📄 validate.java

📁 A rare single sign-on (SSO) resource found online, based on a symmetric encryption algorithm.
💻 JAVA
package com.yayisoft.sso.center;

import java.io.IOException;
import java.io.PrintWriter;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import com.yayisoft.sso.util.Config;
import com.yayisoft.sso.util.SSOException;
import com.yayisoft.sso.util.CommonUtil;

public class Validate extends HttpServlet {

	/**
	 * 
	 */
	private static final long serialVersionUID = 1L;

	/**
	 * Constructor of the object.
	 */
	public Validate() {
		super();
	}

	/**
	 * Destruction of the servlet. <br>
	 */
	public void destroy() {
		super.destroy(); // Just puts "destroy" string in log
		// Put your code here
	}

	/**
	 * The doGet method of the servlet. <br>
	 * 
	 * This method is called when a form has its method attribute set to GET.
	 * 
	 * @param request
	 *            the request sent by the client to the server
	 * @param response
	 *            the response sent by the server to the client
	 * @throws ServletException
	 *             if an error occurred
	 * @throws IOException
	 *             if an error occurred
	 */
	public void doGet(HttpServletRequest request, HttpServletResponse response)
			throws ServletException, IOException {

		try {
			response.setContentType("text/html");
			PrintWriter out = response.getWriter();
			HttpSession session = request.getSession(true);
			String user = (String) session.getAttribute("user");
			String sessionid = (String) session.getAttribute("sessionid");
			if (user == null || sessionid == null) {
				// If user and session id are null, the session is not
				// continuous.
				// not a validated user, send to login page
				// out.println("invalid request, U R bad Guy!!!");
				// out.println("reason: not login,null user ");
				// out.flush();
				// out.close();

				session.invalidate();
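				String url = request.getParameter("url");
				if (url != null) {
					// Encode the caller-supplied value so that it stays a
					// single query parameter of the login URL.
					String loginUrl = Config.PAGE_LOGIN + "?url="
							+ java.net.URLEncoder.encode(url, "UTF-8");
					System.out.println("Validate:未认证用户转到认证页面:" + loginUrl);
					response.sendRedirect(loginUrl);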
					return;
				} else {
					response.sendRedirect(Config.PAGE_LOGIN);
					return;
				}
			}

			// "?target=" + target + "&apply=" + apply + "&strips=" + strips);
			// TODO check that target is inside our own subdomains, or move the
			// check into checkApply where strips is validated
			String target = request.getParameter("target");
			String apply = request.getParameter("apply");
			String strips = request.getParameter("strips");

			if (target == null || apply == null || strips == null) {// put
				out.println("invalid request, U R bad Guy!!!");
				out.println("reason: apply == null ");
				out.flush();
				out.close();
				// loginPage
				return;
			} else {
				if (!CommonUtil.checkApply(apply, strips)) {
					out.println("invalid request, U R bad Guy!!!");
					out.println("reason: checkApply Failed ");
					out.flush();
					out.close();
					return;
				} else {

					String domain = "http://" + target + "/Anchor";
					String intro = CommonUtil.getGuid();// put them into
														// session.
					strips = CommonUtil.getStripsByIntro(intro);// regenerate a strips script

					// TODO encrypt the user name, using the client-supplied
					// apply and intro as the key
					String tokon = CommonUtil.EncryptUser(user, apply, intro);

					String tips = CommonUtil.getTipsByTokon(tokon);// generate tips from tokon

					// Note: this debug line writes the token, apply and intro
					// to stdout.
					System.out.println("Validate:一个用户验证成功了\ntokon = " + tokon + "\nuser"
							+ user + "\napply" + apply + "\nintro" + intro);
					response.sendRedirect(domain + "?tokon=" + tokon
							+ "&intro=" + intro + "&strips=" + strips
							+ "&tips=" + tips);

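					// Authentication passed; this tokon was issued by me (the
					// authentication center)!
					// I will send the client a notice: you are a legitimate
					// citizen.

					// But how can this notice be delivered to the client
					// securely?
					// Should the client request it over a socket? A socket
					// cannot access session information! It could return a
					// value to confirm.

					// iframe: can be forged

					// cookie: can be manipulated within the same domain!

					// Encrypt tokon with a specific algorithm and send the
					// result to the client (with a key).
					// The client decrypts with that algorithm; if the two
					// results match, authentication succeeds!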
				}
			}
			out.flush();
			out.close();

			// TODO clear the String values to prevent eavesdropping!!!
		} catch (SSOException e) {
			e.printStackTrace();
		}
	}

	/**
	 * The doPost method of the servlet. <br>
	 * 
	 * This method is called when a form has its method attribute set to
	 * POST.
	 * 
	 * @param request
	 *            the request sent by the client to the server
	 * @param response
	 *            the response sent by the server to the client
	 * @throws ServletException
	 *             if an error occurred
	 * @throws IOException
	 *             if an error occurred
	 */
	public void doPost(HttpServletRequest request, HttpServletResponse response)
			throws ServletException, IOException {
		this.doGet(request, response);
	}

	/**
	 * Initialization of the servlet. <br>
	 * 
	 * @throws ServletException
	 *             if an error occurs
	 */
	public void init() throws ServletException {
		// Put your code here
	}

}
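
The TODO on the `target` parameter in `doGet` asks for a check that the redirect host belongs to the SSO's own subdomains before `"http://" + target + "/Anchor"` is built. One way to write that check, as an added example that is not part of the original file: the class name `TargetCheck`, the method `isAllowedTarget` and the parent domain `example.com` are assumptions.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;

/** Hypothetical helper; not part of the com.yayisoft.sso code on this page. */
public final class TargetCheck {
    // Assumed parent domain of the SSO client applications (placeholder).
    private static final String PARENT_DOMAIN = "example.com";

    /** True only if target is host[:port] at or under PARENT_DOMAIN. */
    public static boolean isAllowedTarget(String target) {
        if (target == null || target.isEmpty()) {
            return false;
        }
        // Allow only host and port characters, so the value cannot add a
        // path, query, fragment, userinfo, backslash, whitespace or CR/LF.
        for (char c : target.toCharArray()) {
            boolean ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z')
                    || (c >= '0' && c <= '9') || c == '.' || c == '-' || c == ':';
            if (!ok) {
                return false;
            }
        }
        try {
            // Parse the same string Validate would redirect to.
            URI uri = new URI("http://" + target + "/Anchor");
            if (uri.getHost() == null) {
                return false;
            }
            String host = uri.getHost().toLowerCase(Locale.ROOT);
            // Exact match or true subdomain; the leading dot keeps
            // "notexample.com" from matching "example.com".
            return host.equals(PARENT_DOMAIN) || host.endsWith("." + PARENT_DOMAIN);
        } catch (URISyntaxException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed sample values for a quick manual run.
        String[] samples = { "app.example.com", "app.example.com:8080",
                "example.com.other.test", "app.example.com@other.test", "other.test/x" };
        for (String s : samples) {
            System.out.println(s + " -> " + isAllowedTarget(s));
        }
    }
}
```

In `doGet`, the call would sit next to the existing null check on `target`, `apply` and `strips`, so a rejected host never reaches `sendRedirect`.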
