概述
下载地址:https://gitee.com/xuxueli0323/xxl-sso
文档地址:https://www.xuxueli.com/xxl-sso/
概述
XXL-SSO 是一个分布式单点登录框架。只需要登录一次就可以访问所有相互信任的应用系统。
拥有"轻量级、分布式、跨域、Cookie+Token均支持、Web+APP均支持"等特性。现已开放源代码,开箱即用。
特性
- 1、简洁:API直观简洁,可快速上手
- 2、轻量级:环境依赖小,部署与接入成本较低
- 3、单点登录:只需要登录一次就可以访问所有相互信任的应用系统
- 4、分布式:接入SSO认证中心的应用,支持分布式部署
- 5、HA:Server端与Client端,均支持集群部署,提高系统可用性
- 6、跨域:支持跨域应用接入SSO认证中心
- 7、Cookie+Token均支持:支持基于Cookie和基于Token两种接入方式,并均提供Sample项目
- 8、Web+APP均支持:支持Web和APP接入
- 9、实时性:系统登陆、注销状态,全部Server与Client端实时共享
- 10、CS结构:基于CS结构,包括Server"认证中心"与Client"受保护应用"
- 11、记住密码:未记住密码时,关闭浏览器则登录态失效;记住密码时,支持登录态自动延期,在自定义延期时间的基础上,原则上可以无限延期
- 12、路径排除:支持自定义多个排除路径,支持Ant表达式,用于排除SSO客户端不需要过滤的路径
基本流程
项目结构
XXl-SSO 的实现原理
项目配置
- 在需要信任的认证的项目中引入项目中引入jar包
<dependence>
<groupId>com.xuxueli</groupId>
<artifactId>xxl-sso</artifactId>
<version>1.1.1-SNAPSHOT</version>
</dependence>
- 单独部署xxl-sso-sever 服务,xxl-sso 中的登录/登录调用xxl-sso-sever服务。 在xxl-sso-sever 中做登录/登出的业务操作,一般会调用业务系统的人员组件实现用户的登录/退出的业务操作。
目前开源的这个xxl-sso中存在的问题
- 项目的包名一般不符合一般公司的应用要求
- 项目中用户的sessionid的存储,登录/退出都是基于缓存的测试案例,没有做真正的登录业务操作
基于以上问题,一般公司拿到项目源码后会进行本地化改造,符合本公司的项目工程应用
sso-core start 组件化的实现单点登录自动配置原理
- spring.factories
org.springframework.boot.autoconfigure.EnableAutoConfiguration=\ com.xxl.sso.core.filter.XxlSsoConfig,\ com.xxl.sso.core.conf.FeignAutoConfiguration
需要被认证服务中的xxl.sso.的属性初始化,以及sso-core 包中的fegin接口
``
/**
* @author fan.tianpeng
* @date 2021/5/12 17:01
*/
@Configuration
@EnableFeignClients(basePackages = "com.xxl.sso.core.api")
@ComponentScan("com.xxl.sso.core.store")
public class FeignAutoConfiguration {
}
package com.xxl.sso.core.filter;
import com.xxl.sso.core.conf.Conf;
import com.xxl.sso.core.web.SsoReceiveController;
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
import org.springframework.boot.context.properties.EnableConfigurationProperties;
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.Ordered;
/**
* @author xuxueli 2018-11-15
*/
@Configuration
@ConditionalOnProperty(prefix = "xxl.sso", name = "enable", havingValue = "true")
@EnableConfigurationProperties(XxlSsoProperties.class)
public class XxlSsoConfig {
@Bean
public FilterRegistrationBean<XxlSsoWebFilter> xxlSsoFilterRegistration(XxlSsoProperties xxlSsoProperties) {
//filter init
FilterRegistrationBean<XxlSsoWebFilter> registration = new FilterRegistrationBean<XxlSsoWebFilter>();
registration.setName("XxlSsoWebFilter");
registration.setOrder(Ordered.HIGHEST_PRECEDENCE);
registration.addUrlPatterns(xxlSsoProperties.getUrlPatterns());
registration.setFilter(new XxlSsoWebFilter(xxlSsoProperties));
registration.addInitParameter(Conf.SSO_SERVER, xxlSsoProperties.getServer());
registration.addInitParameter(Conf.SSO_LOGOUT_PATH, xxlSsoProperties.getLogoutPath());
registration.addInitParameter(Conf.SSO_EXCLUDED_PATHS, xxlSsoProperties.getExcludedPaths());
registration.setEnabled(xxlSsoProperties.getEnable());
return registration;
}
@Bean
public SsoReceiveController receiveController(){
return new SsoReceiveController();
}
}
单点登录属性配置
@Component
@ConfigurationProperties(prefix = "xxl.sso")
@Data
public class XxlSsoProperties {
/**
* sso后端服务地址
*/
private String server;
/**
* 登出地址
*/
private String logoutPath;
/**
* 不需要拦截的url
*/
private String excludedPaths;
/**
* 需要拦截的路径
*/
private String urlPatterns;
/**
* 接入业务系统前端地址
*/
private String clientWebUrl;
/**
* 接收session
*/
private String receiveSession;
/**
* 业务系统是否是前后端分离
*/
private Boolean redirect = false;
/**
* 登录校验开关
*/
private Boolean enable = false;
/**
* 是否仅允许单个客户端登录
*/
private Boolean singleClientEnable = false;
/**登录地址*/
private String loginPage;
/**用户管理页*/
private String userMgrPage;
private String redirectUrl;
private String toUrl;
}
xxl.sso需要单点登录应用的配置
提供是否开启、后端服务认证服务地址、后端跳转地址、退出/未登录等跳转前端页面地址、不需要请求拦截的地址等配置、门户首页地址、退出登录请求接口、用户认证方式
xxl:
sso:
# 是否开启登录校验
enable: false
# 是否仅允许单个客户端登录
singleClientEnable: ${singleClientEnable:false}
# sso后端服务地址
server: ${xxlSsoServer:http:///前端ip:5011}
# 默认跳转后端
redirectUrl: ${xxlSsoRedirectUrl:http:///前端ip:5011/sso-server/sso/receive}
# 默认跳转前端页面
toUrl: ${xxlSsoToUrl:http:///前端ip:5011}
# 登录页
loginPage: ${loginPage:http:///前端ip:5011/sso-server/static/login.html}
# 用户管理页
userMgrPage: ${userMgrPage:http:///前端ip:5011/usercenter-admin-web/}
# 登出接口
logoutPath: ${xxlLogoutPath:/logout}
# 不需要拦截的url
excludedPaths: /*.html,/*.ico,/**/*.html,/**/*.css,/**/*.js,/**/*.png,/**/*.jpg,/**/*.docx,/sso/login,/potral/**,/restapi/**,/swagger-ui.html,/v2/api-docs,/swagger-resources/**,/webjars/**,/doc.html,/sso-server/doLogin2,/doGetLoginType/**,/usercenter-admin-app/admin/sysCarousel/**,/usercenter/sysCache/**
# sso需要的redis地址
redisAddress: redis://xxl-sso:Avicit_2024@/前端ip:6379/0
# 需要拦截的url,默认所有请求都拦截,这里配置/*不要/**
urlPatterns: ${xxlUrlPatterns:/admin/*}
redis:
expire:
minute: ${xxlRedisExpireMinute:1440}
#mysql替换redis开关(true:使用mysql替换redis)
mysqlSubstitute: ${xxlSsoMysqlSubstitute:false}
#cache过期时间(mysql过期时间读取此配置)
cache:
expireMinute: ${xxlCacheExpireMinute:1440}
#登出是否跳转商飞门户首页
logout2ComacPortal:
#匹配的地址清单,多个逗号分割
matchedUrls:
#商飞门户首页地址
comacPortalUrl:
单点登录过滤
XxlSsoWebFilter (sso-core)
-
需要单点登录用户的认证的服务引用,拦截用户的所有后台请求
-
判断请求路径是否在excludedPaths检验的路径中,如果是则拦截请求返回,跳过单点登录校验
-
检查用户是否是退出/loginout ,如果是退出操作,则
2.1 清除用户的登录缓存
2.2 判断是否是前后端分离项目,如果不是则直接跳转至退出登录页res.sendRedirect(logoutPageUrl);
2.3 如果是前后端分离项目,则返回前端状态返回501,设置登录跳转的redirect_url为前端系统页面地址
-
判断用户是否登录,根据用户请求的xxl_sso_sessionid 获取登录用户,如果获取不到怎,则返会状态501,提示sso not login
-
如果能获取到登录用户,则在request中设置登录用户,xxl_sso_user,保存登录的用户
-
public class XxlSsoWebFilter extends HttpServlet implements Filter {
private static Logger logger = LoggerFactory.getLogger(XxlSsoWebFilter.class);
private static final AntPathMatcher antPathMatcher = new AntPathMatcher();
private String ssoServer;
private String logoutPath;
private String excludedPaths;
private XxlSsoProperties xxlSsoProperties;
public XxlSsoWebFilter (XxlSsoProperties xxlSsoProperties){
this.xxlSsoProperties = xxlSsoProperties;
}
@Override
public void init(FilterConfig filterConfig) throws ServletException {
ssoServer = filterConfig.getInitParameter(Conf.SSO_SERVER);
logoutPath = filterConfig.getInitParameter(Conf.SSO_LOGOUT_PATH);
excludedPaths = filterConfig.getInitParameter(Conf.SSO_EXCLUDED_PATHS);
logger.info("XxlSsoWebFilter init,xxlSsoProperties:{}",JSON.toJSONString(xxlSsoProperties));
}
@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
HttpServletRequest req = (HttpServletRequest) request;
HttpServletResponse res = (HttpServletResponse) response;
logger.info("-过滤请求--->{}", request.toString());
logger.info("--过滤参数--->{}", request.getParameterMap().toString());
logger.info("-过滤响应--->{}", response.toString());
// make url
String servletPath = req.getServletPath();
logger.info("servlet path={}",servletPath);
// excluded path check
if (excludedPaths!=null && excludedPaths.trim().length()>0) {
for (String excludedPath:excludedPaths.split(",")) {
String uriPattern = excludedPath.trim();
// 支持ANT表达式
if (antPathMatcher.match(uriPattern, servletPath)) {
// excluded path, allow
chain.doFilter(request, response);
return;
}
}
}
// logout path check
if (logoutPath!=null
&& logoutPath.trim().length()>0
&& logoutPath.equals(servletPath)) {
logger.info("######################XxlSsoWebFilter logoutPath:{}",logoutPath);
// remove cookie
SsoWebLoginHelper.logout(req, res);
// redirect logout
String logoutPageUrl = ssoServer.concat(Conf.SSO_LOGOUT);
//判断业务系统是否是前后端分离
if (xxlSsoProperties.getRedirect()){
Map<String,String> dataMap = new HashMap<>();
dataMap.put("loginPageUrl",logoutPageUrl+"?redirect_url=");
ResponseUtils.writeResponse(res,BaseResult.buildError(Conf.SSO_LOGIN_FAIL_RESULT.getCode(),Conf.SSO_LOGIN_FAIL_RESULT.getMsg(),dataMap));
return;
}
res.sendRedirect(logoutPageUrl);
return;
}
// valid login user, cookie + redirect
XxlSsoUser xxlUser = SsoWebLoginHelper.loginCheck(req, res);
// valid login fail
if (xxlUser == null) {
String header = req.getHeader("content-type");
boolean isJson= header!=null && header.contains("json");
if (isJson) {
// json msg
res.setContentType("application/json;charset=utf-8");
Map<String,String> dataMap = new HashMap<>();
dataMap.put("loginPageUrl", ssoServer
.concat(Conf.SSO_LOGIN) + "?" + Conf.REDIRECT_URL + "=" + xxlSsoProperties.getClientWebUrl() + xxlSsoProperties.getReceiveSession() + "&"
+ Conf.TO_URL + "=");
ResponseUtils.writeResponse(res, BaseResult.buildError(Conf.SSO_LOGIN_FAIL_RESULT.getCode(), Conf.SSO_LOGIN_FAIL_RESULT.getMsg(),dataMap));
return;
} else {
// total link
String link = req.getRequestURL().toString();
// redirect logout
String loginPageUrl = ssoServer.concat(Conf.SSO_LOGIN)
+ "?" + Conf.REDIRECT_URL + "=" + link;
//判断业务系统是否是前后端分离
if (xxlSsoProperties.getRedirect()){
res.getWriter().println(
"{\"code\":" + Conf.SSO_LOGIN_FAIL_RESULT.getCode() + ", \"msg\":\"" + Conf.SSO_LOGIN_FAIL_RESULT.getMsg() + "\", \"loginPageUrl\":\"" + ssoServer
.concat(Conf.SSO_LOGIN) + "?" + Conf.REDIRECT_URL + "="+xxlSsoProperties.getClientWebUrl()+xxlSsoProperties.getReceiveSession()+"&"+Conf.TO_URL+"=" + "\"}");
return;
}
res.sendRedirect(loginPageUrl);
return;
}
}
// ser sso user
request.setAttribute(Conf.SSO_USER, xxlUser);
// already login, allow
chain.doFilter(request, response);
return;
}
}
XxlSsoTokenFilter(sso-core)
需要单点登录用户的认证的服务引用,拦截用户的所有后台请求
- 判断请求路径是否在excludedPaths检验的路径中,如果是则拦截请求返回,跳过单点登录校验
- 检查用户是否是退出/loginout ,如果是退出操作,则清除用户的登录缓存,返回状态200,退出登录成功!
- 判断用户是否登录,根据用户请求的xxl_sso_sessionid 获取登录用户,如果获取不到怎,则返会状态501,提示sso not login
- 如果能获取到登录用户,则在request中设置登录用户,xxl_sso_user,保存登录的用户
public class XxlSsoTokenFilter extends HttpServlet implements Filter {
private static Logger logger = LoggerFactory.getLogger(XxlSsoTokenFilter.class);
private static final AntPathMatcher antPathMatcher = new AntPathMatcher();
private String ssoServer;
private String logoutPath;
private String excludedPaths;
@Override
public void init(FilterConfig filterConfig) throws ServletException {
ssoServer = filterConfig.getInitParameter(Conf.SSO_SERVER);
logoutPath = filterConfig.getInitParameter(Conf.SSO_LOGOUT_PATH);
excludedPaths = filterConfig.getInitParameter(Conf.SSO_EXCLUDED_PATHS);
logger.info("XxlSsoTokenFilter init.");
}
@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
HttpServletRequest req = (HttpServletRequest) request;
HttpServletResponse res = (HttpServletResponse) response;
// make url
String servletPath = req.getServletPath();
// excluded path check
if (excludedPaths!=null && excludedPaths.trim().length()>0) {
for (String excludedPath:excludedPaths.split(",")) {
String uriPattern = excludedPath.trim();
// 支持ANT表达式
if (antPathMatcher.match(uriPattern, servletPath)) {
// excluded path, allow
chain.doFilter(request, response);
return;
}
}
}
// logout filter
if (logoutPath!=null
&& logoutPath.trim().length()>0
&& logoutPath.equals(servletPath)) {
// logout
SsoTokenLoginHelper.logout(req);
// response
res.setStatus(HttpServletResponse.SC_OK);
res.setContentType("application/json;charset=UTF-8");
res.getWriter().println("{\"code\":"+ReturnT.SUCCESS_CODE+", \"msg\":\"\"}");
return;
}
// login filter
XxlSsoUser xxlUser = SsoTokenLoginHelper.loginCheck(req);
if (xxlUser == null) {
// response
res.setStatus(HttpServletResponse.SC_OK);
res.setContentType("application/json;charset=UTF-8");
res.getWriter().println("{\"code\":"+Conf.SSO_LOGIN_FAIL_RESULT.getCode()+", \"msg\":\""+ Conf.SSO_LOGIN_FAIL_RESULT.getMsg() +"\"}");
return;
}
// ser sso user
request.setAttribute(Conf.SSO_USER, xxlUser);
// already login, allow
chain.doFilter(request, response);
return;
}
}
用户未登录跳转至用户认证页面
1.请求关接口
包括
-
-
js css等前端静态页面
-
GET /flow-platform/message/msgtype? 获取消息类型
GET /flow-platform/message/msgtype? HTTP/1.1
Host: /前端ip:5011
Connection: keep-alive
Access-Control-Allow-Origin: *
Accept: application/json
x-requested-with: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36
Content-Type: application/json
Referer: http://前端ip:5011/xxxxx-web/home
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
HTTP/1.1 200
Server: nginx/1.26.1
Date: Sat, 14 Sep 2024 09:36:56 GMT
Content-Type: application/json;charset=UTF-8
Content-Length: 197
Connection: keep-alive
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET,POST
Access-Control-Allow-Headers: DNT,X-Mx-ReqToken,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Authorization,__gsuite_user_id,__gsuite_user_name
{“code”:501,“message”:“sso not login.”,“data”:{“loginPageUrl”:“http:/10.216.40.123:8089/sso-server/login?redirect_url=http:///前端ip:5011/flowplatform-web/flow-platform/sso/receive&to_url=”}}
-
用户退出
POST /usercenter-admin-app/logout HTTP/1.1
Host: /前端ip:5011
Connection: keep-alive
Content-Length: 0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36
Content-Type: application/json
Accept: */*
Origin: http:///前端ip:5011
Referer: http:/前端ip:5011/usercenter-admin-web/authoritymanage/usermanage
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: xxl_sso_sessionid=99779001_d9b3bd189e2540b78523e707ab6fcefb; JSESSIONID=node01rkxul7artxv61t4oxv8fffog05184.node0
HTTP/1.1 200 OK
Server: nginx/1.26.1
Date: Wed, 18 Sep 2024 03:37:49 GMT
Content-Type: application/json;charset=UTF-8
Content-Length: 135
Connection: keep-alive
Set-Cookie: xxl_sso_sessionid=""; Version=1; Path=/; Domain="http://cmos-base-usercenter/"; HttpOnly; Max-Age=0; Expires=Thu, 01-Jan-1970 00:00:00 GMT
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET,POST
Access-Control-Allow-Headers: DNT,X-Mx-ReqToken,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Authorization,__gsuite_user_id,__gsuite_user_name
{"code":501,"message":"sso not login.","data":{"loginPageUrl":"http:///前端ip:5011/sso-server/sso/receive/logout?redirect_url="}}
GET /sso-server/sso/receive/logout?redirect_url=http%3A%2F%2F前端ip%3A5011%2Fusercenter-admin-web%2F HTTP/1.1
Host: 前端ip
Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://前端ip:5011/usercenter-admin-web/authoritymanage/usermanage
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: xxl_sso_sessionid=99779001_d9b3bd189e2540b78523e707ab6fcefb; JSESSIONID=node01rkxul7artxv61t4oxv8fffog05184.node0
HTTP/1.1 404
Server: nginx/1.26.1
Date: Wed, 18 Sep 2024 03:37:50 GMT
Content-Type: text/html;charset=UTF-8
Content-Length: 341
Connection: keep-alive
Content-Language: zh-CN
<html><body><h1>Whitelabel Error Page</h1><p>This application has no explicit mapping for /error, so you are seeing this as a fallback.</p><div id='created'>Wed Sep 18 11:41:48 CST 2024</div><div>There was an unexpected error (type=Not Found, status=404).</div><div>No handler found for GET /sso-server/sso/receive/logout</div></body></html>
GET /favicon.ico HTTP/1.1
Host: 前端ip:5011
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36
Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
Referer: http://前端ip:5011/sso-server/sso/receive/logout?redirect_url=http%3A%2F%2F前端ip%3A5011%2Fusercenter-admin-web%2F
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: xxl_sso_sessionid=99779001_d9b3bd189e2540b78523e707ab6fcefb; JSESSIONID=node01rkxul7artxv61t4oxv8fffog05184.node0