1. The concept of single sign-on
Single sign-on (SSO) means that in an environment where several systems coexist, once a user has logged in at one place, they do not need to log in again to the other systems; in other words, a single login by the user is trusted by all the other systems.
2. Key points of single sign-on
①. Storing the trust; ②. Verifying the trust;
3. Three ways to implement single sign-on
①. Using a cookie as the credential
The simplest way to implement single sign-on is to use a cookie as the medium that carries the user's credential. After the user logs in to the parent application, the application returns an encrypted cookie; when the user visits a child application, the cookie is sent along, the authorizing application decrypts and validates it, and if validation passes, the current user is logged in.
Drawbacks:
- cookies are not secure;
- encryption can provide security, but if the other side gets hold of the decryption algorithm, it is all over;
- login-free access across domains cannot be achieved.
②. Implementing it with JSONP
For the cross-domain problem, JSONP can be used. After the user logs in to the parent application, the cookie matching the session is stored on the client. When the user needs to log in to a child application, the authorizing application calls a JSONP interface provided by the parent application, sending the cookie for the parent application's domain with the request; the parent application receives the request, verifies the user's login status and returns encrypted information; the child application parses the returned encrypted information to verify the user, and logs the user in if verification passes.
Drawbacks:
- Although this method solves the cross-domain problem, it treats the symptom rather than the cause: the cookie security problem remains unsolved.
③. Via page redirection
The last method introduced here is communication by redirecting back and forth between the parent application and the child application, so that information is passed securely. The parent application provides a GET login interface A (the parent interface is fixed here, so an attacker cannot forge it). The user reaches this interface through a redirect link from the child application. If the user is not yet logged in, a login page is returned and the user enters an account and password to log in. If the user is already logged in, an encrypted token is generated and the browser is redirected to interface B, provided by the child application to verify the token (the child interface is fixed here, so an attacker cannot forge it). After decryption and validation, the child application logs in the current user.
Drawbacks:
- Compared with the two previous methods, this one does solve the security and cross-domain problems, but it is not as simple as the previous two; security and convenience have always been at odds.
4. Using an independent login system
Generally speaking, large applications separate the authorization logic and the user-information logic into an independent application, called the user center. The user center handles no business logic; it only manages user information and grants authorization to third-party applications. When a third-party application needs a login, it forwards the user's login request to the user center for processing; once the user center has finished, it returns a credential, the third-party application verifies the credential, and on success logs the user in.
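The redirect flow of method ③ and the user-center hand-off of section 4, as an added example (not code from the original notes): the parent/user-center interface A mints a token bound to the child's callback interface B, and the child verifies it before logging the user in. It uses an HMAC-signed token in place of the encrypted token the text describes, and adds the expiry and audience checks that make the hand-off safe to replay-test; the shared key, URLs and field names are constructed for the demo.

```python
import base64, hashlib, hmac, json, secrets, time
from urllib.parse import parse_qs, urlencode, urlparse
from typing import Optional

# Key shared by the user center (parent) and the child app: constructed demo value, not a real key.
SHARED_KEY = b"constructed-demo-key-do-not-reuse"
TOKEN_TTL = 60  # seconds a token stays valid for the redirect hop

def _b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64u_dec(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(user_id: str, child_callback: str, now: Optional[int] = None) -> str:
    """Interface A on the parent: after login, mint a token bound to one child callback B."""
    now = int(time.time()) if now is None else now
    payload = {"sub": user_id, "aud": child_callback, "exp": now + TOKEN_TTL,
               "nonce": secrets.token_hex(8)}  # nonce lets B reject a replayed token
    body = _b64u(json.dumps(payload, sort_keys=True, separators=(",", ":")).encode())
    sig = _b64u(hmac.new(SHARED_KEY, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"

def redirect_to_child(user_id: str, child_callback: str, now: Optional[int] = None) -> str:
    """Location A sends the browser to: the child's interface B carrying the token."""
    return child_callback + "?" + urlencode({"token": issue_token(user_id, child_callback, now)})

def verify_token(token: str, expected_aud: str, now: Optional[int] = None):
    """Interface B on the child: check signature, audience and expiry; return user id or None."""
    now = int(time.time()) if now is None else now
    try:
        body, sig = token.split(".")
        expected = _b64u(hmac.new(SHARED_KEY, body.encode(), hashlib.sha256).digest())
        if not hmac.compare_digest(sig, expected):  # constant-time compare
            return None
        payload = json.loads(_b64u_dec(body))
    except (ValueError, UnicodeDecodeError):
        return None
    # aud binding stops a token issued for one child from being presented to another
    if payload.get("aud") != expected_aud or payload.get("exp", 0) <= now:
        return None
    return payload["sub"]

def handle_callback(url: str, expected_aud: str, now: Optional[int] = None):
    """What B does with the redirected request: pull the token from the query and verify it."""
    token = parse_qs(urlparse(url).query).get("token", [""])[0]
    return verify_token(token, expected_aud, now)
```

In a real deployment B would also record each nonce until its expiry so a captured redirect URL cannot be replayed within the TTL.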
5. What is the difference between SSO (single sign-on) and OAuth 2.0 (authorization)?
①. SSO (single sign-on)
Usually addresses login across the different applications of one company: for example, an enterprise application has many subsystems, and logging in to one system is enough to move between the different subsystems without logging in again; implemented via cookie, JSONP or redirection;
②. OAuth 2.0 (authorization)
Solves the problem of a service provider (such as WeChat) granting authorization to third-party applications, commonly known as "Login with WeChat"; it is a concrete protocol that only provides a secure, open and simple standard for authorizing access to user resources. OAuth 2.0 (authorization) provides specific authorization flows for client developers building web applications, desktop applications, mobile applications and living-room devices.