anchor.java

网上找的很稀有的单点登陆资料,基于对称加密算法的.

package com.yayisoft.sso.client;

import java.io.IOException;
import java.io.PrintWriter;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import com.yayisoft.sso.util.CommonUtil;
import com.yayisoft.sso.util.SSOException;

public class Anchor extends HttpServlet {

	/**
	 * 
	 */
	private static final long serialVersionUID = 1L;

	/**
	 * Constructor of the object.
	 */
	public Anchor() {
		super();
	}

	/**
	 * Destruction of the servlet. <br>
	 */
	public void destroy() {
		super.destroy(); // Just puts "destroy" string in log
		// Put your code here
	}

	/**
	 * The doGet method of the servlet. <br>
	 *
	 * This method is called when a form has its tag value method equals to get.
	 * 
	 * @param request the request send by the client to the server
	 * @param response the response send by the server to the client
	 * @throws ServletException if an error occurred
	 * @throws IOException if an error occurred
	 */
	public void doGet(HttpServletRequest request, HttpServletResponse response)
			throws ServletException, IOException {

		try {
			PrintWriter out = response.getWriter();
			HttpSession session = request.getSession(true);
			
			String url= (String) session.getAttribute("url");	
			String apply = (String) session.getAttribute("apply");
			String strips = (String) session.getAttribute("strips");		
			if (url == null ||apply == null || strips == null) {//如果targetURL是空的,那么会话不是连续的
				out.println("invalid request, U R bad Guy!!!");
				out.println("reason: target == null ");
				out.flush();
				out.close();
				session.invalidate();		
//			response.sendRedirect(Config.PAGE_LOGIN);				
				return;
			}
			
			// "?tokon=" + tokon + "&intro="+intro+"&strips="+ strips);
			String tokon = request.getParameter("tokon");// 
			String intro = request.getParameter("intro");
			strips = request.getParameter("strips");
			String tips = request.getParameter("tips");
			if (tokon == null || intro == null || strips == null || tips == null) {// put targetURL
				out.println("invalid request, U R bad Guy!!!");
				out.println("reason: tokon == null ");				
				out.flush();
				out.close();
				session.invalidate();//
//				response.sendRedirect(Config.PAGE_LOGIN);	
				return;
			} else {
				if ((!CommonUtil.checkTips(tokon, tips))||(!CommonUtil.checkIntro(intro, strips))) {//检查tips是否合法,tips是中心服务器返回的验证码
					out.println("invalid request, U R bad Guy!!!");
					out.println("reason: checkTips Failed ");
					out.flush();
					out.close();
					session.invalidate();//
//					response.sendRedirect(Config.PAGE_LOGIN);	
					return;
				} else{
					String user = CommonUtil.DecryptUser(tokon, apply, intro);//对用户名解密
					session.setAttribute("user", user);
					session.setAttribute("sessionid", session.getId());
					session.removeAttribute("target");//移除本次凭证,防止重放
					session.removeAttribute("apply");
					session.removeAttribute("strips");
					System.out.println("一个用户经过认证中心了,呵呵" + user);
					System.out.println("信息成功了\ntokon = " + tokon+"\nuser"+user+"\napply"+apply+"\nintro"+intro);
					System.out.println();
					System.out.println("他到" + url);
					response.sendRedirect(url);//转向目的地
					System.out.println("完毕");
					System.out.println();
					System.out.println();
					return;
					// 认证通过,这个tokon是我(认证中心)颁发的!
					// 我将给客户端一个通知,你是合法的公民

					// 可是这个通知如何安全给客户呢?
					// client客户用socket请求吗?socket是无法获取session信息的!可以返回一个值,确定
					//所以,必须在session的会话级别操作,不然就像CAS一样用统一SESSION_STORE保持
					

					// iframe,可以伪造

					// cookie,同一个domain域名是可以操作的!

					// 将tokon用特定算法加密,结果result发送给clinet(加key)
					// client用用特定算法解密,如果两个结果相同,那么认证成功!
				}
			}			
		} catch (SSOException e) {		
			e.printStackTrace();
		}
		// TODO 要清空 String字符串,防止窃听!!!
	}
	
	/**
	 * The doPost method of the servlet. <br>
	 *
	 * This method is called when a form has its tag value method equals to post.
	 * 
	 * @param request the request send by the client to the server
	 * @param response the response send by the server to the client
	 * @throws ServletException if an error occurred
	 * @throws IOException if an error occurred
	 */
	public void doPost(HttpServletRequest request, HttpServletResponse response)
			throws ServletException, IOException {
		this.doGet(request, response);
	}

	/**
	 * Initialization of the servlet. <br>
	 *
	 * @throws ServletException if an error occurs
	 */
	public void init() throws ServletException {
		// Put your code here
	}

}