跨系统如何保持Session存活和Token共享问题

WEB端

问题描述

WMS系统对监管仓进行访问（监管仓内嵌于WMS系统），但是需要登录监管仓系统才能看到引入WMS系统的界面，否则看不了监管仓。这里涉及到一个监管仓访问超时的问题：如果用户一直在WMS上操作，而对监管仓不闻不问，那么一般在30minutes 之后，再次点击监管仓页面就会发现打不开了；同理，如果用户一直停在监管仓操作，那么30minutes之后，回来再次访问WMS的页面的时候，WMS也会自动退出到登录界面。以上问题说明，两个系统使用的不是同一个session时，在同一个系统中操作时间越长，另一个系统session存活的几率就越小，不被用户操作的系统也最容易导致session死亡，大多数时候只能半开半闭式地访问，而不能灵活地游弋于多个系统。要解决session共享的问题才能实现多系统紧密协作。

处理方案

可以将session用一个公用的数据存储区块存储起来，如：memcache。利用memcache的数据超时来处理session。同时还可以实现单点登录，如果用户通过验证，但是memcache已经存在此session那么就不再允许用户登录系统。

移动端

问题描述

历史惊人的相似，在Android和IOS上分别访问WMS和监管仓的时候发现不能共享Token。因为此Token是WMS和监管仓都分别作了生成的，登录时也仅仅是对是否超时作了验证，所以在登录的过程中他们是没有问题的，但是访问其他系统页面后切换回来就是在用其他类系统的Token在访问自己的站点，所以导致Token通不过验证。我们并没有通知对方系统自己的Token已经变了，而是自以为是独立地工作。

处理方案

方法一：同上；

方法二：每个系统都提供交换Token的接口，改变了就通知对方系统，这样可以确保用户获取到的token永远都是最新的。

我觉得今天这个标题很有意思，值得大家深入去思考，上面的解决方案是余之鄙见，希冀更多处理方案！

Token实现代码

TOken实体

package com.wlyd.wms.service.api.data;import java.io.Serializable;public class UserToken implements Serializable
{private static final long serialVersionUID = -8766321739625153631L;private String signature;// 签名private String timestamp;// 时间戳private String random;// 随机数private String authorizationCode;//授权码public String getSignature(){return signature;}public void setSignature(String signature){this.signature = signature;}public String getTimestamp(){return timestamp;}public void setTimestamp(String timestamp){this.timestamp = timestamp;}public String getRandom(){return random;}public void setRandom(String random){this.random = random;}public String getAuthorizationCode(){return authorizationCode;}public void setAuthorizationCode(String authorizationCode){this.authorizationCode = authorizationCode;}@Overridepublic String toString(){return "signature=" + signature + "×tamp=" + timestamp + "&random=" + random+ "&authorizationCode=" + authorizationCode;}
}

C#与Java DES加密工具

package com.wlyd.wms.util.api;import java.security.Key;
import java.security.spec.AlgorithmParameterSpec;
import java.util.Calendar;
import java.util.Date;
import java.util.Random;
import javax.crypto.Cipher;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.DESKeySpec;
import javax.crypto.spec.IvParameterSpec;
import com.wlyd.wms.service.api.data.UserToken;
import com.wlyd.wms.util.Log;
import Decoder.BASE64Decoder;
import Decoder.BASE64Encoder;public class JCSharpDESUtil
{// DES加密的私钥，必须是8位长的字符串private static final byte[] DESkey = "11111111".getBytes();// 设置密钥private static final byte[] DESIV = "12345678".getBytes();// 设置向量static AlgorithmParameterSpec iv = null;// 加密算法的参数接口，IvParameterSpec是它的一个实现private static Key key = null;static{DESKeySpec keySpec;try{keySpec = new DESKeySpec(DESkey);// 设置密钥参数iv = new IvParameterSpec(DESIV);// 设置向量SecretKeyFactory keyFactory = SecretKeyFactory.getInstance("DES");// 获得密钥工厂key = keyFactory.generateSecret(keySpec);// 得到密钥对象} catch (Exception e){Log.getLogger(JCSharpDESUtil.class).error("");}}public static String encrypt(String data){try{Cipher enCipher = Cipher.getInstance("DES/CBC/PKCS5Padding");// 得到加密对象CipherenCipher.init(Cipher.ENCRYPT_MODE, key, iv);// 设置工作模式为加密模式，给出密钥和向量byte[] pasByte = enCipher.doFinal(data.getBytes("utf-8"));BASE64Encoder base64Encoder = new BASE64Encoder();return base64Encoder.encode(pasByte).replace("\n", "").replace("\r", "");// 去掉换行回车符} catch (Exception e){Log.getLogger(JCSharpDESUtil.class).error("加密异常：" + e.getMessage());}return "";}public static String decrypt(String data){try{Cipher deCipher = Cipher.getInstance("DES/CBC/PKCS5Padding");deCipher.init(Cipher.DECRYPT_MODE, key, iv);BASE64Decoder base64Decoder = new BASE64Decoder();byte[] pasByte = deCipher.doFinal(base64Decoder.decodeBuffer(data));return new String(pasByte, "UTF-8");} catch (Exception e){Log.getLogger(JCSharpDESUtil.class).error("解密异常：" + e.getMessage());}return "";}public static void main(String[] args) throws Exception{String data = "/YG1K/6/mh86b5EbjYdZwrNm+MGzGw7DXXzj1mBM3ssuw2BS2Xan9Yk1mBijRLoujGtD9Wo692KvVUoIvZZY9NdpJvgv76Rn";System.out.println("加密：" + JCSharpDESUtil.encrypt("boonya"));System.out.println("解密：" + JCSharpDESUtil.decrypt(JCSharpDESUtil.encrypt("boonya")));System.out.println("CShap data Length " + (data.getBytes().length % 8));System.out.println("CShap解密：" + JCSharpDESUtil.decrypt(data));UserToken encryptedToken = new UserToken();encryptedToken.setSignature("wmsadmin");encryptedToken.setTimestamp(Calendar.getInstance().getTimeInMillis() + "");encryptedToken.setRandom(new Random().nextInt(999999999) + "");String text = encryptedToken.toString();System.out.println("明文：" + text);String encryptData = JCSharpDESUtil.encrypt(text);System.out.println("加密：" + encryptData);System.out.println("解密：" + JCSharpDESUtil.decrypt(JCSharpDESUtil.encrypt(text)));long time = new Date().getTime();System.out.println(Calendar.getInstance().getTimeInMillis());System.out.println(new Date(Calendar.getInstance().getTimeInMillis()));System.out.println(time);}}

TOKEN工具类

package com.wlyd.wms.util;import java.text.SimpleDateFormat;
import java.util.Calendar;
import java.util.Date;
import java.util.Random;
import java.util.concurrent.ConcurrentHashMap;import com.wlyd.wms.service.api.data.UserToken;
import com.wlyd.wms.util.api.JCSharpDESUtil;public class TokenUtil
{private static ConcurrentHashMap<String, UserToken> map = new ConcurrentHashMap<String, UserToken>();/*** 生成加密Token* * @param username* @return*/public static UserToken generateToken(String username){UserToken userToken = new UserToken();// 设置签名userToken.setSignature(username);// 设置时间戳userToken.setTimestamp(getTimeStamp());// 设置随机数userToken.setRandom(getRandom());// 设置授权码userToken.setAuthorizationCode(getAuthorizationCode(username));return userToken;}/*** 判定是否已经登录* * @param signature* @return*/public static boolean whetherUserHasSignedIn(String signature){if(map.containsKey(signature)){return true;}return false;}/*** 创建用户Token* * @param username* @return*/public static String createToken(String username){UserToken userToken = generateToken(username);// 保存用户TokenString token=encryptUserToken(userToken);map.put(encryptSignature(userToken.getSignature()), userToken);return token;}/*** 设置自定义的Token* * @param username* @param userToken*/public static void setSelfToken(String username,UserToken userToken){map.put(username, userToken);}/*** 【重新生成】更新Token* * @param token* @return*/public static String reCreateToken(String token){UserToken userToken=TokenUtil.analyseEncryptedUserToken(token);return createToken(userToken.getSignature());}/*** 加密签名* * @param username* @return*/public static String encryptSignature(String username){return JCSharpDESUtil.encrypt(username);}/*** 解密签名* * @param signature* @return*/public static String decryptSignature(String signature){return JCSharpDESUtil.decrypt(signature);}/*** 生成时间戳* @return*/public static String getTimeStamp(){return Calendar.getInstance().getTimeInMillis() + "";}/*** 生成随机数* * @return*/public static String getRandom(){return new Random().nextInt(999999999) + "";}/*** 加密用户Token* * @param userToken* @return*/public static String encryptUserToken(UserToken userToken){return JCSharpDESUtil.encrypt(userToken.toString());}/*** 解析加密用户Token* * @param token* @return*/public static UserToken decryptUserToken(String token){String decryptToken=JCSharpDESUtil.decrypt(token);String[] params = decryptToken.split("&");// 分析用户提交过来的TokenUserToken userToken = new UserToken();for (int i = 0, j = params.length; i < j; i++){String[] currentParams = params[i].split("=");String param = currentParams[0];switch (param){case "signature":userToken.setSignature(currentParams[1]);break;case "timestamp":userToken.setTimestamp(currentParams[1]);break;case "random":userToken.setRandom(currentParams[1]);break;case "authorizationCode":userToken.setAuthorizationCode(currentParams[1]);break;default:break;}}return userToken;}/*** 【解密用户Token】分析用户Token* * @param token* @return*/public static UserToken analyseEncryptedUserToken(String token){UserToken userToken=decryptUserToken( token);return userToken;}/*** 验证用户Token* * @param token* @param userToken* @return*/public static boolean verifyUserToken(String token){// 分析用户需要验证的TokenUserToken userToken=decryptUserToken(token);// 给用户加密签名String encryptSignature=encryptSignature(userToken.getSignature());// 判定是否包含此Tokenif(!map.containsKey(encryptSignature)){return false;}// 获取登录的用户TokenUserToken userTokenIner=(UserToken) map.get(encryptSignature);// 验证是否存在此用户登录的Tokenif (userTokenIner!=null&&(userToken.toString()).equals(userTokenIner.toString())){// 判定时间戳是否过期long currentTime = Calendar.getInstance().getTimeInMillis();long timestamp = Long.valueOf(userToken.getTimestamp());// Token有效时间为30分钟long verifyTime = 30 * 60 * 1000;if (currentTime - timestamp > verifyTime){// 移除过期的Tokenmap.remove(encryptSignature);return false;}return true;}return false;}/*** 获取已经签入的用户Token* * @return*/public static UserToken getUserSignedToken(String signature){if(map.containsKey(signature)){return map.get(signature);}return null;}/*** 根据用户名获取MD5Token* * @param username* @return*/public static String getAuthorizationCode(String username){SimpleDateFormat sdf = new SimpleDateFormat("yyyyMMdd");String date = sdf.format(new Date());String token = Md5.getPassSalt("username=" + username + "&date=" + date, Md5.getMD5Str(username));return token;}public static void main(String[] args) { String token=TokenUtil.createToken("boonya");System.out.println("token:"+token);System.out.println("Original token:"+TokenUtil.analyseEncryptedUserToken(token));boolean result=TokenUtil.verifyUserToken(token);System.out.println("verify reulst:"+result);}/*** 创建用户Token* * @param username* @return*/public static String createTokenIOS(String username){UserToken userToken = generateToken(username);map.put(encryptSignature(userToken.getSignature()), userToken);return userToken.toString();}public static UserToken decryptUserTokenIOS(String token){String[] params = token.split("&");// 分析用户提交过来的TokenUserToken userToken = new UserToken();for (int i = 0, j = params.length; i < j; i++){String[] currentParams = params[i].split("=");String param = currentParams[0];switch (param){case "signature":userToken.setSignature(currentParams[1]);break;case "timestamp":userToken.setTimestamp(currentParams[1]);break;case "random":userToken.setRandom(currentParams[1]);break;case "authorizationCode":userToken.setAuthorizationCode(currentParams[1]);break;default:break;}}return userToken;}/*** 解析token信息非加密* @MethodName: verifyUserTokenIOS * @Description: * @param token* @return* @throws*/public static boolean verifyUserTokenIOS(String token){// 分析用户需要验证的TokenUserToken userToken=decryptUserTokenIOS(token);// 给用户加密签名String encryptSignature=encryptSignature(userToken.getSignature());// 判定是否包含此Tokenif(!map.containsKey(encryptSignature)){return false;}// 获取登录的用户TokenUserToken userTokenIner=(UserToken) map.get(encryptSignature);// 验证是否存在此用户登录的Tokenif (userTokenIner!=null&&(userToken.toString()).equals(userTokenIner.toString())){// 判定时间戳是否过期long currentTime = Calendar.getInstance().getTimeInMillis();long timestamp = Long.valueOf(userToken.getTimestamp());// Token有效时间为30分钟long verifyTime = 30 * 60 * 1000;if (currentTime - timestamp > verifyTime){// 移除过期的Tokenmap.remove(encryptSignature);return false;}return true;}return false;}}

交换公钥工具类

package com.wlyd.wms.util.api;import java.util.Map.Entry;
import java.util.concurrent.ConcurrentHashMap;import com.wlyd.wms.service.api.data.UserToken;public class UserSecurityManager
{private static ConcurrentHashMap<String, UserToken> TOKEN = new ConcurrentHashMap<String, UserToken>();/*** <k,v>:<sessionId,clientPublicKey>*/private static ConcurrentHashMap<String, String> CLIENT_PUBLIC = new ConcurrentHashMap<String, String>();/*** <k,v>:<sessionId,serverPublicKey>*/private static ConcurrentHashMap<String, String> SERVER_PUBLIC = new ConcurrentHashMap<String, String>();/*** <k,v>:<serverPublicKey,serverPrivateKey>*/private static ConcurrentHashMap<String, String> SERVER_PUBLIC_PRIVATE = new ConcurrentHashMap<String, String>();public static String getSessionId(String clientPublicKey){if(CLIENT_PUBLIC.containsValue(clientPublicKey)){for (Entry<String, String > entry: CLIENT_PUBLIC.entrySet()){if(entry.getValue().equals(clientPublicKey)){return entry.getKey();}}}return null;}public static ConcurrentHashMap<String, UserToken> getTOKEN(){return TOKEN;}public static void rememberUserToken(String key,UserToken token){TOKEN.put(key, token);}public static void removeUserToken(String key){if(TOKEN.containsKey(key)){TOKEN.remove(key);}}public static void rememberClientPublicKey(String sessionId,String clientPublicKey){CLIENT_PUBLIC.put(sessionId, clientPublicKey);}public static String getClientPublicKey(String sessionId){if(CLIENT_PUBLIC.containsKey(sessionId)){return CLIENT_PUBLIC.get(sessionId);}return null;}public static void removeClientPublicKey(String sessionId){if(CLIENT_PUBLIC.containsKey(sessionId)){CLIENT_PUBLIC.remove(sessionId);}}public static void rememberServerPublicKey(String sessionId,String serverPublicKey){SERVER_PUBLIC.put(sessionId, serverPublicKey);}public static String getServerPublicKey(String sessionId){if(SERVER_PUBLIC.containsKey(sessionId)){return SERVER_PUBLIC.get(sessionId);}return null;}public static String getServerPrivateKey(String sessionId){if(SERVER_PUBLIC.containsKey(sessionId)){String serverPublicKey= SERVER_PUBLIC.get(sessionId);if(SERVER_PUBLIC_PRIVATE.containsKey(serverPublicKey)){SERVER_PUBLIC_PRIVATE.get(serverPublicKey);}}return null;}public static void removeServerPublicKey(String sessionId){if(SERVER_PUBLIC.containsKey(sessionId)){SERVER_PUBLIC.remove(sessionId);}}public static void rememberServerPublicAndPrivateKey(String serverPublicKey,String serverPrivateKey){SERVER_PUBLIC_PRIVATE.put(serverPublicKey, serverPrivateKey);}public static void removeServerPublicAndPrivateKey(String serverPublicKey){if(serverPublicKey==null||serverPublicKey.equals("")) return;if(SERVER_PUBLIC_PRIVATE.containsKey(serverPublicKey)){SERVER_PUBLIC_PRIVATE.remove(serverPublicKey);}}}