Sa-Token v1.39.0
A lightweight Java permission authentication framework that makes authentication simple and elegant!
Online documentation: https://sa-token.cc
Sa-Token Introduction
Sa-Token is a lightweight Java permission authentication framework that currently has five core modules: login authentication, permission authentication, single sign-on, OAuth2.0, and microservice authentication.
Simple example:
Sa-Token aims to complete the permission authentication part of the system in a simple and elegant way. Taking login authentication as an example, you only need:
// Session login: the parameter is the account id of the person logging in
StpUtil.login(10001);
There is no need to implement any interface or create any configuration file. You only need to call this static code to complete the session login authentication.
If an interface requires login to access, we only need to call the following code:
// Check whether the current client is logged in; throws `NotLoginException` if it is not
StpUtil.checkLogin();
In Sa-Token, most functions can be solved with one line of code:
Kick people offline:
// Kick the session of account id 10077 offline
StpUtil.kickout(10077);
Permission authentication:
// Annotation-based authentication: only sessions holding the `user:add` permission may enter the method
@SaCheckPermission("user:add")
public String insert(SysUser user) {
    // ...
    return "User added";
}
Route interception authentication:
// Split modules by route; each module gets its own authentication rule
registry.addInterceptor(new SaInterceptor(handler -> {
    SaRouter.match("/user/**", r -> StpUtil.checkPermission("user"));
    SaRouter.match("/admin/**", r -> StpUtil.checkPermission("admin"));
    SaRouter.match("/goods/**", r -> StpUtil.checkPermission("goods"));
    SaRouter.match("/orders/**", r -> StpUtil.checkPermission("orders"));
    SaRouter.match("/notice/**", r -> StpUtil.checkPermission("notice"));
    // more modules...
})).addPathPatterns("/**");
When you are fed up with Shiro, SpringSecurity and other frameworks, you will understand how simple and elegant Sa-Token's API design is compared to these traditional old frameworks!
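The snippets above are shown in isolation. The following is an added example (not code from the Sa-Token README or project) that wires them into one Spring Boot application: a login controller, the route interceptor, the `StpInterface` that supplies permission codes for `checkPermission`, and an exception handler so `NotLoginException` becomes a clean response instead of a 500. It assumes the `sa-token-spring-boot-starter` dependency is present; the class names, the `/user/*` routes, the placeholder credential check and the hard-coded permission list are illustrative choices.

```java
import cn.dev33.satoken.exception.NotLoginException;
import cn.dev33.satoken.exception.NotPermissionException;
import cn.dev33.satoken.interceptor.SaInterceptor;
import cn.dev33.satoken.router.SaRouter;
import cn.dev33.satoken.stp.StpInterface;
import cn.dev33.satoken.stp.StpUtil;
import cn.dev33.satoken.util.SaResult;
import org.springframework.context.annotation.Configuration;
import org.springframework.stereotype.Component;
import org.springframework.web.bind.annotation.ExceptionHandler;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.bind.annotation.RestControllerAdvice;
import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
import java.util.List;

@RestController
@RequestMapping("/user")
public class LoginController {

    // Session login. Verifying the credential is outside Sa-Token's scope, so a
    // placeholder comparison stands in for the real user lookup here.
    @GetMapping("/doLogin")
    public SaResult doLogin(@RequestParam String username, @RequestParam String password) {
        if ("zhang".equals(username) && "123456".equals(password)) {   // placeholder check
            StpUtil.login(10001);                       // bind this session to account id 10001
            return SaResult.ok("login ok").setData(StpUtil.getTokenValue());
        }
        return SaResult.error("login failed");
    }

    @GetMapping("/info")
    public SaResult info() {
        StpUtil.checkLogin();                           // throws NotLoginException when not logged in
        return SaResult.data(StpUtil.getLoginId());
    }

    @GetMapping("/logout")
    public SaResult logout() {
        StpUtil.logout();
        return SaResult.ok();
    }
}

// Where checkPermission() gets its data from: a hypothetical fixed list instead of a database query.
@Component
class StpInterfaceImpl implements StpInterface {
    @Override
    public List<String> getPermissionList(Object loginId, String loginType) {
        return List.of("user", "user:add", "goods");    // constructed: account 10001 may use /user and /goods
    }
    @Override
    public List<String> getRoleList(Object loginId, String loginType) {
        return List.of("member");
    }
}

@Configuration
class SaTokenConfigure implements WebMvcConfigurer {
    @Override
    public void addInterceptors(InterceptorRegistry registry) {
        registry.addInterceptor(new SaInterceptor(handler -> {
            // Every route except the login endpoint requires a logged-in session
            SaRouter.match("/**").notMatch("/user/doLogin").check(r -> StpUtil.checkLogin());
            // Module-level permission rules, as in the README snippet
            SaRouter.match("/user/**", r -> StpUtil.checkPermission("user"));
            SaRouter.match("/admin/**", r -> StpUtil.checkPermission("admin"));
            SaRouter.match("/goods/**", r -> StpUtil.checkPermission("goods"));
        })).addPathPatterns("/**");
    }
}

// Without this, a failed check surfaces as a generic server error; with it the client gets a clear denial.
@RestControllerAdvice
class SaTokenExceptionHandler {
    @ExceptionHandler(NotLoginException.class)
    public SaResult handleNotLogin(NotLoginException e) {
        return SaResult.error("not logged in: " + e.getMessage());
    }
    @ExceptionHandler(NotPermissionException.class)
    public SaResult handleNoPermission(NotPermissionException e) {
        return SaResult.error("permission denied: " + e.getMessage());
    }
}
```

With this wiring, `GET /user/doLogin?username=zhang&password=123456` returns a token, `GET /user/info` succeeds only when that token is presented, and `GET /admin/anything` is refused by the interceptor because the constructed permission list lacks `admin`.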
List of core modules:
- Login authentication - single-end login, multi-end login, same-end mutually exclusive login, no login required within seven days.
- Permission authentication - authority authentication, role authentication, session secondary authentication.
- Kicking people offline - Kicking people offline based on their account ID, and kicking people offline based on their Token value.
- Annotation-based authentication - elegantly separates authentication from business code.
- Route interception authentication - Authentication based on route interception; RESTful mode can be adapted.
- Session - Shared session for all ends, exclusive session for one end, customized session, convenient access to values.
- Persistence layer extension - Redis can be integrated, and data will not be lost after restarting.
- Separation of front and backend - APPs, applets and other terminals that do not support cookies can also be easily authenticated.
- Token style customization - six built-in Token styles, you can also customize the Token generation strategy.
- Remember Me Mode - Adapt to [Remember Me] mode and restart the browser without verification.
- Second level authentication - Authentication again based on logged in to ensure security.
- Simulate other people's accounts - Manipulate any user status data in real time.
- Temporary identity switch - Temporarily switch the session identity to another account.
- Same-end mutually exclusive login - like QQ, the mobile phone and computer are online at the same time, but login is mutually exclusive on the two mobile phones.
- Account banning - login banning, business classification banning, and punishment ladder banning.
- Password encryption - Provides basic algorithms out of the box: MD5, SHA1 and SHA256 hashing, and AES encryption.
- Session query - Provides a convenient and flexible session query interface.
- Http Basic authentication - One line of code to access Http Basic and Digest authentication.
- Global listener - performs some AOP operations during key operations such as user login, logout, and being kicked offline.
- Global filter - Conveniently handles cross-domain requests, global security response headers and similar operations.
- Multi-account system authentication - separate authentication for multiple account types in one system (such as the User table and Admin table of an online store).
- Single sign-on - Three built-in single sign-on modes handle same-domain, cross-domain, shared-Redis, cross-Redis, front-end/back-end separated and other architectures.
- Single point logout - Initiate a logout in any subsystem, and the entire system will be offline.
- OAuth2.0 authentication - Easily build OAuth2.0 services, supporting openid mode.
- Distributed session - Provides a distributed session solution in a shared data center.
- Microservice gateway authentication - adapts to route interception authentication of common gateways such as Gateway, ShenYu, Zuul and so on.
- RPC call authentication - gateway forwarding authentication and RPC call authentication, so that service calls no longer run unprotected.
- Temporary Token authentication - solves short-term Token authorization problems.
- Independent Redis - separates permission cache and business cache.
- Quick login authentication - Inject a login page into the project with zero code.
- Tag dialect - Provides Thymeleaf tag dialect integration package and provides beetl integration examples.
- jwt integration - Provides three modes of jwt integration solutions and provides token expansion parameter capabilities.
- RPC call status transfer - Provides integration packages such as dubbo and grpc, so that the login status is not lost during RPC calls.
- Parameter signature - Provides a cross-system API call signature verification module to prevent parameter tampering and request replay.
- Automatic renewal - Two token expiration strategies are provided, which can be used flexibly and automatically renewed.
- Ready to use out of the box - Provides common framework integration packages such as SpringMVC, WebFlux, Solon, etc., ready to use out of the box.
- The latest technology stack - adapted to the latest technology stack: supports SpringBoot 3.x, jdk 17.
SSO single sign-on
Sa-Token SSO is divided into three modes to solve SSO access under different architectures: same domain, cross domain, shared Redis, cross Redis, front-end and back-end integrated, front-end and back-end separated, and so on:
| System architecture | Mode | Introduction | Documentation |
|---|---|---|---|
| Front-end same domain + back-end shares Redis | Mode 1 | Shared Cookie synchronizes the session | Documentation, examples |
| Front-end different domains + back-end shares Redis | Mode 2 | URL redirect propagates the session | Documentation, examples |
| Front-end different domains + back-end different Redis | Mode 3 | HTTP request fetches the session | Documentation, examples |
- Front-end same domain: multiple systems can be deployed under the same main domain name, such as c1.domain.com, c2.domain.com, c3.domain.com.
- Back-end shares Redis: multiple systems can connect to the same Redis. (This does not require all project data to be placed in one Redis; Sa-Token provides a [separation of permission cache and business cache] solution.)
- If the front end cannot share a domain and the back end cannot share Redis, use mode 3: an HTTP request verifies the ticket and obtains the session.
- A NoSdk mode example is provided, so systems that do not use Sa-Token can also be connected.
- sso-server interface documentation is provided, so systems not written in Java can also be connected.
- Front-end/back-end separated integration solutions are provided: both sso-server and sso-client can be integrated in a front-end/back-end separated architecture.
- Security verification is provided: domain name verification, ticket verification and parameter signature verification, effectively preventing ticket hijacking, request replay and other attacks.
- Parameter loss prevention: the author tested multiple SSO frameworks and all of them lost parameters. For example, before login the URL was http://a.com?id=1&name=2 and after a successful login it became http://a.com?id=1. Sa-Token-SSO has a dedicated algorithm to ensure that parameters are not lost and the original path is returned accurately after a successful login.
- Suggestions for user data synchronization/migration solutions are provided: unified migration before development, real-time data synchronization at runtime, matching based on associated fields, matching based on center_id fields, etc.
- Directly runnable demo examples are provided to help you quickly become familiar with the general SSO login process.
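The SSO points above name three safeguards: domain name verification of the redirect target, ticket verification, and preserving the original URL's parameters. The following is an added example, written generically rather than taken from Sa-Token-SSO's own code, that shows what each check looks like on the sso-server side: an allow-list of client hosts, a single-use ticket with a short lifetime that is bound to the host it was issued for, and a redirect that appends the ticket to the original URL instead of rebuilding it (so `id=1&name=2` survives). The allow-list, TTL, sample URLs and account id are constructed for the illustration.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

/** Added example, not Sa-Token-SSO code: redirect allow-listing, single-use tickets and parameter preservation. */
public class SsoTicketGuard {

    // Constructed allow-list: only these client hosts may receive a post-login redirect.
    private static final Set<String> ALLOWED_CLIENT_HOSTS = Set.of("a.com", "c1.domain.com", "c2.domain.com");
    private static final long TICKET_TTL_MS = 5 * 60 * 1000;   // constructed: tickets live five minutes
    private static final SecureRandom RNG = new SecureRandom();

    /** A ticket remembers which account it stands for and which client host it was issued to. */
    record Ticket(Object loginId, String clientHost, long expiresAt) {}

    private final Map<String, Ticket> tickets = new ConcurrentHashMap<>();

    /** Domain verification: the redirect must be absolute, http(s), and on an allow-listed host. */
    public static boolean isAllowedRedirect(String redirect) {
        try {
            URI uri = new URI(redirect);
            String scheme = uri.getScheme();
            String host = uri.getHost();     // for "http://a.com@evil.example/" this is evil.example, so it is rejected
            if (scheme == null || host == null) return false;      // relative, scheme-less or malformed
            if (!scheme.equalsIgnoreCase("http") && !scheme.equalsIgnoreCase("https")) return false;
            return ALLOWED_CLIENT_HOSTS.contains(host.toLowerCase());
        } catch (URISyntaxException e) {
            return false;
        }
    }

    /** Issue a ticket for loginId bound to the redirect's host; returns the full redirect URL, or null if rejected. */
    public String issueTicket(Object loginId, String redirect) {
        if (!isAllowedRedirect(redirect)) return null;
        String host = URI.create(redirect).getHost().toLowerCase();
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        String ticket = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        tickets.put(ticket, new Ticket(loginId, host, System.currentTimeMillis() + TICKET_TTL_MS));

        // Parameter preservation: append to the original URL rather than reconstructing it,
        // and keep any fragment after the query so the ticket is not swallowed by "#...".
        String fragment = "";
        int hash = redirect.indexOf('#');
        if (hash >= 0) {
            fragment = redirect.substring(hash);
            redirect = redirect.substring(0, hash);
        }
        String sep = redirect.contains("?") ? "&" : "?";
        return redirect + sep + "ticket=" + URLEncoder.encode(ticket, StandardCharsets.UTF_8) + fragment;
    }

    /** Ticket verification (the mode-3 style check): single use, unexpired, presented by the host it was issued to. */
    public Object checkTicket(String ticket, String presentingHost) {
        Ticket t = tickets.remove(ticket);   // consumed on first presentation, valid or not, so a replay finds nothing
        if (t == null) return null;
        if (System.currentTimeMillis() > t.expiresAt()) return null;
        if (!t.clientHost().equals(presentingHost.toLowerCase())) return null;
        return t.loginId();
    }

    public static void main(String[] args) {
        SsoTicketGuard guard = new SsoTicketGuard();
        String url = guard.issueTicket(10001, "http://a.com?id=1&name=2");
        System.out.println(url);                                   // http://a.com?id=1&name=2&ticket=...
        String ticket = url.substring(url.indexOf("ticket=") + 7);
        System.out.println(guard.checkTicket(ticket, "a.com"));    // 10001
        System.out.println(guard.checkTicket(ticket, "a.com"));    // null: already consumed
        System.out.println(guard.issueTicket(10001, "https://evil.example/?id=1")); // null: host not allow-listed
    }
}
```

The ticket store is an in-memory map here; in a deployment with several sso-server instances it would live in the shared Redis the table above refers to, with the same remove-then-check semantics.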
OAuth2 authorization authentication
The Sa-Token-OAuth2 module is divided into four authorization modes to solve the authorization needs in different scenarios.
| Authorization mode | Introduction |
|---|---|
| Authorization Code | The standard OAuth2.0 authorization step: the server passes a code to the client, and the client exchanges the code for the authorization token. |
| Implicit | A fallback when the authorization code mode cannot be used: the server uses URL redirection to deliver the token directly to the client page. |
| Password | The client exchanges the user's account and password directly for the authorization token. |
| Client Credentials | A server-side token at the client level, representing authorization for the application's own resources. |
Detailed reference document: https://sa-token.cc/doc.html#/oauth2/readme
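The Authorization Code row above compresses the whole exchange into one sentence. The following is an added example, not code from the Sa-Token-OAuth2 module, showing the server-side checks that make that exchange safe: the code is bound to the client id and the registered `redirect_uri`, expires quickly, can be redeemed only once, and the client must present its secret at the token endpoint. The client registry, secret, redirect URI and account id are constructed for the illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/** Added example, not Sa-Token-OAuth2's implementation: the authorization-code step on the server side. */
public class AuthorizationCodeServer {

    record Client(String secret, String redirectUri) {}
    record IssuedCode(String clientId, String redirectUri, Object loginId, long expiresAt) {}
    record AccessToken(String value, Object loginId, String clientId) {}

    private static final SecureRandom RNG = new SecureRandom();
    private static final long CODE_TTL_MS = 60_000;   // constructed: codes are deliberately short-lived

    private final Map<String, Client> clients;                       // constructed client registry
    private final Map<String, IssuedCode> pendingCodes = new ConcurrentHashMap<>();

    public AuthorizationCodeServer(Map<String, Client> clients) {
        this.clients = clients;
    }

    /** Authorization endpoint: after login and consent, hand out a code bound to client id + redirect_uri. */
    public String issueCode(String clientId, String redirectUri, Object loginId) {
        Client c = clients.get(clientId);
        if (c == null || !c.redirectUri().equals(redirectUri)) return null;   // exact-match redirect check
        String code = randomToken();
        pendingCodes.put(code, new IssuedCode(clientId, redirectUri, loginId,
                System.currentTimeMillis() + CODE_TTL_MS));
        return code;
    }

    /** Token endpoint: the client proves its secret and exchanges the code exactly once. */
    public AccessToken exchange(String code, String clientId, String clientSecret, String redirectUri) {
        Client c = clients.get(clientId);
        if (c == null || !constantTimeEquals(c.secret(), clientSecret)) return null;
        IssuedCode issued = pendingCodes.remove(code);   // single use: gone even if a later check fails
        if (issued == null) return null;
        if (!issued.clientId().equals(clientId)) return null;        // code was issued to a different client
        if (!issued.redirectUri().equals(redirectUri)) return null;  // must match the authorize request
        if (System.currentTimeMillis() > issued.expiresAt()) return null;
        return new AccessToken(randomToken(), issued.loginId(), clientId);
    }

    // Secret comparison that does not leak the mismatch position through timing.
    private static boolean constantTimeEquals(String expected, String presented) {
        return presented != null && MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8), presented.getBytes(StandardCharsets.UTF_8));
    }

    private static String randomToken() {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }

    public static void main(String[] args) {
        AuthorizationCodeServer server = new AuthorizationCodeServer(
                Map.of("app1", new Client("s3cret", "https://client.example/callback")));   // constructed client
        String code = server.issueCode("app1", "https://client.example/callback", 10001);
        System.out.println(server.exchange(code, "app1", "s3cret", "https://client.example/callback") != null); // true
        System.out.println(server.exchange(code, "app1", "s3cret", "https://client.example/callback"));         // null: reused
        System.out.println(server.exchange(code, "app1", "wrong", "https://client.example/callback"));          // null: bad secret
        System.out.println(server.issueCode("app1", "https://client.example/other", 10001));                    // null: unregistered redirect
    }
}
```

The same single-use and binding rules are what distinguish the Authorization Code mode from the Implicit mode in the table: because the token itself never travels through the browser redirect, an intercepted code is worthless without the client secret and the matching `redirect_uri`.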
Open source integration case
- [Snowy]: China's first front-end/back-end separated rapid development platform supporting national cryptographic (SM) algorithms, using Vue3 + AntDesignVue3 + Vite + SpringBoot + Mp + HuTool + SaToken.
- [RuoYi-Vue-Plus]: Rewrites all functions of RuoYi-Vue and integrates Sa-Token + Mybatis-Plus + Jackson + Xxl-Job + knife4j + Hutool + OSS, synchronized regularly.
- [Smart-Admin]: SmartAdmin is China's first rapid development platform for middle- and back-office systems with "high-quality code" as its core and "simple, efficient and safe" as its motto.
- [Dengdeng]: A microservice middle- and back-office rapid development platform focusing on multi-tenant solutions. Tenant mode supports independent databases (DATASOURCE mode), a shared data architecture (COLUMN mode) and a non-tenant mode (NONE mode).
- [EasyAdmin]: A back-office management system based on SpringBoot2 + Sa-Token + Mybatis-Plus + Snakerflow + Layui. It is flexible: the front and back ends can be separated or deployed as a single unit. It has a built-in code generator, permission management, workflow engine, etc.
- [sa-admin-server]: Back-office management development scaffolding based on sa-admin-ui.
There are more excellent open source cases that cannot be displayed one by one, please refer to: Awesome-Sa-Token
Friendly links
- [OkHttps]: lightweight http communication framework, extremely elegant API, supports WebSocket and Stomp protocols
- [Bean Searcher]: A read-only ORM focusing on advanced queries, enabling complex list retrieval with one line of code!
- [Jpom]: Simple and lightweight low-intrusive online construction, automatic deployment, daily operation and maintenance, and project monitoring software.
- [TLog]: A lightweight distributed log tag tracking artifact.
- [hippo4j]: A powerful dynamic thread pool framework with monitoring and alarm functions.
- [hertzbeat]: An easy-to-use and friendly open source real-time monitoring and alarm system, no Agent required, high-performance cluster, and powerful custom monitoring capabilities.
- [Solon]: A more modern application development framework: faster, smaller, and more free.
- [Chat2DB]: An AI-driven database management and BI tool that supports the management of 22 databases such as Mysql, pg, Oracle, and Redis.
Code hosting
- Gitee: https://gitee.com/dromara/sa-token
- GitHub: https://github.com/dromara/sa-token
- GitCode: https://gitcode.com/dromara/sa-token
Communication group
QQ communication group: 823181187
WeChat communication group: scan the QR code to add WeChat with the note "sa-token" and you will be invited into the group chat.
Benefits of joining a group chat:
- Receive framework update notifications as soon as possible.
- Receive framework bug notifications as soon as possible.
- Receive notifications of new open source cases as soon as possible.
- Chat, slack off and hang out with many experts.