allen
专注于java ee技术,包括struts,jsf,webwork,spring,hibernate,ibatis
posts - 7,  comments - 9,  trackbacks - 0
 CAS SSO为耶鲁大学开发的一个开源的SSO(单点登录系统),下载地址为:
http://www.ja-sig.org/products/cas/
目前SSO应用较为广泛,IBM,BEA都有自己商业方案,一般如有Portal,都会应用SSO.
Sun成立了OpenSSO.,在进行SSO的开发。
.net主要有passport方案
另有一个java开源的JOSSO,不过网上评价不高,
CAS目前讨论得比较多的地方是BEA广州UserGroup,地址为:
http://dev2dev.bea.com.cn/bbs/forum.jspa?forumID=29304&start=0
版主为David,java安全信息的专家,对cas有很深的研究,他的blog为
www.blogjava.net/security
http://www.blogjava.net/openssl
http://security.javaeye.com/
当然SSO也可以自己编写,关键是多个应用如何共享用户信息及数据安全,以及如何跨语言,跨域等.
可以参考fins的一篇文章(http://fins.javaeye.com/blog/31947)和
王昱的一文(http://biaoming.spaces.live.com/blog/cns!905abeb7a7abc122!118.entry)
以上都是基于java的实现.
.net中的自己编写实现有http://www.asp121.com/wlbc/23/430.shtml
 
CAS只提供一个简单的身分认证,认证方式很简单,只要用户名和密码相同,即通过,如果应用数据库验证,还需要自己编写。授权和权限没有提供,留给子系统去做。
CAS demo中的asp例子,可能不大完善,主要原因可以是,在tomcat中建立了和casserver的信任,但在IIS还没有。需要在IIS中建立证书,加入SSL.如需要更好的应用需要多了解SSL和PKI,及SSL在CasServer和CasClient之间ticket的交换.
如果应用CAS,还需要做的是,如何将yale的登录模块,定制成自己应用的Login模块.
 
在tomcat中配置CAS过程如下:
 1:建立证书
keytool -genkey -alias tomcat -keyalg RSA  -keystore tomcat.keystore
在输入用户名时,如果是本机请输入localhost,否则输入域名
 
2:导入证书
     keytool -export -file myserver.cert -alias tomcat ?keystore tomcat.keystore
 
3:导入到JVM中
     keytool -import -keystore d:\jdk\jre\lib\security\cacerts(根据jdk的安装位置输入) -file myserver.cert -alias tomcat
以上操作最好放在tomcat的home目录下建立,需要熟悉jdk的命令 keytool
 
开放SSL 8443端口
编辑tomcat的配置文件server.xml,去掉下面SSL Connector的注释,修改为如下:
<Connector port="8443"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" debug="0" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" >
                        <Factory className="org.apache.coyote.tomcat5.CoyoteServerSocketFactory"
                keystoreFile="jama.keystore"
               keystorePass="xx" clientAuth="false" protocol="TLS" />
</Connector>
keystorePass为建立证书的密码
keystoreFile为建立证书的文件
 
5.将CAS server3.0.2中target目录中的CAS.war复制到%tomcat_home%\webapps目录下.
(或者\cas-server-2.0.12\lib目录中的CAS.war也可以)
 
6.将cas-client-java-2.1.1\dist\casclient.jar文件复制到%tomcat_home%\webapps\servlets-examples\WEB-INF\lib中(没有lib文件夹,自己建一个)
 
修改tomcat自带的servlet-examples的web.xml, 加入cas的过滤器:
 
<filter>
 
    <filter-name>CASFilter</filter-name>
 
    <filter-class>edu.yale.its.tp.cas.client.filter.CASFilter</filter-class>
 
    <init-param>
 
        <param-name>edu.yale.its.tp.cas.client.filter.loginUrl</param-name>
 
        <param-value>https://localhost:8443/cas/login</param-value>
 
    </init-param>
 
    <init-param>
 
        <param-name>edu.yale.its.tp.cas.client.filter.validateUrl</param-name>
 
        <param-value>https://localhost:8443/cas/proxyValidate</param-value>
 
    </init-param>
 
    <init-param>
 
        <param-name>edu.yale.its.tp.cas.client.filter.serverName</param-name>
 
        <param-value>localhost:8080</param-value>
<!―localhost:8080为自己的服务器名
    </init-param>
 
</filter>
 
<filter-mapping>
 
    <filter-name>CASFilter</filter-name>
 
    <url-pattern>/*</url-pattern>
 
</filter-mapping>
 
6.启动tomcat !,CAS.war文件被自动在webapps下释放出CAS目录
 
进入http://localhost:8080/servlets-examples, 被自动转发到CAS的登陆页面.
 
输入相同的用户名和密码,之后跳转回原来页面
注意:
 
在制作一个自签名的credential了, 在生成keystore文件的时候密码是:changeit(这是tomcat默认的),你的名字一定要是:localhost,当然这是你需要把CAS client和CAS server放在同一台机器上进行测试用的
 
 
在浏览器-工具-internet选项里导入myserver.cert后就不会出现安全警报
IIS中配置
将asp demo的cas.asp copy到某一虚拟目录下.本例中建立了一个虚拟目录test
修改cas.asp内容,见红色内容
<%@ Language=JScript %>
<%
// Sample ASP code that uses CAS
// By Howard Gilbert
 
// If you logon, it says "Hello " followed by your userid
// For the Web server to talk to the CAS server, this code depends on the
// Microsoft ServerXMLHTTP control provided with MSXML. If the MS XML
// parser is not already installed on the IIS host machine,
// download version 3.0 SP1 or better from http://www.microsoft.com/xml
 
// Insert name of CAS Server at your location
//var CAS_Server = "https://secure.its.yale.edu/cas/servlet/";
var CAS_Server = "https://localhost:8443/cas/";  --cas验证服务器地址
 
// Insert public name of IIS Server hosting this script
// Note: Request.ServerVariables("SERVER_NAME") or anything based on
// the HTTP "Host" header should NOT be used; this header is supplied by
// the client and isn't trusted. (--SB)
var MyServer = "http://192.168.0.11/test/";  //此处为虚拟目录路径
 
              var http = Server.CreateObject("MSXML2.ServerXMLHTTP.4.0");
              var url =CAS_Server+"validate?ticket="+ticket+"&"+
                     "service="+MyServer+"HelloCas/default.asp";  //认证通过后转向的页面
//这里转向HelloCas/default.asp 所以需要在test目录中建立HelloCas目录和default.asp
              http.open("GET",url,false); // HTTP transaction to CAS server
              http.send();
             
              var resp=http.responseText.split('\n'); // Lines become array members
              if (resp[0]=="yes")   // Logon successful
                     greeting=resp[1]; // get userid for message
              Session.Contents("Netid")=resp[1];      // Save for subsequent calls
       }
}
%>
<HTML>
<HEAD><title>CAS ASP Example application</title></HEAD>
<BODY>
<P>Hello <%=greeting%></P>
</BODY>
</HTML>
 
Asp.net中调用,
建立CASP.cs文件,内容如下.
在其它处调用这个文件.
/**
  CASP.cs
CAS over ASP.NET!
  * Created by John Tantalo, john.tantalo@case.edu
 * Case Western Reserve University
  * 
  * Modification History:
 * 
  * 12/09/05 jnt5, created class
* 12/12/05 jnt5, removed cookie check
  * stores CASNetworkID in session instead of cache
 * clears Page session variable after ticket verification
  * 12/13/05 jnt5, removed Page session variable
  *  fixed bug which would cause loop due to incorrect service parameter
  * 04/04/06 jnt5, adapted serviceURL code courtesy Ali Cakmak
 * 04/10/06 jnt5, added new comments
 * 
  * References:
  * 
 * http://wiki.case.edu/Central_Authentication_Service
  * https://clearinghouse.ja-sig.org/wiki/display/CAS/CAS+2.0+Protocol+Specification
  */
//以上为正式文件
 
 using System ;
 using System.Web.UI ;
 using System.Net ;
using System.IO ;
 using System.Web.SessionState;
 
 /**    调用方式
  * CASP general usage: 使用方法 
  * 
  *      private void Page_Load(object sender, System.EventArgs e)
  *      {
  *            String NetworkID = CASP.Authenticate( "https://login.case.edu/cas/login", "https://login.case.edu/cas/validate", this ) ;
 *      }
 */
        
public class CASP
 {
     /**
      * Authenticates a user with the given login and validation pages. After authentication
         * the user's browser is redirected to the original page.
     */
        
        public static String Authenticate( String LoginURL, String ValidateURL, Page Page )
         {
                return Authenticate( LoginURL, ValidateURL, Page, Page.Request.Url.AbsoluteUri.Split('?')[0] ) ;
        }
 
        /**
         * Authenticates a user with the given login and validation pages. After authentication
         * the user's browser is redirected to the location given as the service URL.
          */
         public static String Authenticate( String LoginURL, String ValidateURL, Page Page, String ServiceURL )
        {
                if( Page.Session["CASNetworkID"] != null ) // user already logged in
                        return Page.Session["CASNetworkID"].ToString() ;
               else // user hasn't logged in
              {
                       if( Page.Request.QueryString["ticket"] != null ) // ticket received
                       {
                              try // read ticket and request validation
                              {
                                        StreamReader Reader = new StreamReader( new WebClient().OpenRead( ValidateURL + "?ticket=" + Page.Request.QueryString["ticket"] + "&service=" + ServiceURL ) ) ;
                                                                      if( "yes".Equals( Reader.ReadLine() ) ) // ticket validated
                                       {
                                               // store network id in sesssion, return value
 
                                                return (String) ( Page.Session["CASNetworkID"] = Reader.ReadLine() ) ;
 
                                        }
                              } 
                               catch( WebException ) {}
                       } 
        
                         // ticket was invalid, or didn't exist, so request ticket
                
                        Page.Response.Redirect( LoginURL + "?service=" + ServiceURL, true ) ;
                        return null ;
                 }
         }
 }
 
posted on 2006-11-07 15:37 robbin163 阅读(4335) 评论(0)  编辑  收藏 所属分类: sso

只有注册用户登录后才能发表评论。


网站导航:
博客园   IT新闻   Chat2DB   C++博客   博问  
 

<2024年12月>
24252627282930
1234567
891011121314
15161718192021
22232425262728
2930311234

常用链接

留言簿(3)

随笔分类

随笔档案

文章分类

文章档案

搜索

  •  

最新评论

阅读排行榜

评论排行榜