Java cookie-based SSO middleware

Published 2022-09-14, last updated 2025-02-24

Kisso (cookie SSO) is a cookie-based SSO middleware: a Swiss Army knife for rapidly building login systems (SSO) for Java web applications.


The SpringMvc module is a demo of kisso-based SSO.

Log in and out

1. Start the application and open http://localhost:8080/login ; log in with user kisso and password 123.
2. After a successful login, inspect the browser's cookies: a cookie named kisso is present, which means kisso is integrated.
3. Open http://localhost:8080/logout and confirm that the kisso cookie disappears.

Permissions

1. While logged in, open http://localhost:8080/test/permission/index.html ; the user has the required permission, so the logged-in user is displayed.
2. Open http://localhost:8080/test/permission/userinfo.html without the required permission; the "no permission" page is shown.

Kisso Spring Boot demo

1. Run the Application class.
2. Open http://localhost:8080/token ; you are prompted to log in.
3. Log in at http://localhost:8080/login ; after a successful login, go back to step 2 to view the token.

Repository

https://search.maven.org/search?q=g:com.baomidou

<dependency>
<groupId>com.baomidou</groupId>
<artifactId>kisso</artifactId>
<version>3.8.1</version>
</dependency>
Usage

Generate a JWT ticket. The client then sets the request header to 'accessToken=<ticket content>' on each call; this suits single sign-on when the front end and back end are deployed separately.
String jwtToken = SSOToken.create().setId(1).setIssuer("admin").setOrigin(TokenOrigin.HTML5).getToken();

Parse the ticket
SSOToken ssoToken = SSOToken.parser(jwtToken);

Cookie Pattern Settings
SSOHelper.setCookie(request, response, new SSOToken().setId(String.valueOf(1)).setIssuer("admin"));
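Putting the ticket and cookie snippets together, as an added example that is not kisso's own code: a login endpoint issues the ticket for a front/back-end separated client, and a helper validates the accessToken header on later requests; the cookie variant is kept alongside for browser clients. The TokenOrigin import path and the behaviour of parser() on an invalid ticket (null or an exception) are assumptions; the kisso calls themselves are the ones shown above.

```java
// Added example (not kisso's code). Assumptions: package path of TokenOrigin, and that
// SSOToken.parser() either returns null or throws when the signature does not verify.
import com.baomidou.kisso.SSOHelper;
import com.baomidou.kisso.SSOToken;
import com.baomidou.kisso.enums.TokenOrigin; // assumed package path

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.util.Optional;

public class TicketExample {

    /** Header mode: issue a ticket for user id {@code userId}; the client sends it back as "accessToken". */
    public static String issueTicket(long userId) {
        return SSOToken.create()
                .setId(userId)
                .setIssuer("admin")
                .setOrigin(TokenOrigin.HTML5)
                .getToken();
    }

    /** Validate the header; an empty Optional means "not logged in" (header missing, tampered or expired). */
    public static Optional<SSOToken> authenticate(HttpServletRequest request) {
        String ticket = request.getHeader("accessToken");
        if (ticket == null || ticket.isEmpty()) {
            return Optional.empty();
        }
        try {
            // parser() verifies the signature with kisso.config.sign-key (HS512) or the
            // configured RSA certificate (RS512); claims are only trusted after that check.
            return Optional.ofNullable(SSOToken.parser(ticket));
        } catch (RuntimeException e) {
            // Assumption: some versions throw on a bad signature; treat it exactly like "no token".
            return Optional.empty();
        }
    }

    /** Cookie mode, for browser clients: kisso writes the ticket into the "kisso" cookie. */
    public static void loginWithCookie(HttpServletRequest request, HttpServletResponse response, long userId) {
        SSOHelper.setCookie(request, response,
                new SSOToken().setId(String.valueOf(userId)).setIssuer("admin"));
    }
}
```

In header mode the ticket is a bearer credential: keep it out of URLs and access logs, and treat every parse failure as "not logged in" rather than reading claims from a token whose signature was not verified.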

Login permission interceptor: class SSOSpringInterceptor
Annotation that exempts a handler from interception: @LoginIgnore
yml configuration: kisso.config….

Spring Boot

import org.springframework.context.annotation.Configuration;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
// plus the kisso import for SSOSpringInterceptor and the import of your own LoginHandlerInterceptor

@ControllerAdvice
@Configuration
public class WebConfig implements WebMvcConfigurer {

    @Override
    public void addInterceptors(InterceptorRegistry registry) {
        // SSO authorization interceptor: protects every path except the SSO endpoints under /v1/sso/
        SSOSpringInterceptor ssoInterceptor = new SSOSpringInterceptor();
        ssoInterceptor.setHandlerInterceptor(new LoginHandlerInterceptor());
        registry.addInterceptor(ssoInterceptor).addPathPatterns("/**").excludePathPatterns("/v1/sso/**");
    }
}
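
The registration above references a LoginHandlerInterceptor that the page does not show. As an added example (not kisso's code), here is one such handler, plus a controller that uses @LoginIgnore for a public endpoint. It assumes kisso's SSOHandlerInterceptor interface with preTokenIsNull and preTokenIsNullAjax callbacks (invoked when no valid ticket is present; returning false stops the request), the package paths shown, and SSOHelper.getSSOToken(request) for reading the already-verified token.

```java
// Added example (not kisso's code). Assumed: the SSOHandlerInterceptor interface and its
// two callbacks, the kisso package paths, and SSOHelper.getSSOToken(request).
import com.baomidou.kisso.SSOHelper;
import com.baomidou.kisso.SSOToken;
import com.baomidou.kisso.annotation.LoginIgnore;                  // assumed package path
import com.baomidou.kisso.web.handler.SSOHandlerInterceptor;      // assumed package path

import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;

public class LoginHandlerInterceptor implements SSOHandlerInterceptor {

    /** Browser navigation without a valid ticket: send the user to the login page. */
    @Override
    public boolean preTokenIsNull(HttpServletRequest request, HttpServletResponse response) {
        try {
            response.sendRedirect("/login");
        } catch (IOException ignored) {
            // nothing sensible to do; the request is rejected either way
        }
        return false; // do not continue to the handler
    }

    /** XHR/fetch call without a valid ticket: answer 401 JSON instead of an HTML redirect. */
    @Override
    public boolean preTokenIsNullAjax(HttpServletRequest request, HttpServletResponse response) {
        try {
            response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            response.setContentType("application/json;charset=UTF-8");
            response.getWriter().write("{\"code\":401,\"msg\":\"login required\"}");
        } catch (IOException ignored) {
            // same as above
        }
        return false;
    }
}

@RestController
class DemoController {

    /** Public endpoint: @LoginIgnore tells SSOSpringInterceptor not to require a ticket here. */
    @LoginIgnore
    @GetMapping("/health")
    public String health() {
        return "ok";
    }

    /** Protected endpoint: the interceptor already verified the ticket before we get here. */
    @GetMapping("/token")
    public String token(HttpServletRequest request) {
        SSOToken token = SSOHelper.getSSOToken(request); // assumed helper; non-null once intercepted
        return "logged in as user id " + token.getId();
    }
}
```

Keep the @LoginIgnore list short and reviewable: every method carrying it is reachable without a ticket, so it belongs on health checks and the login page itself, not on anything that reads user data.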
Default algorithm: HS512
HS512 key: configuration parameter kisso.config.sign-key
SSOHelper.getHS512SecretKey()

Switch to the RS512 algorithm

1. Configure the algorithm
kisso.config.sign-algorithm = RS512

2. Configure the private key and the public key certificate; by default they are placed in the resources directory.

RSA key: configuration parameter kisso.config.rsa-jks-store
Other distinguished-name fields: CN=Server, OU=Unit, O=Organization, L=City, S=State, C=US
Generate the RSA key pair in a jks keystore:
$ keytool -genkeypair -alias jwtkey -keyalg RSA -dname "CN=llt" -keypass keypassword -keystore key.jks -storepass jkspassword

Export the RSA certificate
RSA public key: configuration parameter kisso.config.rsa-cert-store
$ keytool -export -alias jwtkey -file public.cert -keystore key.jks -storepass jkspassword
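
To confirm that the keystore and the exported certificate belong together before pointing kisso.config.rsa-jks-store and kisso.config.rsa-cert-store at them, the following added example (JDK only, not kisso's code) signs a byte string with the private key from key.jks and verifies it with public.cert using SHA512withRSA, the primitive behind RS512. It assumes the alias and passwords from the keytool commands above and both files on the classpath.

```java
// Added example (not kisso's code): consistency check for the RS512 key material.
// Assumes key.jks / public.cert from the keytool commands above are on the classpath.
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.security.cert.CertificateFactory;

public class Rs512KeyCheck {
    static final String ALIAS = "jwtkey";                       // from the keytool commands above
    static final char[] STORE_PASS = "jkspassword".toCharArray();
    static final char[] KEY_PASS = "keypassword".toCharArray();

    static PrivateKey loadPrivateKey() throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = Rs512KeyCheck.class.getResourceAsStream("/key.jks")) {
            if (in == null) throw new IllegalStateException("key.jks not found on classpath");
            ks.load(in, STORE_PASS);
        }
        PrivateKey key = (PrivateKey) ks.getKey(ALIAS, KEY_PASS);
        if (key == null) throw new IllegalStateException("alias " + ALIAS + " not in keystore");
        return key;
    }

    static PublicKey loadPublicKey() throws Exception {
        try (InputStream in = Rs512KeyCheck.class.getResourceAsStream("/public.cert")) {
            if (in == null) throw new IllegalStateException("public.cert not found on classpath");
            return CertificateFactory.getInstance("X.509").generateCertificate(in).getPublicKey();
        }
    }

    static byte[] sign(byte[] data, PrivateKey key) throws Exception {
        Signature s = Signature.getInstance("SHA512withRSA");   // RS512 = RSA PKCS#1 v1.5 over SHA-512
        s.initSign(key);
        s.update(data);
        return s.sign();
    }

    static boolean verify(byte[] data, byte[] sig, PublicKey key) throws Exception {
        Signature s = Signature.getInstance("SHA512withRSA");
        s.initVerify(key);
        s.update(data);
        return s.verify(sig);
    }

    public static void main(String[] args) throws Exception {
        byte[] payload = "header.payload".getBytes(StandardCharsets.UTF_8); // constructed sample
        byte[] sig = sign(payload, loadPrivateKey());
        System.out.println("signature verifies: " + verify(payload, sig, loadPublicKey()));
        payload[0] ^= 1; // flip one bit: the same signature must now be rejected
        System.out.println("tampered payload verifies: " + verify(payload, sig, loadPublicKey()));
    }
}
```

Only the service that issues tickets needs key.jks; every service that merely validates tickets needs nothing more than public.cert, which is the main operational reason to prefer RS512 over the shared-secret HS512 default.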
Common security policies

1. Secure: a cookie marked Secure is only sent to the server in requests encrypted with HTTPS. With HTTPS, the cookie is protected against theft and tampering while in transit between the browser and the web server.

2. HttpOnly: setting the HttpOnly attribute prevents client-side scripts from reading the cookie through document.cookie and similar interfaces, which helps limit the damage of XSS attacks.

3. SameSite: the SameSite attribute prevents the cookie from being sent on cross-site requests, which mitigates CSRF attacks.

SameSite can take the following three values:
1. Strict: the browser sends the cookie only on same-site requests, i.e. when the site of the current page matches the site of the request.
2. Lax: a subset of cross-site requests may still carry the cookie.
3. None: the cookie is sent regardless of whether the request is cross-site.
The reason cookies are no longer received on cross-site requests is that the old default behaved like None, and since Chrome 80 the default is Lax.

The security configuration is as follows:

kisso:
  config:
    # Only sent over HTTPS, so the ticket is not exposed on the wire
    cookie-secure: true
    # Not readable from script, which limits what an XSS attack can steal
    cookie-http-only: true
    # Not sent on cross-site requests, which mitigates CSRF
    cookie-same-site: Lax
    # Signing algorithm: RS512 (RSA)
    sign-algorithm: RS512
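
A quick way to confirm that the configuration above actually reaches the browser is to inspect the Set-Cookie header the login response emits. The following added example (not kisso's code) parses a Set-Cookie value and reports which of the three policies it violates; the two sample header values are constructed.

```java
// Added example (not kisso's code): audit a Set-Cookie header against the three policies above.
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Locale;
import java.util.Set;

public class CookiePolicyAudit {

    /** Returns one finding per missing or unsafe attribute; an empty list means the cookie passes. */
    public static List<String> findings(String setCookie) {
        List<String> out = new ArrayList<>();
        String[] parts = setCookie.split(";");
        String name = parts[0].split("=", 2)[0].trim();      // "kisso=..." -> "kisso"
        Set<String> attrs = new HashSet<>();
        String sameSite = null;
        for (int i = 1; i < parts.length; i++) {
            String p = parts[i].trim();
            int eq = p.indexOf('=');
            String key = (eq < 0 ? p : p.substring(0, eq)).trim().toLowerCase(Locale.ROOT);
            attrs.add(key);
            if (key.equals("samesite") && eq >= 0) {
                sameSite = p.substring(eq + 1).trim();
            }
        }
        if (!attrs.contains("secure")) {
            out.add(name + ": missing Secure (set kisso.config.cookie-secure: true)");
        }
        if (!attrs.contains("httponly")) {
            out.add(name + ": missing HttpOnly (set kisso.config.cookie-http-only: true)");
        }
        if (sameSite == null) {
            out.add(name + ": no SameSite attribute; browsers since Chrome 80 default to Lax, set it explicitly");
        } else if (sameSite.equalsIgnoreCase("None") && !attrs.contains("secure")) {
            out.add(name + ": SameSite=None is only honoured together with Secure");
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample headers: a weak cookie and the hardened form the config above produces.
        String weak = "kisso=abc.def.ghi; Path=/";
        String hardened = "kisso=abc.def.ghi; Path=/; Secure; HttpOnly; SameSite=Lax";
        System.out.println(findings(weak));      // three findings
        System.out.println(findings(hardened));  // []
    }
}
```

Run it against the real login response (for example with the header value copied from the browser's network panel) after every change to the kisso.config block, since a mismatch there silently undoes all three protections.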



Ictcoder Free Source Code Java cookie-based SSO middleware https://ictcoder.com/java-cookie-based-sso-middleware/
