Understanding Single Sign-On (SSO): Concepts, Implementation, and Multi‑System Integration
This article explains the fundamentals of Single Sign‑On (SSO), compares traditional single‑system login with multi‑system authentication, discusses session and cookie challenges, and provides Java Spring code examples for token‑based SSO using Redis and interceptors.
Single Sign‑On (SSO) enables a user to log in once and be automatically recognized across multiple independent systems without repeated authentication.
The article first defines SSO, contrasts it with the early monolithic login approach where all functionality resides in a single system, and describes the classic single‑system login using cookies and HTTP sessions.
It then presents typical Java Spring MVC code for login, logout, and an interceptor, showing how user credentials are validated, a token is generated, stored in Redis, written to a cookie, and how user data is kept in the session.
/**
 * User login
 */
@PostMapping(value = "/user/session", produces = {"application/json;charset=UTF-8"})
public Result login(String mobileNo, String password, String inputCaptcha, HttpSession session, HttpServletResponse response) {
    // Check that the captcha is correct
    if (WebUtils.validateCaptcha(inputCaptcha, "captcha", session)) {
        // Check whether a user with these credentials exists
        User user = userService.userLogin(mobileNo, password);
        if (user != null) {
            /* Enable automatic login for one week; the token is saved in the database */
            String loginToken = WebUtils.md5(new Date().toString() + session.getId());
            user.setLoginToken(loginToken);
            User user1 = userService.userUpload(user);
            session.setAttribute("user", user1);
            // Cookie lifetime: 604800 seconds = 7 days
            CookieUtil.addCookie(response, "loginToken", loginToken, 604800);
            return ResultUtil.success(user1);
        } else {
            return ResultUtil.error(ResultEnum.LOGIN_ERROR);
        }
    } else {
        return ResultUtil.error(ResultEnum.CAPTCHA_ERROR);
    }
}

/**
 * User logout
 */
@DeleteMapping(value = "/session", produces = {"application/json;charset=UTF-8"})
public Result logout(HttpSession session, HttpServletRequest request, HttpServletResponse response) {
    // Remove the user from the session and clear the login cookie
    session.removeAttribute("user");
    CookieUtil.clearCookie(request, response, "loginToken");
    return ResultUtil.success();
}

After the code, the article discusses the problems of multi‑system login, notably that sessions are not shared across different Tomcat instances and that cookies cannot be shared across domains.
Solutions presented include Tomcat cluster session replication, storing sessions in Redis (the recommended approach), and extracting the authentication logic into a dedicated SSO subsystem.
// Login (implemented in the standalone SSO service)
@Override
public TaotaoResult login(String username, String password) throws Exception {
    // Look up the user record by username
    TbUserExample example = new TbUserExample();
    Criteria criteria = example.createCriteria();
    criteria.andUsernameEqualTo(username);
    List<TbUser> list = userMapper.selectByExample(example);
    if (null == list || list.isEmpty()) {
        return TaotaoResult.build(400, "用户不存在"); // "user does not exist"
    }
    // Verify the password (stored as an MD5 hex digest in this example)
    TbUser user = list.get(0);
    if (!DigestUtils.md5DigestAsHex(password.getBytes()).equals(user.getPassword())) {
        return TaotaoResult.build(400, "密码错误"); // "wrong password"
    }
    // Login succeeded: store the user record in Redis under a random token and set its TTL
    String token = UUID.randomUUID().toString();
    jedisCluster.set(USER_TOKEN_KEY + ":" + token, JsonUtils.objectToJson(user));
    jedisCluster.expire(USER_TOKEN_KEY + ":" + token, SESSION_EXPIRE_TIME);
    return TaotaoResult.ok(token);
}

The article then outlines how other subsystems request the SSO service for login, receive the token, store it in a cookie, and use an interceptor to validate the token on each request.
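The interceptor the article mentions but does not show can be written as follows. This is an added example, not code from the article or the Taotao project: it assumes the SSO service stored the user JSON under the key USER_TOKEN_KEY + ":" + token with a TTL of SESSION_EXPIRE_TIME seconds (the constants, the SSO login URL and the use of Spring's StringRedisTemplate instead of JedisCluster are assumptions), and it uses the javax servlet API of Spring 5 (Spring 6 uses the jakarta packages).

```java
import java.net.URLEncoder;
import java.util.concurrent.TimeUnit;
import java.util.regex.Pattern;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.data.redis.core.StringRedisTemplate;
import org.springframework.web.servlet.HandlerInterceptor;
import org.springframework.web.util.WebUtils;

/**
 * Validates the SSO token on every request of a subsystem.
 * Assumes the SSO service wrote the user JSON to Redis exactly as in its login() method.
 */
public class SsoTokenInterceptor implements HandlerInterceptor {

    // Assumed to match the constants of the SSO service (placeholders)
    private static final String USER_TOKEN_KEY = "SESSION:USER";
    private static final long SESSION_EXPIRE_TIME = 1800L; // seconds
    private static final String SSO_LOGIN_URL = "https://sso.example.test/login"; // placeholder
    // The SSO service issues UUID tokens; reject anything else before touching Redis
    private static final Pattern UUID_SHAPE = Pattern.compile("^[0-9a-fA-F-]{36}$");

    private final StringRedisTemplate redis;

    public SsoTokenInterceptor(StringRedisTemplate redis) {
        this.redis = redis;
    }

    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler)
            throws Exception {
        Cookie cookie = WebUtils.getCookie(request, "loginToken");
        String token = cookie == null ? null : cookie.getValue();
        String userJson = null;
        if (token != null && UUID_SHAPE.matcher(token).matches()) {
            // Missing key means the token is unknown or its TTL has expired
            userJson = redis.opsForValue().get(USER_TOKEN_KEY + ":" + token);
        }
        if (userJson == null) {
            if ("XMLHttpRequest".equals(request.getHeader("X-Requested-With"))) {
                // AJAX callers cannot follow a redirect to a login page; answer 401 instead
                response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
                return false;
            }
            // Browser request: send it to the SSO center with the URL to come back to
            String redirect = URLEncoder.encode(request.getRequestURL().toString(), "UTF-8");
            response.sendRedirect(SSO_LOGIN_URL + "?redirect=" + redirect);
            return false;
        }
        // Valid token: expose the user to the controller and slide the expiry window
        request.setAttribute("user", userJson);
        redis.expire(USER_TOKEN_KEY + ":" + token, SESSION_EXPIRE_TIME, TimeUnit.SECONDS);
        return true;
    }
}
```

Register it with a WebMvcConfigurer (addInterceptors) and exclude the login and static paths; because the token lookup goes to the shared Redis rather than to the local HttpSession, the check behaves the same on every Tomcat instance, which is the point of the multi-system design above.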
Finally, the CAS (Central Authentication Service) flow is described: an unauthenticated request is redirected to the SSO center, where the user logs in and a global session is created (its token stored in a cookie); the SSO center then redirects back to the original application with the token, which the application validates before establishing its own local session.
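The flow just described, as an added in-memory model that is not part of the article or of CAS itself: the SSO center keeps the global session and hands out single-use tickets, each application keeps its own local session, and the redirects are returned as strings rather than sent as HTTP 302 responses. The class names, the example.test URLs and the password check are all constructed for the illustration.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;

/** In-memory model of the CAS-style redirect flow (constructed example; no real HTTP). */
public class CasFlowDemo {

    private static final SecureRandom RNG = new SecureRandom();

    /** Unguessable identifier used for cookies, tickets and session ids. */
    static String randomId() {
        byte[] b = new byte[16];
        RNG.nextBytes(b);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(b);
    }

    /** The SSO center: owns the global session and issues one-time service tickets. */
    static class SsoCenter {
        static final String LOGIN_URL = "https://sso.example.test/login"; // placeholder
        private final Map<String, String> globalSessions = new HashMap<>(); // cookie value -> user
        private final Map<String, String> tickets = new HashMap<>();        // ticket -> user

        /** Login page: on success a global session is created and its id goes into a cookie. */
        String login(String username, String password) {
            if (!"secret".equals(password)) throw new IllegalArgumentException("bad credentials"); // constructed
            String cookie = randomId();
            globalSessions.put(cookie, username);
            return cookie;
        }

        /** With a valid global-session cookie, redirect back to the service carrying a fresh ticket. */
        Optional<String> redirectBack(String cookie, String serviceUrl) {
            String user = globalSessions.get(cookie);
            if (user == null) return Optional.empty(); // no global session: the login page is shown instead
            String ticket = randomId();
            tickets.put(ticket, user);
            return Optional.of(serviceUrl + "?ticket=" + ticket);
        }

        /** Back-channel validation by the application; the ticket is consumed on first use. */
        Optional<String> validate(String ticket) {
            return Optional.ofNullable(tickets.remove(ticket));
        }
    }

    /** One application protected by the center; it keeps its own local session. */
    static class App {
        private final String serviceUrl;
        private final SsoCenter sso;
        private final Map<String, String> localSessions = new HashMap<>(); // local session id -> user

        App(String serviceUrl, SsoCenter sso) { this.serviceUrl = serviceUrl; this.sso = sso; }

        /** A request without a local session is redirected to the SSO center. */
        String handle(String localSessionId) {
            String user = localSessionId == null ? null : localSessions.get(localSessionId);
            if (user != null) return "200 hello " + user;
            return "302 " + SsoCenter.LOGIN_URL + "?service=" + serviceUrl;
        }

        /** The browser comes back with ?ticket=...; validate it and open a local session. */
        Optional<String> consumeTicket(String ticket) {
            return sso.validate(ticket).map(user -> {
                String sid = randomId();
                localSessions.put(sid, user);
                return sid;
            });
        }
    }

    static String ticketFrom(String redirectUrl) {
        return redirectUrl.substring(redirectUrl.indexOf("?ticket=") + "?ticket=".length());
    }

    public static void main(String[] args) {
        SsoCenter sso = new SsoCenter();
        App app1 = new App("https://app1.example.test/", sso);
        App app2 = new App("https://app2.example.test/", sso);

        System.out.println(app1.handle(null));                  // 302 to the SSO center
        String cookie = sso.login("alice", "secret");            // global session created
        String t1 = ticketFrom(sso.redirectBack(cookie, "https://app1.example.test/").get());
        String sid1 = app1.consumeTicket(t1).get();             // local session in app1
        System.out.println(app1.handle(sid1));                  // 200 hello alice

        // Second application: no new login, the global session cookie alone yields a ticket
        String t2 = ticketFrom(sso.redirectBack(cookie, "https://app2.example.test/").get());
        System.out.println(app2.handle(app2.consumeTicket(t2).get()));

        // A ticket is single-use, so replaying it opens no session
        System.out.println(app1.consumeTicket(t1).isPresent()); // false
    }
}
```

Two properties of the model matter in a real deployment: the ticket is validated over the back channel (application to SSO center), so the browser never learns anything it could forge, and it is removed on first use, so a ticket captured from a URL or a log cannot be replayed.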
Java Captain
Focused on Java technologies: SSM, the Spring ecosystem, microservices, MySQL, MyCat, clustering, distributed systems, middleware, Linux, networking, multithreading; occasionally covers DevOps tools like Jenkins, Nexus, Docker, ELK; shares practical tech insights and is dedicated to full‑stack Java development.