Spring Boot项目中实现单点登录(SSO)完整指南

单点登录(Single Sign-On, SSO)是一种身份验证机制，允许用户使用一组凭证(如用户名和密码)登录多个相关但独立的系统。

一、单点登录的核心原理

SSO的核心原理使集中认证、分散授权，主要流程如下：

1.用户访问应用A

2.应用A检查本地会话，发现未登录

3.重定向到SSO认证中心

4.用户在认证中心登录

5.认证中心创建全局会话，并颁发令牌

6.用户携带令牌返回应用A

7.应用A向认证中心验证令牌

8.认证中心返回用户信息，应用A创建本地会话

9.用户访问应用B时重复2-8流程(但无需重复登录)

二、Spring Boot实现SSO的三种主流方案

方案1：基于OAuth2的实现(推荐)

1.添加依赖

<!-- Spring Security OAuth2 -->
<dependency><groupId>org.springframework.boot</groupId><artifactId>spring-boot-starter-oauth2-client</artifactId>
</dependency>
<dependency><groupId>org.springframework.boot</groupId><artifactId>spring-boot-starter-oauth2-resource-server</artifactId>
</dependency>

2.认证中心配置

@Configuration
@EnableAuthorizationServer
public class AuthServerConfig extends AuthorizationServerConfigurerAdapter {@Overridepublic void configure(ClientDetailsServiceConfigurer clients) throws Exception {clients.inMemory().withClient("client1").secret(passwordEncoder().encode("secret1")).authorizedGrantTypes("authorization_code", "refresh_token").scopes("read", "write").redirectUris("http://localhost:8081/login/oauth2/code/client1").autoApprove(true);}@Beanpublic PasswordEncoder passwordEncoder() {return new BCryptPasswordEncoder();}
}

3.资源服务配置

@Configuration
@EnableResourceServer
public class ResourceServerConfig extends ResourceServerConfigurerAdapter {@Overridepublic void configure(HttpSecurity http) throws Exception {http.authorizeRequests().antMatchers("/api/**").authenticated().anyRequest().permitAll();}
}

4.客户端应用配置

# application.yml
spring:security:oauth2:client:registration:sso:client-id: client1client-secret: secret1authorization-grant-type: authorization_coderedirect-uri: "{baseUrl}/login/oauth2/code/{registrationId}"scope: read,writeprovider:sso:issuer-uri: http://localhost:8080

方案2：基于JWT实现

1.添加依赖

<dependency><groupId>io.jsonwebtoken</groupId><artifactId>jjwt</artifactId><version>0.9.1</version>
</dependency>

2.JWT工具类

public class JwtTokenUtil {private static final String SECRET = "your-secret-key";private static final long EXPIRATION = 86400000; // 24小时public static String generateToken(UserDetails userDetails) {return Jwts.builder().setSubject(userDetails.getUsername()).setIssuedAt(new Date()).setExpiration(new Date(System.currentTimeMillis() + EXPIRATION)).signWith(SignatureAlgorithm.HS512, SECRET).compact();}public static String getUsernameFromToken(String token) {return Jwts.parser().setSigningKey(SECRET).parseClaimsJws(token).getBody().getSubject();}
}

3.认证过滤器

public class JwtAuthenticationFilter extends OncePerRequestFilter {@Overrideprotected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain) throws IOException, ServletException {String token = resolveToken(request);if (token != null && validateToken(token)) {String username = JwtTokenUtil.getUsernameFromToken(token);UserDetails userDetails = userDetailsService.loadUserByUsername(username);UsernamePasswordAuthenticationToken authentication = new UsernamePasswordAuthenticationToken(userDetails, null, userDetails.getAuthorities());authentication.setDetails(new WebAuthenticationDetailsSource().buildDetails(request));SecurityContextHolder.getContext().setAuthentication(authentication);}chain.doFilter(request, response);}private String resolveToken(HttpServletRequest request) {String bearerToken = request.getHeader("Authorization");if (StringUtils.hasText(bearerToken) && bearerToken.startsWith("Bearer ")) {return bearerToken.substring(7);}return null;}
}

方案3：基于CAS实现

1.添加CAS客户端依赖

<dependency><groupId>org.jasig.cas.client</groupId><artifactId>cas-client-support-springboot</artifactId><version>3.6.4</version>
</dependency>

2.CAS配置

@Configuration
public class CasConfig {@Value("${cas.server.url}")private String casServerUrl;@Value("${cas.service.url}")private String serviceUrl;@Beanpublic FilterRegistrationBean<AuthenticationFilter> casAuthenticationFilter() {FilterRegistrationBean<AuthenticationFilter> registration = new FilterRegistrationBean<>();registration.setFilter(new AuthenticationFilter());registration.addInitParameter("casServerLoginUrl", casServerUrl + "/login");registration.addInitParameter("serverName", serviceUrl);registration.addUrlPatterns("/*");return registration;}@Beanpublic ServletListenerRegistrationBean<SingleSignOutHttpSessionListener> casSingleSignOutListener() {return new ServletListenerRegistrationBean<>(new SingleSignOutHttpSessionListener());}
}

三、SSO实现的关键技术点

1.会话管理

• 分布式会话：使用Redis存储会话信息

  @Bean
  public RedisIndexedSessionRepository sessionRepository(RedisOperations<String, Object> redisOperations) {return new RedisIndexedSessionRepository(redisOperations);
  }
  

• Session共享配置

  spring:session:store-type: redisredis:flush-mode: on_savenamespace: spring:session
  

2.跨域问题解决

@Configuration
public class CorsConfig implements WebMvcConfigurer {@Overridepublic void addCorsMappings(CorsRegistry registry) {registry.addMapping("/**").allowedOrigins("*").allowedMethods("GET", "POST", "PUT", "DELETE").allowedHeaders("*").allowCredentials(true).maxAge(3600);}
}

3.安全配置

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {@Overrideprotected void configure(HttpSecurity http) throws Exception {http.csrf().disable().authorizeRequests().antMatchers("/login", "/oauth/**").permitAll().anyRequest().authenticated().and().formLogin().loginPage("/login").and().logout().logoutUrl("/logout").logoutSuccessUrl("/").invalidateHttpSession(true).deleteCookies("JSESSIONID");}
}

四、SSO实现的最佳实践

1.安全性考虑：

• 使用HTTPS加密所有通信
• 实现令牌的短期有效性(设置合理的过期时间)
• 防范CSRF攻击

2.性能优化：

• 使用缓存减少令牌验证的数据库查询
• 实现令牌的自动续期机制

3.用户体验：

• 实现无缝跳转，避免多次重定向
• 提供清晰的登录状态提示

4.监控与日志

• 记录所有认证事件
• 实现异常登录的告警机制

五、三种SSO方案对比

方案	优点	缺点	适用场景
OAuth2	标准协议，安全性高，扩展性强	实现复杂度较高	企业级应用，多平台集成
JWT	无状态，性能好，适合分布式系统	令牌无法主动失效	微服务架构，前后端分离
CAS	专为SSO设计，功能完善	需要额外部署CAS服务器	传统企业应用，教育系统

六、常见问题解决方案

1.令牌失效问题

• 实现令牌刷新机制
• 使用Redis黑名单管理已注销令牌

2.跨域会话问题

• 设置正确的Cookie域和路径

  @Bean
  public CookieSerializer cookieSerializer() {DefaultCookieSerializer serializer = new DefaultCookieSerializer();serializer.setCookieName("JSESSIONID");serializer.setCookiePath("/");serializer.setDomainNamePattern("^.+?\\.(\\w+\\.[a-z]+)$");return serializer;
  }
  

3.多因素认证集成

@Override
protected void configure(HttpSecurity http) throws Exception {http.authorizeRequests().antMatchers("/login").permitAll().antMatchers("/mfa-verify").hasRole("PRE_AUTH").anyRequest().fullyAuthenticated().and().formLogin().loginPage("/login").successHandler((request, response, authentication) -> {if (needsMfa(authentication)) {response.sendRedirect("/mfa-verify");} else {response.sendRedirect("/home");}});
}