Discover Sa-Token: The Most Feature‑Rich Java Authentication Framework

Sa-Token is a lightweight Java permission authentication framework that offers zero‑configuration login, comprehensive permission checks, session management, single sign‑on, OAuth2.0 support, distributed sessions, token customization, and many advanced features, with simple one‑line API calls illustrated by clear code examples.

Architect's Guide

Today we recommend a superb open‑source project that claims to be the most feature‑rich Java permission authentication framework.

Sa‑Token is a lightweight Java permission authentication framework that primarily solves login authentication, permission verification, session handling, single sign‑on, OAuth2.0 and a series of other permission‑related problems.

The framework provides extensive adaptations for common business scenarios such as kicking users offline, automatic token renewal, front‑back separation, and distributed sessions. Compared with other authentication frameworks, Sa‑Token offers the following advantages:

Simple – Zero‑configuration startup, truly plug‑and‑play, low learning cost.

Powerful – Integrates dozens of permission‑related features covering most business scenarios.

Easy to use – Smooth API calls; many advanced features can be achieved with a single line of code.

Highly extensible – Almost all components provide extension interfaces; over 90% of logic can be overridden as needed.

Key functional features of Sa‑Token include:

Login verification – Easy login authentication with five detailed scenario values.

Permission verification – Supports RBAC model for role‑based authorization.

Session management – Professional data cache center.

Kick‑out – Instantly log out violating users.

Persistence extension – Integrates Redis, Memcached, etc., preserving data across restarts.

Distributed sessions – Offers JWT integration and shared data center solutions.

Single sign‑on – One login, everywhere access.

Impersonation – Real‑time operation of any user’s state data.

Temporary identity switch – Temporarily switch session identity to another account.

No‑Cookie mode – Suitable for APP, mini‑programs, and other front‑back separation scenarios.

Mutually exclusive login on the same device – Like QQ, mobile and PC can be online simultaneously, but two mobiles cannot be logged in at the same time.

Multi‑account authentication – Separate authentication for user and admin tables in e‑commerce projects.

Custom token generation – Six built‑in token styles with customizable generation strategies.

Annotation‑based authorization – Elegantly separate authorization from business code.

Route‑intercept authorization – Route‑based permission checks, compatible with RESTful patterns.

Automatic renewal – Two token expiration strategies with optional auto‑renewal.

Session governance – Flexible session query interfaces.

Remember‑me mode – Supports “remember me” to bypass login after browser restart.

Password encryption – Provides MD5, SHA1, and SHA256 hashing utilities and AES and RSA encryption utilities.

Component auto‑injection – Zero‑configuration integration with Spring and other frameworks.

Code Example – Login Verification

// Write the current session's account ID during login
StpUtil.setLoginId(10001);

// Later, check login status; throws NotLoginException if not logged in
StpUtil.checkLogin();

Login authentication with Sa‑Token is that simple: no global filters or complex configuration, just a single API call.

Permission Check Example (requires "user:add" permission)

@SaCheckPermission("user:add")
@RequestMapping("/user/insert")
public String insert(SysUser user) {
    // ...
    return "User added";
}
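
The annotation above only states which permission is required; the framework still has to be told which permissions each account holds. The following is an added example, not code from the original article or the Sa‑Token project, showing one way to supply that data by implementing Sa‑Token's StpInterface extension point. It assumes a Sa‑Token release in which StpInterface declares getPermissionList and getRoleList returning List<String>, a Spring application, and Java 9+; the class name DemoPermissionSource and the in‑memory account data are hypothetical.

```java
import cn.dev33.satoken.stp.StpInterface;
import org.springframework.stereotype.Component;

import java.util.Collections;
import java.util.List;
import java.util.Map;

// Hypothetical class name; registered as a Spring bean so Sa-Token can find it.
@Component
public class DemoPermissionSource implements StpInterface {

    // Constructed sample data keyed by login ID. A real application would
    // load this from its user/role tables instead of hard-coding it.
    private static final Map<String, List<String>> PERMISSIONS = Map.of(
            "10001", List.of("user:add", "user:view"),
            "10002", List.of("user:view"));

    private static final Map<String, List<String>> ROLES = Map.of(
            "10001", List.of("admin"),
            "10002", List.of("auditor"));

    // Called by the framework when a permission check such as
    // @SaCheckPermission("user:add") runs for the logged-in account.
    @Override
    public List<String> getPermissionList(Object loginId, String loginType) {
        // Unknown accounts get an empty list, so every check is denied.
        return PERMISSIONS.getOrDefault(String.valueOf(loginId),
                Collections.emptyList());
    }

    // Called by the framework for role checks.
    @Override
    public List<String> getRoleList(Object loginId, String loginType) {
        return ROLES.getOrDefault(String.valueOf(loginId),
                Collections.emptyList());
    }
}
```

With this sample data, account 10001 passes the "user:add" check on /user/insert, while account 10002 and any account missing from the map are rejected.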

Kick‑out Example

// Log out the session with account ID 10001
StpUtil.logoutByLoginId(10001);

Beyond these examples, Sa‑Token can accomplish many tasks with a single line of code, such as setting and retrieving login IDs, checking login status, logging out, role and permission checks, session retrieval, token value extraction, device‑specific login/logout, and temporary identity switching.
