CAS SSO is an open-source SSO (single sign-on) system developed by Yale University; download address:
SSO is now fairly widely used. IBM and BEA each have their own commercial solutions, and any deployment with a portal will generally use SSO.
Sun has founded OpenSSO and is doing its SSO development there.
On .NET the main option is the Passport scheme.
There is also an open-source Java project, JOSSO, but it is not highly rated online.
The place where CAS is currently discussed the most is the BEA Guangzhou User Group, at:
The moderator is David, an expert in Java security who has studied CAS in depth; his blog is at
Of course you can also write your own SSO; the key questions are how multiple applications share user information, how that data is kept secure, and how to work across languages and across domains.
All of the above are Java-based implementations.
CAS only provides simple identity authentication, and the bundled authentication method is trivial: if the username and password are identical, the user passes. If you want validation against a database you have to write it yourself. Authorization and permissions are not provided; they are left to the subsystems.
The ASP example in the CAS demo is probably not complete. The main reason is that a trust relationship with the CAS server has been established in Tomcat but not in IIS; you need to install a certificate in IIS and enable SSL. For a better deployment you need to understand SSL and PKI, and how the ticket is exchanged over SSL between CasServer and CasClient.
If you adopt CAS, what remains is to customize Yale's login module into the login module of your own application.
Configuring CAS in Tomcat:
1. Create the certificate
keytool -genkey -alias tomcat -keyalg RSA -keystore tomcat.keystore
When prompted for the name (CN), enter localhost if this is the local machine, otherwise enter the domain name.
2. Export the certificate
keytool -export -file myserver.cert -alias tomcat -keystore tomcat.keystore
3. Import it into the JVM
keytool -import -keystore d:\jdk\jre\lib\security\cacerts -file myserver.cert -alias tomcat
(adjust the cacerts path to where your JDK is installed)
It is best to run the above from Tomcat's home directory; you need to be familiar with the JDK keytool command.
4. Open the SSL port 8443
Edit Tomcat's configuration file server.xml, uncomment the SSL Connector below, and change it to:
<Connector port="8443"
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" debug="0" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS" >
<Factory className="org.apache.coyote.tomcat5.CoyoteServerSocketFactory"
keystoreFile="jama.keystore"
keystorePass="xx" clientAuth="false" protocol="TLS" />
</Connector>
keystorePass is the password used when creating the certificate.
keystoreFile is the keystore file created in step 1.
5. Copy CAS.war from the target directory of CAS server 3.0.2 to %tomcat_home%\webapps.
(CAS.war from the \cas-server-2.0.12\lib directory also works.)
6. Copy cas-client-java-2.1.1\dist\casclient.jar to %tomcat_home%\webapps\servlets-examples\WEB-INF\lib (if there is no lib folder, create one).
Edit the web.xml of the servlets-examples application bundled with Tomcat and add the CAS filter:
<filter>
<filter-name>CASFilter</filter-name>
<filter-class>edu.yale.its.tp.cas.client.filter.CASFilter</filter-class>
<init-param>
<param-name>edu.yale.its.tp.cas.client.filter.loginUrl</param-name>
<param-value>https://localhost:8443/cas/login</param-value>
</init-param>
<init-param>
<param-name>edu.yale.its.tp.cas.client.filter.validateUrl</param-name>
<param-value>https://localhost:8443/cas/proxyValidate</param-value>
</init-param>
<init-param>
<param-name>edu.yale.its.tp.cas.client.filter.serverName</param-name>
<param-value>localhost:8080</param-value>
<!-- localhost:8080 is the name of your own server -->
</init-param>
</filter>
<filter-mapping>
<filter-name>CASFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
7. Start Tomcat. CAS.war is automatically unpacked into a CAS directory under webapps.
Open http://localhost:8080/servlets-examples; you are automatically redirected to the CAS login page.
Enter an identical username and password, and you are redirected back to the original page.
Note:
When creating the self-signed credential, the password used when generating the keystore is changeit (Tomcat's default), and the name must be localhost; this is for testing with the CAS client and CAS server on the same machine.
After importing myserver.cert under Browser - Tools - Internet Options, the security warning no longer appears.
Configuring IIS
Copy cas.asp from the ASP demo into a virtual directory; in this example a virtual directory named test was created.
Modify the content of cas.asp as follows (the changed lines were highlighted in red in the original post):
<%@ Language=JScript %>
<%
// Sample ASP code that uses CAS
// By Howard Gilbert
// If you logon, it says "Hello " followed by your userid
// For the Web server to talk to the CAS server, this code depends on the
// Microsoft ServerXMLHTTP control provided with MSXML. If the MS XML
// parser is not already installed on the IIS host machine,
// download version 3.0 SP1 or better from http://www.microsoft.com/xml
// Insert name of CAS Server at your location
//var CAS_Server = "https://secure.its.yale.edu/cas/servlet/";
var CAS_Server = "https://localhost:8443/cas/"; // address of the CAS validation server
// Insert public name of IIS Server hosting this script
// Note: Request.ServerVariables("SERVER_NAME") or anything based on
// the HTTP "Host" header should NOT be used; this header is supplied by
// the client and isn't trusted. (--SB)
var MyServer = "http://192.168.0.11/test/"; // path of the virtual directory
// Page to return to after validation: it points to HelloCas/default.asp,
// so a HelloCas directory containing default.asp must exist under test
var Service = MyServer + "HelloCas/default.asp";
var greeting = "stranger";
if (Session.Contents("Netid") != null) { // already logged on in this session
    greeting = Session.Contents("Netid");
} else {
    var ticket = "";
    if (Request.QueryString("ticket").Count > 0) ticket = String(Request.QueryString("ticket"));
    if (ticket == "") { // no ticket yet: send the browser to the CAS login page
        Response.Redirect(CAS_Server + "login?service=" + Server.URLEncode(Service));
    }
    var http = Server.CreateObject("MSXML2.ServerXMLHTTP.4.0");
    var url = CAS_Server + "validate?ticket=" + ticket + "&" +
              "service=" + Server.URLEncode(Service);
    http.open("GET", url, false); // HTTP transaction to CAS server
    http.send();
    var resp = http.responseText.split('\n'); // Lines become array members
    if (resp[0] == "yes") { // Logon successful
        greeting = resp[1]; // get userid for message
        Session.Contents("Netid") = resp[1]; // Save for subsequent calls
    }
}
%>
<HTML>
<HEAD><title>CAS ASP Example application</title></HEAD>
<BODY>
<P>Hello <%=greeting%></P>
</BODY>
</HTML>
Calling it from ASP.NET:
Create a file CASP.cs with the following content.
Call this class from wherever you need it.
/**
CASP.cs
CAS over ASP.NET!
* Created by John Tantalo, john.tantalo@case.edu
* Case Western Reserve University
*
* Modification History:
*
* 12/09/05 jnt5, created class
* 12/12/05 jnt5, removed cookie check
* stores CASNetworkID in session instead of cache
* clears Page session variable after ticket verification
* 12/13/05 jnt5, removed Page session variable
* fixed bug which would cause loop due to incorrect service parameter
* 04/04/06 jnt5, adapted serviceURL code courtesy Ali Cakmak
* 04/10/06 jnt5, added new comments
*
* References:
*
* http://wiki.case.edu/Central_Authentication_Service
* https://clearinghouse.ja-sig.org/wiki/display/CAS/CAS+2.0+Protocol+Specification
*/
// The comment above is the original file header
using System ;
using System.Web.UI ;
using System.Net ;
using System.IO ;
using System.Web.SessionState;
/** How to call it
 * CASP general usage:
 *
 * private void Page_Load(object sender, System.EventArgs e)
 * {
 * String NetworkID = CASP.Authenticate( "https://login.case.edu/cas/login", "https://login.case.edu/cas/validate", this ) ;
 * }
 */
public class CASP
{
    /**
     * Authenticates a user with the given login and validation pages. After authentication
     * the user's browser is redirected to the original page.
     */
    public static String Authenticate( String LoginURL, String ValidateURL, Page Page )
    {
        // the service URL is the current page without its query string (so without the ticket)
        return Authenticate( LoginURL, ValidateURL, Page, Page.Request.Url.AbsoluteUri.Split('?')[0] ) ;
    }
    /**
     * Authenticates a user with the given login and validation pages. After authentication
     * the user's browser is redirected to the location given as the service URL.
     */
    public static String Authenticate( String LoginURL, String ValidateURL, Page Page, String ServiceURL )
    {
        if( Page.Session["CASNetworkID"] != null ) // user already logged in
            return Page.Session["CASNetworkID"].ToString() ;
        else // user hasn't logged in
        {
            // the service parameter is URL-encoded so that a service URL containing '?' or '&' survives
            String EncodedService = Page.Server.UrlEncode( ServiceURL ) ;
            if( Page.Request.QueryString["ticket"] != null ) // ticket received
            {
                try // read ticket and request validation
                {
                    using( StreamReader Reader = new StreamReader( new WebClient().OpenRead( ValidateURL + "?ticket=" + Page.Server.UrlEncode( Page.Request.QueryString["ticket"] ) + "&service=" + EncodedService ) ) )
                    {
                        if( "yes".Equals( Reader.ReadLine() ) ) // ticket validated: second line is the user id
                        {
                            // store network id in session, return value
                            return (String) ( Page.Session["CASNetworkID"] = Reader.ReadLine() ) ;
                        }
                    }
                }
                catch( WebException ) {} // validation request failed: fall through and ask for a new ticket
            }
            // ticket was invalid, or didn't exist, so request ticket
            Page.Response.Redirect( LoginURL + "?service=" + EncodedService, true ) ;
            return null ;
        }
    }
}
posted on 2006-11-07 15:37 by robbin163, category: sso