Single Sign On [SSO] across different domains using Java

Notice: this page is a translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. If you use it, you must follow the same CC BY-SA license, cite the original address and author information, and attribute it to the original authors (not me): StackOverflow. Original: http://stackoverflow.com/questions/18121278/

Date: 2020-08-11 22:30:45  Source: igfitidea

Tags: java, authentication, servlets, single-sign-on, multiple-domains

Asked by Reddy

We are implementing Single Sign On [SSO] across multiple applications, which are hosted on different domains and different servers.


[image: diagram]

Now, as shown in the picture, we are introducing an Authenticate Server which actually interacts with LDAP and authenticates the users. The applications which will use/talk to the Authenticate Server are hosted across different servers and domains.

For SSO, I can't use session variables: as there are different servers, different applications and different domains, a domain-level cookie/session variable is not helpful.

I am looking for a better solution which can be used for SSO across them. Does any demonstrated implementation exist? If so, please post it or point me in the right direction for this.

Accepted answer by Qwerky

You can achieve this by having all your log-ins happen on the auth server. The other applications can communicate to the auth server through a back channel. The general principle is like this:


  1. User accesses application 1.
  2. Application 1 needs the user to sign on, so it sends a token to the auth server through the back channel. Application 1 then redirects the user to the log in page on the auth server with the token as a parameter on the request.
  3. User logs in to auth server. Auth server sets a cookie, flags the token as authenticated and associates the user details with it. Auth server then redirects user back to application 1.
  4. Application 1 gets request from user and calls auth server over back channel to check if the token is OK. Auth server responds with user details.
  5. Application 1 now knows that the user is authorised and has some basic user details.

Now this is where the SSO bit comes in:


  1. User accesses application 2.
  2. Application 2 needs the user to sign on, so it sends a token to the auth server through the back channel. Application 2 then redirects the user to the login page on the auth server with the token as a parameter on the request.
  3. Auth server sees that there is a valid log in cookie, so it can tell that the user is already authenticated, and knows who they are. Auth server flags the token as authenticated and associates the user details with it. Auth server then redirects user back to application 2.
  4. Application 2 gets request from user and calls auth server over back channel to check if the token is OK. Auth server responds with user details.
  5. Application 2 now knows that the user is authorised and has some basic user details.

There are some existing implementations of this method, for example CAS (Central Authentication Service). Note that CAS is supported out of the box in Spring Security. I would advise you look at using an existing implementation, as writing your own will be hard. I have simplified things in my answer and there is a lot of potential for introducing security holes if you're new to this.
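The flow the accepted answer describes, as an added example that is not code from the original post, from CAS or from Spring Security: an in-memory Java simulation in which the auth server, two applications on different domains and the browser's cookie jar are plain objects, and the back channel is a direct method call. The hostnames, the `alice` entry standing in for LDAP, and the token and cookie formats are assumptions made for this demo.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;

/**
 * In-memory walk-through of the token-plus-back-channel SSO flow (added example,
 * not from the original post or CAS). The "browser" is a cookie jar held in main();
 * the "back channel" is a direct method call that a real deployment would make over
 * TLS with a per-application credential. Hostnames and the LDAP stand-in are assumed.
 */
public class SsoFlowDemo {

    /** Auth server: checks LDAP, owns the login cookie and the token registry. */
    static final class AuthServer {
        private static final SecureRandom RNG = new SecureRandom();
        private final Map<String, String> tokens = new HashMap<>();   // token -> user ("" = pending)
        private final Map<String, String> sessions = new HashMap<>(); // login cookie -> user
        private final Map<String, String> ldap = Map.of("alice", "correct horse"); // constructed stand-in for LDAP

        static String randomId() {
            byte[] b = new byte[32];                         // 256 bits: unguessable token / cookie
            RNG.nextBytes(b);
            return Base64.getUrlEncoder().withoutPadding().encodeToString(b);
        }

        /** Step 2, back channel: an application registers the token it is about to put in a redirect. */
        void registerToken(String token) {
            tokens.put(token, "");
        }

        /**
         * Step 3, front channel: the user arrives at the login page with the token as a parameter.
         * Returns the login cookie the browser should hold for the auth domain, empty on failure.
         */
        Optional<String> loginPage(String token, Optional<String> cookie, String user, String password) {
            if (!"".equals(tokens.get(token))) {
                return Optional.empty();                     // unknown, or already authenticated: refuse
            }
            String known = cookie.map(sessions::get).orElse(null);
            if (known != null) {                             // SSO case: the cookie already identifies the user
                tokens.put(token, known);
                return cookie;
            }
            if (user == null || password == null || !password.equals(ldap.get(user))) {
                return Optional.empty();                     // LDAP rejected the credentials
            }
            String newCookie = randomId();
            sessions.put(newCookie, user);
            tokens.put(token, user);
            return Optional.of(newCookie);
        }

        /** Step 4, back channel: is this token authenticated, and as whom? The token is consumed. */
        Optional<String> validate(String token) {
            String user = tokens.remove(token);
            return (user == null || user.isEmpty()) ? Optional.empty() : Optional.of(user);
        }
    }

    /** A relying application on its own domain; it never sees the user's password. */
    static final class Application {
        private final String host;
        private final AuthServer auth;

        Application(String host, AuthServer auth) { this.host = host; this.auth = auth; }

        /** Steps 1-2: mint a token, register it over the back channel, redirect the browser. */
        String beginSignOn() {
            String token = AuthServer.randomId();
            auth.registerToken(token);
            System.out.println(host + ": redirect -> https://auth.example.com/login?token=" + token
                    + "&return=https://" + host + "/callback");
            return token;
        }

        /** Steps 4-5: the browser is back on /callback; ask the auth server who this is. */
        Optional<String> finishSignOn(String token) {
            return auth.validate(token);
        }
    }

    public static void main(String[] args) {
        AuthServer auth = new AuthServer();
        Application app1 = new Application("app1.example.org", auth);
        Application app2 = new Application("app2.example.net", auth);
        Optional<String> authCookie = Optional.empty();     // browser cookie jar for auth.example.com

        // First application: the user types a password once, on the auth domain only.
        String t1 = app1.beginSignOn();
        authCookie = auth.loginPage(t1, authCookie, "alice", "correct horse");
        System.out.println("app1 user = " + app1.finishSignOn(t1).orElse("<not authenticated>"));

        // Second application on another domain: the auth-domain cookie does the work, no password.
        String t2 = app2.beginSignOn();
        authCookie = auth.loginPage(t2, authCookie, null, null);
        System.out.println("app2 user = " + app2.finishSignOn(t2).orElse("<not authenticated>"));

        // A replayed callback carrying the old token must fail, because validate() consumed it.
        System.out.println("replay of t1 accepted = " + app1.finishSignOn(t1).isPresent());
    }
}
```

Run it with `java SsoFlowDemo.java` (Java 11 or later). Two properties carry the security of the scheme and are the easiest to get wrong in a home-grown version: the token is unguessable and single-use, so a captured or replayed redirect buys an attacker nothing, and the password is only ever posted to the auth domain. A production deployment would also bind each token to the application that registered it (so app1 cannot validate a token minted for app2), give tokens and login cookies an expiry, authenticate the back channel with mutual TLS or a per-application secret, and mark the login cookie Secure and HttpOnly; that is the work CAS already does for you.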

Answer by Sudhakar

You cannot use Rest Service.

You could use what I call a Referrer URL Authentication. Say you have an Authentication application running on www.AAAA.com. In the applications where you want to authenticate, you could have a filter which looks for an authenticated cookie in its domain, else redirects to www.AAAA.com for authentication.

On successful authentication, you could pass the user profile information as encrypted GET / POST data back to the application.

Answer by Ravi

The bigger question is how you are implementing single sign on. Many open source and even proprietary (IBM Tivoli) offerings worth their salt offer cross domain single sign on capability. This would be the easiest and best way to implement cross domain sso. You can configure the LDAP server you use in the sso server you choose.


Taking for instance OpenSSO, here is an article to configure cross domain single sign on: http://docs.oracle.com/cd/E19681-01/820-5816/aeabl/index.html

To configure LDAP in OpenSSO: http://docs.oracle.com/cd/E19316-01/820-3886/ghtmw/index.html

A reference on the issue is presented in a neat diagram here: http://docs.oracle.com/cd/E19575-01/820-3746/gipjl/index.html

Depending on which offering you use, you can configure cross domain single sign on.


With this, your diagram will look like this, with the auth server being your utility to interact with sso server of your choice.


Having an auth server that communicates with SSO is a sound architecture principle. I would suggest making the calls to authenticate REST endpoints which could be called via HTTP from different applications.

[image: Cross Domain single sign on]

Answer by Gursev Kalra

I will recommend you check out OAuth. It is a good Authentication and Authorization protocol used by several large organizations including Facebook, Google, Windows Live and others. It may have an initial learning curve, but it is a production grade solution.

It also has libraries for Java, Ruby, PHP and a range of other programming languages.


For example, the following server side implementations are available for Java.


  • Apache Amber (draft 22)
  • Spring Security for OAuth
  • Apis Authorization Server (v2-31)
  • Restlet Framework (draft 30)
  • Apache CXF

The following client side Java libraries are also available:

  • Apache Amber (draft 22)
  • Spring Social
  • Spring Security for OAuth
  • Restlet Framework (draft 30)

Please refer here for more details:


Answer by Nikhil Badgu

Since I have built a Java application, I have been looking for an SSO solution for it. I found a free Java SAML Connector using which you can achieve SSO in Java based applications built using any Java framework.

Here's the link to it - https://plugins.miniorange.com/java-single-sign-on-sso-connector
