following:
1. All systems are deployed under the same domain name and distinguished by URL path, for example www.xxxx.com/site1 and www.xxxx.com/site2, so that both systems share the cookies of www.xxxx.com.
2. All systems are deployed under one parent domain and the cookie domain is set to that parent domain, for example site1.xxxx.com and site2.xxxx.com with the cookie domain set to .xxxx.com, so that both systems share the cookies of .xxxx.com.
3. For systems deployed under different domain names there are two solutions:
1) Forward requests through a reverse proxy such as Nginx or through a unified gateway; the principle is that the user then reaches every service under a single domain name, and the cookies of that domain are shared.
2) Set up an SSO server, such as a CAS server, which provides one login address and, when a system is accessed for the first time, passes the authentication information by redirecting back and forth.
Each of these ways of implementing single sign-on has drawbacks. A cookie is a client-side mechanism, so implementing single sign-on with cookies requires all systems to be deployed within the same domain scope, which restricts deployment. The Nginx or unified-gateway approach requires additional components, which raises operation and maintenance costs. Single sign-on via CAS appears to solve the problem well, but CAS is a heavy component: first, CAS has to be integrated with a user center to perform user authentication; second, every system has to be integrated with the CAS service separately to achieve single sign-on and single sign-out; and finally, clients can only sign in through the login page provided by CAS and cannot define a personalized login page per system, and passing authentication information through repeated redirects is neither elegant nor efficient.
Disclosure of Invention
The invention aims to provide a single sign-on method that combines a message queue with a front-end/back-end separated architecture, which realizes single sign-on and single sign-out between systems across domains, reduces the integration complexity of each system, improves access efficiency, and allows each system to customize its own login page.
To achieve this purpose, the technical scheme of the invention is as follows. A single sign-on method combining a message queue in a front-end/back-end separated architecture comprises the following steps:
S1, build a user center service with the Spring Boot framework, providing unified account registration, authentication and authorization;
S2, develop a server-side SDK, security-sdk, providing authentication interception of requests, message consumption and caching of authentication information;
S3, develop a web-side SDK, js-sdk, providing construction of the request's Authorization header, reading, pushing and deleting cookies, and storing the user's authentication information;
S4, set up a RabbitMQ server and create on it an exchange named uc_exchange of type topic; then create two queues, biz1_queue and biz2_queue, and bind them to uc_exchange;
S5, create two Spring Boot projects, biz1 and biz2, to simulate business systems; introduce js-sdk into their front ends and security-sdk into their back ends, and realize single sign-on between the business systems through these two SDKs;
S6, the user signs in to biz1 through single sign-on;
S7, when the user accesses biz2, the user's authentication information is already stored in the cookie under the user center's domain name because of the sign-on to biz1; biz2 reads the authentication information from the user center's cookie through js-sdk, sets it into the cookie under biz2's domain, and then accesses the system by constructing the Authorization header without signing in again;
S8, the user signs out of biz1 through single sign-out;
S9, when the user accesses biz2 again and issues an interface request to biz2, neither biz2's local cache nor the user center holds the user's authentication information any longer because of the sign-out from biz1, so the server returns an authentication-failure error asking the user to sign in again and redirects to the login page.
In an embodiment of the invention, in step S4 the exchange and the two queues may also be created and bound when the relevant service starts.
In an embodiment of the invention, step S6 is implemented as follows:
S61, the user accesses biz1, and js-sdk checks whether the cookie under biz1's domain name holds authentication information; if so, go to step S63, otherwise go to step S62;
S62, pull the cookie information under the user center's domain name by JSONP and set it into biz1's cookie, then check whether the user center's cookie held authentication information; if so, go to step S63; otherwise redirect to the login page, where the user enters a user name and password; once these are verified the authentication information is returned, stored in biz1's cookie and pushed into the cookie under the user center's domain name by JSONP, and step S63 is executed;
S63, js-sdk reads the information from the cookie and accesses biz1 by constructing the Authorization header.
In an embodiment of the invention, step S8 is implemented as follows:
S81, the user signs out of biz1, the user center's logout interface is called, and its result is checked; if the logout succeeded, go to step S82, otherwise go to step S84;
S82, the sign-out information of the user is written to uc_exchange in the message queue, and the sign-out information is delivered to the message subscribers;
S83, js-sdk deletes the user's authentication information from the cookie under biz1's domain and, by JSONP, from the cookie under the user center's domain, and the process ends;
S84, an error message is returned and the process ends.
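The browser-side half of steps S61 to S63 and S83 (the same steps are restated in claim 1), written as an added example in Node.js; it is not the patent's js-sdk and nothing in it is taken from that code. Per-domain cookie jars stand in for the browser, and the user center's JSONP endpoints are simulated as functions that return script text, which is then executed the way a script tag would execute it. The domain names, the cookie name uc_auth, the {user, token} shape of the authentication information, the Bearer/base64 Authorization format and the origin allow-list on the JSONP endpoints are all assumptions; the patent specifies none of them.

```javascript
'use strict';

// Added example, not the patent's js-sdk. Cookie name, domain names, the
// shape of the "authentication information" and the Authorization format
// are assumptions; the patent specifies none of them.
const UC_DOMAIN = 'uc.example.com';   // assumed user-center domain
const AUTH_COOKIE = 'uc_auth';        // assumed cookie carrying the auth info

// One cookie jar per domain, as a browser keeps them: biz1, biz2 and the
// user center cannot read each other's cookies directly.
const jars = new Map();
function jar(domain) {
  if (!jars.has(domain)) jars.set(domain, new Map());
  return jars.get(domain);
}

// User-center JSONP endpoints. A page on biz1 loads them with a <script>
// tag, so the response must be JavaScript that calls the named callback.
// The origin allow-list is an assumption: the patent does not say who may
// call these endpoints, but without such a check any site the user visits
// could pull or overwrite the user center's authentication cookie.
const ALLOWED_ORIGINS = new Set(['biz1.example.com', 'biz2.example.com']);
function ucCookieGet(origin, callback) {
  if (!ALLOWED_ORIGINS.has(origin)) return `${callback}(null);`;
  const value = jar(UC_DOMAIN).get(AUTH_COOKIE);
  return `${callback}(${JSON.stringify(value === undefined ? null : value)});`;
}
function ucCookieSet(origin, callback, value) {   // value null = delete
  if (!ALLOWED_ORIGINS.has(origin)) return `${callback}(false);`;
  if (value === null) jar(UC_DOMAIN).delete(AUTH_COOKIE);
  else jar(UC_DOMAIN).set(AUTH_COOKIE, value);
  return `${callback}(true);`;
}

// Run a JSONP response the way a <script> tag would: the response is code,
// and the only name it can resolve here is the callback.
function runJsonp(script, callback) {
  let result;
  new Function(callback, script)((v) => { result = v; });
  return result;
}

// S63: build the Authorization header from the cookie contents.
function buildAuthorization(authInfo) {
  return 'Bearer ' + Buffer.from(JSON.stringify(authInfo)).toString('base64');
}

// S61-S63 for one business system. `loginPage` stands for the system's own
// login page; it returns the authentication information the user center
// issues after the user name and password are verified. Passing null asks
// only whether a login page would be needed (the function then returns null).
function ssoLogin(bizDomain, loginPage) {
  const local = jar(bizDomain);
  let authInfo = local.get(AUTH_COOKIE);                           // S61
  if (authInfo === undefined) {
    authInfo = runJsonp(ucCookieGet(bizDomain, 'cb'), 'cb');       // S62: pull from UC
    if (authInfo === null) {
      if (loginPage === null) return null;                         // redirect to login
      authInfo = loginPage();
      runJsonp(ucCookieSet(bizDomain, 'cb', authInfo), 'cb');      // push to UC cookie
    }
    local.set(AUTH_COOKIE, authInfo);
  }
  return buildAuthorization(authInfo);                             // S63
}

// S83: delete the local cookie and, by JSONP, the user center's cookie.
function ssoLogout(bizDomain) {
  jar(bizDomain).delete(AUTH_COOKIE);
  return runJsonp(ucCookieSet(bizDomain, 'cb', null), 'cb');
}

// Walk through S6-S9 from the browser's point of view.
function demo() {
  const loginPage = () => ({ user: 'alice', token: 'constructed-token' });  // constructed
  const biz1 = ssoLogin('biz1.example.com', loginPage);   // S6: login page used once
  const biz2 = ssoLogin('biz2.example.com', null);        // S7: same header, no login
  const loggedOut = ssoLogout('biz1.example.com');        // S8
  // biz2 still holds its own copy of the cookie, so js-sdk can still build a
  // header: enforcing the sign-out is the server side's job (S9), not the
  // browser's. Once biz2's cookie is gone too, the user is sent to log in.
  const biz2Stale = ssoLogin('biz2.example.com', null);
  jar('biz2.example.com').delete(AUTH_COOKIE);
  const biz2Again = ssoLogin('biz2.example.com', null);
  return { biz1, biz2, loggedOut, biz2Stale, biz2Again };
}

console.log(demo());
```

Two points the patent leaves implicit show up when this runs. First, a JSONP endpoint that hands out the user center's authentication cookie is reachable from any origin that can load a script, so it has to restrict which callers it serves; the allow-list here is one way to do that. Second, after biz1 signs out, biz2's own cookie still exists and js-sdk will still construct an Authorization header from it, so the sign-out only takes effect once the server side (security-sdk and the user center) rejects that header, as step S9 describes.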
Compared with the prior art, the invention has the following beneficial effects:
1. single sign-on and single sign-out between systems are realized even across domains;
2. the SDK approach lets each system integrate with little effort, reducing each system's complexity;
3. the message queue together with the local cache ensures that when a user's authentication information changes, every system is notified promptly and updates the user's authentication information, while the local cache improves access efficiency;
4. each system can define its own personalized login page instead of being limited to a uniformly styled one.
Drawings
FIG. 1 is a flow chart of single sign-on according to the invention.
FIG. 2 is a flow chart of single sign-out according to the invention.
Detailed Description
The technical scheme of the invention is explained below with reference to the drawings.
The single sign-on method combining a message queue in a front-end/back-end separated architecture comprises the following steps:
1. Build a user center service with the Spring Boot framework (front end uc-web, server side uc-server) providing unified account registration, authentication, authorization and related functions.
2. Develop a server-side SDK (security-sdk) providing authentication interception of requests, message consumption, caching of authentication information and related functions;
3. Develop a web-side SDK (js-sdk) providing construction of the request's Authorization header, reading, pushing and deleting cookies, storing the user's authentication information and related functions;
4. Set up a RabbitMQ server and create on it an exchange named uc_exchange of type topic; create two queues, biz1_queue and biz2_queue, and bind them to uc_exchange (the exchange and the two queues may also be created and bound when the relevant service starts);
5. Create two Spring Boot projects (biz1 and biz2) to simulate business systems, introduce js-sdk into their front ends and security-sdk into their back ends, and realize single sign-on between the business systems through these two SDKs.
6. The single sign-on flow is shown in FIG. 1.
7. When the user accesses biz2, a cookie holding the user's authentication information necessarily exists under the user center's domain name because biz1 completed single sign-on according to that flow; biz2 reads the authentication information from the user center's cookie through js-sdk, sets it into the cookie under biz2's domain, and then accesses the system by constructing the Authorization header without signing in again.
8. The single sign-out flow is shown in FIG. 2.
9. When the user accesses biz2 again and issues an interface request to biz2, neither biz2's local cache nor the user center holds the user's authentication information any longer because biz1 completed single sign-out according to that flow, so the server returns an authentication-failure error asking the user to sign in again and redirects to the login page.
The above are preferred embodiments of the invention; all changes made according to the technical scheme of the invention that produce its functional effects fall within the protection scope of the invention.

Claims (3)

1. A single sign-on method combining a message queue in a front-end/back-end separated architecture, characterized by comprising the following steps:
S1, build a user center service with the Spring Boot framework, providing unified account registration, authentication and authorization;
S2, develop a server-side SDK (security-sdk) providing authentication interception of requests, message consumption and caching of authentication information;
S3, develop a web-side SDK, js-sdk, providing construction of the request's Authorization header, reading, pushing and deleting cookies, and storing the user's authentication information;
S4, set up a RabbitMQ server and create on it an exchange named uc_exchange of type topic; then create two queues, biz1_queue and biz2_queue, and bind them to uc_exchange;
S5, create two Spring Boot projects, biz1 and biz2, to simulate business systems; introduce js-sdk into their front ends and security-sdk into their back ends, and realize single sign-on between the business systems through these two SDKs;
S6, the user signs in to biz1 through single sign-on, implemented as follows:
S61, the user accesses biz1, and js-sdk checks whether the cookie under biz1's domain name holds authentication information; if so, go to step S63, otherwise go to step S62;
S62, pull the cookie information under the user center's domain name by JSONP and set it into biz1's cookie, then check whether the user center's cookie held authentication information; if so, go to step S63; otherwise redirect to the login page, where the user enters a user name and password; once these are verified the authentication information is returned, stored in biz1's cookie and pushed into the cookie under the user center's domain name by JSONP, and step S63 is executed;
S63, js-sdk reads the information from the cookie and accesses biz1 by constructing the Authorization header, specifically:
S631, js-sdk reads the information from the cookie, constructs the Authorization request header from it and requests an HTTP interface of the server;
S632, the server receives the request and security-sdk intercepts the Authorization information in the request header;
S633, security-sdk checks whether the cache holds the user's authentication information; if so, go to step S634; otherwise security-sdk extracts the relevant information from the Authorization header, sends an authentication request to the user center, caches the returned authentication information, and then goes to step S634;
S634, the authorization information is taken from the authentication information held in the cache;
S635, it is compared with the client's Authorization; if they are consistent the request result is returned and the process ends; if not, an error message is returned and the process ends;
S7, when the user accesses biz2, the user's authentication information is already stored in the cookie under the user center's domain name because of the sign-on to biz1; biz2 reads the authentication information from the user center's cookie through js-sdk, sets it into the cookie under biz2's domain, and then accesses the system by constructing the Authorization header without signing in again;
S8, the user signs out of biz1 through single sign-out;
S9, when the user accesses biz2 again and issues an interface request to biz2, neither biz2's local cache nor the user center holds the user's authentication information any longer because of the sign-out from biz1, so the server returns an authentication-failure error asking the user to sign in again and redirects to the login page;
single sign-on and single sign-out between systems across domains are realized through the above steps.
2. The single sign-on method combining a message queue in a front-end/back-end separated architecture as claimed in claim 1, wherein in step S4 the exchange and the two queues may also be created and bound when the relevant service starts.
3. The single sign-on method combining a message queue in a front-end/back-end separated architecture as claimed in claim 1, wherein step S8 is implemented as follows:
S81, the user signs out of biz1, the user center's logout interface is called, and its result is checked; if the logout succeeded, go to step S82, otherwise go to step S84;
S82, the sign-out information of the user is written to uc_exchange in the message queue, and the sign-out information is delivered to the message subscribers;
S83, js-sdk deletes the user's authentication information from the cookie under biz1's domain and, by JSONP, from the cookie under the user center's domain, and the process ends;
S84, an error message is returned and the process ends.
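The server-side half, steps S631 to S635 of claim 1 together with the sign-out fan-out of step S82, as an added example in Node.js that is not the patent's security-sdk. RabbitMQ is replaced by an in-process topic exchange with one bound queue per business system, and the user center is a small in-memory session store. The Authorization format ("Bearer " followed by base64-encoded JSON of {user, token}), the routing key uc.logout.<user>, the user-center API and the cache keyed by user are assumptions; the patent fixes only the exchange and queue names and the order of the checks.

```javascript
'use strict';

// Added example, not the patent's security-sdk. The user-center API, the
// Authorization format ("Bearer " + base64 JSON of {user, token}), the
// routing key uc.logout.<user> and the in-process stand-in for RabbitMQ are
// assumptions; the patent names only the exchange and queue names.

// --- user center: issues, validates and revokes sessions (assumed API) -----
const ucSessions = new Map();                      // token -> user
let ucCounter = 0;
function ucLogin(user) {
  const token = `tok-${user}-${++ucCounter}`;      // constructed, not a real secret
  ucSessions.set(token, user);
  return { user, token };                          // the "authentication information"
}
function ucAuthenticate(user, token) {
  return ucSessions.get(token) === user ? { user, token } : null;
}
function ucLogout(token, exchange) {
  const user = ucSessions.get(token);
  if (user === undefined) return false;            // S81 failed -> S84
  ucSessions.delete(token);
  exchange.publish(`uc.logout.${user}`, { user, token });   // S82: write to uc_exchange
  return true;
}

// --- uc_exchange (type topic) with one bound queue per business system -----
class TopicExchange {
  constructor() { this.queues = []; }
  // RabbitMQ topic matching, simplified: '*' is one word, '#' any words.
  bindQueue(pattern, consumer) {
    const re = new RegExp('^' + pattern
      .replace(/\./g, '\\.').replace(/\*/g, '[^.]+').replace(/#/g, '.*') + '$');
    this.queues.push({ re, consumer });
  }
  publish(routingKey, message) {
    for (const q of this.queues) if (q.re.test(routingKey)) q.consumer(message);
  }
}

// --- security-sdk as embedded in biz1 and biz2 -----------------------------
class SecuritySdk {
  constructor(name, exchange) {
    this.name = name;
    this.cache = new Map();                        // user -> token (local cache)
    // bizN_queue: a sign-out message evicts that user's cached credential.
    exchange.bindQueue('uc.logout.*', (m) => {
      if (this.cache.get(m.user) === m.token) this.cache.delete(m.user);
    });
  }
  static parse(header) {                           // S632: read the Authorization header
    const m = /^Bearer ([A-Za-z0-9+/=]+)$/.exec(header || '');
    if (!m) return null;
    try {
      const o = JSON.parse(Buffer.from(m[1], 'base64').toString('utf8'));
      return typeof o.user === 'string' && typeof o.token === 'string' ? o : null;
    } catch { return null; }
  }
  // S631-S635 for one request to an HTTP interface; returns status and body.
  handle(authorizationHeader) {
    const denied = { status: 401, body: 'authentication failed, please log in again' };
    const client = SecuritySdk.parse(authorizationHeader);
    if (client === null) return denied;
    let cached = this.cache.get(client.user);                     // S633: cache lookup
    if (cached === undefined) {
      const fresh = ucAuthenticate(client.user, client.token);    //   miss: ask user center
      if (fresh === null) return denied;                          //   S9: unknown or revoked
      this.cache.set(client.user, fresh.token);
      cached = fresh.token;
    }
    if (cached !== client.token) return denied;                   // S634-S635: must agree
    return { status: 200, body: `${this.name}: hello ${client.user}` };
  }
}

function authorizationFor(info) {
  return 'Bearer ' + Buffer.from(JSON.stringify(info)).toString('base64');
}

// S6-S9 end to end: one login, access to both systems, sign-out, denial.
function demo() {
  const exchange = new TopicExchange();
  const biz1 = new SecuritySdk('biz1', exchange);
  const biz2 = new SecuritySdk('biz2', exchange);
  const info = ucLogin('alice');                             // S6: login page result
  const auth = authorizationFor(info);
  const r1 = biz1.handle(auth).status;                       // 200, filled from user center
  const r2 = biz2.handle(auth).status;                       // 200 without re-login (S7)
  const stale = biz1.handle(authorizationFor({ user: 'alice', token: 'tok-other' })).status; // 401 by S635
  const loggedOut = ucLogout(info.token, exchange);          // S8: both queues consume it
  const r3 = biz2.handle(auth).status;                       // 401 (S9): evicted and revoked
  return { r1, r2, stale, loggedOut, r3, cached: biz1.cache.size + biz2.cache.size };
}

console.log(demo());
```

The run shows why the queue is part of the design: biz2 never contacts the user center for a request that hits its cache, so without the eviction triggered by the sign-out message its cached entry would keep accepting the revoked credential. The same reasoning argues for giving cached entries a lifetime as well, which the patent does not mention: if a sign-out message is lost or the consumer is down, an entry without an expiry stays valid indefinitely.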

Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
CN202011187169.4A (CN112511491B, en) | 2020-10-30 | 2020-10-30 | Single sign-on method combining a message queue in a front-end/back-end separated architecture

Publications (2)

Publication Number | Publication Date
CN112511491A (en) | 2021-03-16
CN112511491B (en) | 2022-12-06

Family

ID=74954709


Citations (6)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN103546432A * | 2012-07-12 | 2014-01-29 | 腾讯科技(深圳)有限公司 | Method and system for cross-domain redirection, browser and domain name servers
CN107707570A * | 2017-11-13 | 2018-02-16 | 山东省农村信用社联合社 | Cross-domain single sign-on integration method and system
CN107948167A * | 2017-11-29 | 2018-04-20 | 浙江数链科技有限公司 | Method and apparatus for single sign-on
CN108600203A * | 2018-04-11 | 2018-09-28 | 四川长虹电器股份有限公司 | Secure single sign-on method based on cookies and its unified authentication service system
CN109587133A * | 2018-11-30 | 2019-04-05 | 武汉烽火众智智慧之星科技有限公司 | Single sign-on system and method
CN111294354A * | 2020-02-04 | 2020-06-16 | 北京嗨学网教育科技股份有限公司 | Signature verification method, apparatus, device and storage medium for a distributed environment

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
jsonp、cookies实现单点登录(完全跨域) [Implementing single sign-on with JSONP and cookies (fully cross-domain)]; qq_38089964; CSDN; 2019-06-25; full text *
基于Web服务的数字化校园统一身份认证系统研究 [Research on a Web-service-based unified identity authentication system for a digital campus]; 唐绍华等 (Tang Shaohua et al.); 计算机与数字工程 (Computer & Digital Engineering); 2009-08-20 (No. 08); full text *

Similar Documents

Publication Publication Date Title
CN109587133B (en) Single sign-on system and method
US10356153B2 (en) Transferring session data between network applications accessible via different DNS domains
US9473419B2 (en) Multi-tenant cloud storage system
EP3228069B1 (en) Stack fusion architecture including distributed software clusters to enable software communication services
CA2473793C (en) System, method and apparatus for federated single sign-on services
US11394703B2 (en) Methods for facilitating federated single sign-on (SSO) for internal web applications and devices thereof
US7221935B2 (en) System, method and apparatus for federated single sign-on services
US7860882B2 (en) Method and system for distributed retrieval of data objects using tagged artifacts within federated protocol operations
US20070157304A1 (en) Method, apparatus and computer program product for automatic cookie synchronization between distinct web browsers
US9554276B2 (en) System and method for on the fly protocol conversion in obtaining policy enforcement information
KR20130135953A (en) System and method using a web proxy-server to access a device having an assigned network address
MX2011003223A (en) Service provider access.
CN101741817A (en) System, device and method for multi-network integration
CN105592035A (en) Single sign on method used for multiple application systems
CN109359446B (en) A kind of cross-domain login validation method in internet
CN102523220A (en) Web authentication method, and client and access layer device used for web authentication
CN107786502B (en) Authentication proxy method, device and equipment
CN111245791B (en) Single sign-on method for realizing management and IT service through reverse proxy
CN112511491B (en) Single point login method combining message queue under front-end and back-end separation mode
US20050228848A1 (en) Method and system for operating a peer network
US8219622B2 (en) Systems and methods for providing extended peering
JP6840505B2 (en) Systems, service providers, system control methods and programs
Cisco Configuring the CSS Domain Name Service
KR100468566B1 (en) Integrated Authentication Method of TCP/IP Service via HTTP Proxy
CN116232616A (en) Equipment communication method and device based on MQTT protocol

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant