Why Sa-Token Is the Ultimate Java Permission Framework for Secure Backend Development
Sa-Token is a lightweight, open‑source Java permission framework that offers zero‑configuration login, role and permission checks, session management, SSO, token customization and distributed support, providing developers with a simple yet powerful solution for securing backend applications.
Today we recommend an open‑source project that may be the most feature‑complete Java permission authentication framework.
What is Sa-Token?
Sa-Token is a lightweight Java permission authentication framework that primarily solves login authentication, permission verification, session handling, single sign‑on (SSO), OAuth2.0 and many other related problems.
Advantages of Sa-Token
Simple: Zero‑configuration startup, truly plug‑and‑play with low learning cost.
Powerful: Integrates dozens of permission‑related features covering most business scenarios.
Easy to use: Fluent API calls; most advanced features require only a single line of code.
Highly extensible: Almost all components provide extension interfaces, allowing over 90% of logic to be overridden as needed.
What Sa-Token Can Do
Login verification – simple login authentication with five detailed scenario values.
Permission verification – supports RBAC model for role‑based authorization.
Session management – provides a professional data cache center.
Kick offline – instantly log out violating users.
Persistent layer extension – integrates Redis, Memcached, etc., preserving data after restart.
Distributed session – offers JWT integration and shared data center solutions.
Single sign‑on – one login, everywhere access.
Impersonation – real‑time operation of any user’s state data.
Temporary identity switch – temporarily switch session identity to another account.
No‑Cookie mode – suitable for APP, mini‑programs and other front‑back separation scenarios.
Same‑device mutual exclusion login – similar to QQ, allowing simultaneous online on different devices but exclusive login on the same device.
Multi‑account authentication system – e.g., separate authentication for user and admin tables.
Custom token generation – built‑in six token styles with customizable strategies.
Annotation‑based auth – elegantly separates authorization from business code.
Route‑interception auth – supports RESTful route‑based permission checks.
Automatic renewal – provides two token expiration strategies with auto‑renewal.
Session governance – convenient flexible session query interfaces.
Component auto‑injection – zero‑configuration integration with Spring and other frameworks.
More features are being integrated.
Code Example: Login Verification
// Set the current session's login ID
StpUtil.setLoginId(10001);
// Check login status; throws NotLoginException if not logged in
StpUtil.checkLogin();
Once setLoginId has run, the session is considered logged in and checkLogin() passes; on a session that never logged in, checkLogin() throws NotLoginException.
Permission Annotation Example
@SaCheckPermission("user:add")
@RequestMapping("/user/insert")
public String insert(SysUser user) {
return "User added";
}
Only sessions with the user:add permission can access this endpoint; any other session is rejected with NotPermissionException before the method body runs.
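The annotation above only takes effect once two things are wired up, which the article's snippets leave implicit: Sa-Token must be told where an account's roles and permissions come from (the StpInterface extension point), and its interceptor must be registered with Spring MVC so that @SaCheckPermission, checkRole and the route-based checks actually run on each request. The following example is added here and is not code from the Sa-Token project or the original article; the account ids, role and permission tables are constructed sample data, and /user/doLogin is assumed to be the application's own login endpoint (one that verifies credentials before calling StpUtil.setLoginId). It also covers the hasRole/hasPermission and route-interception features listed earlier.

```java
// Added example, not part of the Sa-Token project or the original article.
// File: SaTokenConfig.java (Spring Boot application with sa-token-spring-boot-starter).
import cn.dev33.satoken.interceptor.SaInterceptor;
import cn.dev33.satoken.router.SaRouter;
import cn.dev33.satoken.stp.StpInterface;
import cn.dev33.satoken.stp.StpUtil;
import org.springframework.context.annotation.Configuration;
import org.springframework.stereotype.Component;
import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

import java.util.List;
import java.util.Map;

@Configuration
public class SaTokenConfig implements WebMvcConfigurer {

    /**
     * Sa-Token calls this interface whenever a check such as
     * StpUtil.checkPermission("user:add"), StpUtil.hasRole("super-admin")
     * or @SaCheckPermission runs. An account that is not in the table gets an
     * empty list, so an unknown or mis-keyed account is denied rather than
     * accidentally granted access (fail closed).
     */
    @Component
    public static class PermissionSource implements StpInterface {

        // Constructed sample data (account id -> roles); a real deployment
        // would query its own user/role store here.
        private static final Map<String, List<String>> ROLES = Map.of(
                "10001", List.of("super-admin"),
                "10044", List.of("user"));

        // Constructed sample data (account id -> permission codes).
        private static final Map<String, List<String>> PERMISSIONS = Map.of(
                "10001", List.of("user:add", "user:delete", "user:list"),
                "10044", List.of("user:list"));

        @Override
        public List<String> getPermissionList(Object loginId, String loginType) {
            return PERMISSIONS.getOrDefault(String.valueOf(loginId), List.of());
        }

        @Override
        public List<String> getRoleList(Object loginId, String loginType) {
            return ROLES.getOrDefault(String.valueOf(loginId), List.of());
        }
    }

    /**
     * Registers Sa-Token's interceptor. With it in place the annotations
     * (@SaCheckLogin, @SaCheckRole, @SaCheckPermission) are enforced, and the
     * route rules below apply a baseline to every request without relying on
     * each controller remembering to annotate its methods.
     */
    @Override
    public void addInterceptors(InterceptorRegistry registry) {
        registry.addInterceptor(new SaInterceptor(handler -> {
            // Every route requires a logged-in session, except the assumed
            // login endpoint that has to be reachable anonymously.
            SaRouter.match("/**")
                    .notMatch("/user/doLogin")
                    .check(r -> StpUtil.checkLogin());

            // Everything under /admin additionally requires the super-admin
            // role; this runs before any @SaCheckPermission on the handler.
            SaRouter.match("/admin/**", r -> StpUtil.checkRole("super-admin"));
        })).addPathPatterns("/**");
    }
}
```

With this configuration, a request carrying the token of account 10001 reaches the /user/insert endpoint from the article (it holds user:add), while account 10044 is turned away with NotPermissionException even though it is logged in. Because both checks are evaluated per request from StpInterface, revoking a permission in the backing store takes effect immediately without waiting for the token to expire.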
Additional API Examples
// Logout a specific account ID (kick offline)
StpUtil.logoutByLoginId(10001);
// Check role
boolean hasRole = StpUtil.hasRole("super-admin");
// Check permission
boolean hasPerm = StpUtil.hasPermission("user:add");
// Get session
SaSession session = StpUtil.getSession();
// Get token value for a specific account ID
String token = StpUtil.getTokenValueByLoginId(10001);
// Device‑specific login
StpUtil.setLoginId(10001, "PC");
// Device‑specific forced logout
StpUtil.logoutByLoginId(10001, "PC");
// Temporary identity switch
StpUtil.switchTo(10044);
Open‑Source Repository
https://github.com/click33/sa-token
Architecture Digest
Focusing on Java backend development, covering application architecture from top-tier internet companies (high availability, high performance, high stability), big data, machine learning, Java architecture, and other popular fields.
