Why Sa-Token Is the Most Feature‑Rich Java Authentication Framework You Need
Sa-Token is a lightweight, open‑source Java authentication framework that offers zero‑configuration login, permission checks, session handling, single sign‑on, and extensive features, with simple one‑line APIs and high extensibility for backend and security development.
Sa-Token is a lightweight Java permission authentication framework that handles login authentication, permission checks, session management, single sign‑on, OAuth2.0 and more.
It offers zero‑configuration startup, extensive built‑in features, a smooth API, and high extensibility, making it easy to integrate into various business scenarios.
Key Advantages
Simple – zero‑config, ready‑to‑use.
Powerful – dozens of permission‑related features covering most use cases.
Easy to use – one‑line API calls for advanced capabilities.
Highly extensible – most components provide extension points.
Core Functionalities
Login verification – easy login authentication with five scenario values.
Permission verification – RBAC model support.
Session management – professional data cache.
Kick‑out – immediate logout of violating users.
Persistence layer extension – integration with Redis, Memcached, etc.
Distributed session – JWT integration and shared data center options.
Single sign‑on – one login, everywhere.
Impersonation – operate as any user.
Temporary identity switch – switch session identity.
No‑Cookie mode – suitable for apps, mini‑programs.
Mutual exclusive login – similar to QQ multi‑device login.
Multi‑account authentication – separate auth for user and admin tables.
Custom token generation – six built‑in styles, customizable.
Annotation‑based auth – clean separation of concerns.
Route‑intercept auth – RESTful route protection.
Auto‑renewal – two token expiration strategies with auto‑renew.
Session governance – flexible session query APIs.
Remember‑me mode – persistent login after browser restart.
Password encryption – MD5, SHA1, SHA256, AES, RSA.
Component auto‑injection – zero‑config integration with Spring.
Code Example: Login Verification
// Write the current session's account id during login
StpUtil.setLoginId(10001);
// Later, check login status; throws NotLoginException if not logged in
StpUtil.checkLogin();The above single‑line API handles session login without global filters or complex configuration.
Permission Check Example
@SaCheckPermission("user:add")
@RequestMapping("/user/insert")
public String insert(SysUser user) {
// ...
return "用户增加";
}Kick‑out Example
// Log out the session with account id 10001
StpUtil.logoutByLoginId(10001);Additional One‑Line Operations
StpUtil.setLoginId(10001); // Mark current session login id
StpUtil.getLoginId(); // Get current login id
StpUtil.isLogin(); // Check if logged in
StpUtil.logout(); // Log out current session
StpUtil.logoutByLoginId(10001); // Force logout of specific account
StpUtil.hasRole("super-admin"); // Role check
StpUtil.hasPermission("user:add"); // Permission check
StpUtil.getSession(); // Get session of current account
StpUtil.getSessionByLoginId(10001); // Get session of specific account
StpUtil.getTokenValueByLoginId(10001); // Get token value
StpUtil.setLoginId(10001, "PC"); // Login with device identifier
StpUtil.logoutByLoginId(10001, "PC"); // Device‑specific logout
StpUtil.switchTo(10044); // Temporarily switch identitySigned-in readers can open the original source through BestHub's protected redirect.
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contactand we will review it promptly.
Architect's Guide
Dedicated to sharing programmer-architect skills—Java backend, system, microservice, and distributed architectures—to help you become a senior architect.
How this landed with the community
Was this worth your time?
0 Comments
Thoughtful readers leave field notes, pushback, and hard-won operational detail here.