allen
Focused on Java EE technology, including Struts, JSF, WebWork, Spring, Hibernate and iBATIS
CAS SSO is an open-source SSO (single sign-on) system developed at Yale University; it can be downloaded from:
http://www.ja-sig.org/products/cas/
SSO is widely deployed today. IBM and BEA each have their own commercial solutions, and almost any Portal deployment uses SSO.
Sun has founded OpenSSO and is developing its own SSO.
On .NET the main option is Passport.
There is also a Java open-source project, JOSSO, but online reviews of it are not favourable.
The most active place for CAS discussion at the moment is the BEA Guangzhou UserGroup:
http://dev2dev.bea.com.cn/bbs/forum.jspa?forumID=29304&start=0
The moderator, David, is a Java security expert who has studied CAS in depth; his blogs are
www.aygfsteel.com/security
http://www.aygfsteel.com/openssl
http://security.javaeye.com/
Of course you can also write your own SSO. The hard parts are how several applications share user information without compromising its security, and how to work across languages and across domains.
See fins' article (http://fins.javaeye.com/blog/31947) and
Wang Yu's (http://biaoming.spaces.live.com/blog/cns!905abeb7a7abc122!118.entry).
Both of the above are Java-based implementations.
A hand-written .NET implementation is at http://www.asp121.com/wlbc/23/430.shtml

CAS itself provides only simple authentication, and the authentication handler it ships with is trivial: a login succeeds whenever the username and the password are the same string. If you need to validate against an application database you have to write your own handler, and you must do so before the server is exposed, because the demo handler admits anyone who knows the rule. Authorization and permissions are not provided; they are left to the individual subsystems.
The ASP example in the CAS demo may not be complete. The main reason is that a trust relationship with the CAS server has been established in Tomcat (by importing its certificate), but not in IIS. The certificate must also be installed on the IIS host and SSL enabled there. For anything beyond a demo you need a working knowledge of SSL and PKI, and of how the ticket is exchanged over SSL between CasServer and CasClient.
If you adopt CAS, the remaining work is turning Yale's login module into the Login module of your own application.

Configuring CAS in Tomcat:

1. Create the certificate
keytool -genkey -alias tomcat -keyalg RSA -keystore tomcat.keystore
When keytool asks for the name (the certificate's CN), enter localhost if this is the local machine, otherwise the server's domain name; the HTTPS clients check the hostname against it.

2. Export the certificate
keytool -export -file myserver.cert -alias tomcat -keystore tomcat.keystore

3. Import it into the JVM's trust store
keytool -import -keystore d:\jdk\jre\lib\security\cacerts -file myserver.cert -alias tomcat
(adjust the path to where your JDK is installed; cacerts is the trust store the CAS client consults when it calls the validate URL over https, and its default password is changeit)
It is best to run all of the above from Tomcat's home directory; you need to be familiar with the JDK keytool command.

4. Open the SSL port 8443
Edit Tomcat's configuration file server.xml, uncomment the SSL Connector and change it to the following:
<Connector port="8443"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" debug="0" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS" >
    <Factory className="org.apache.coyote.tomcat5.CoyoteServerSocketFactory"
           keystoreFile="tomcat.keystore"
           keystorePass="xx" clientAuth="false" protocol="TLS" />
</Connector>
keystorePass is the password you set when creating the keystore (it sits in server.xml in the clear, so restrict who can read that file).
keystoreFile is the keystore file created in step 1 (tomcat.keystore above).

5. Copy CAS.war from the target directory of CAS server 3.0.2 to %tomcat_home%\webapps.
(CAS.war from \cas-server-2.0.12\lib works as well.)

6. Copy cas-client-java-2.1.1\dist\casclient.jar into %tomcat_home%\webapps\servlets-examples\WEB-INF\lib (create the lib folder if it is missing).

7. Edit the web.xml of Tomcat's bundled servlets-examples and add the CAS filter:

<filter>
    <filter-name>CASFilter</filter-name>
    <filter-class>edu.yale.its.tp.cas.client.filter.CASFilter</filter-class>
    <init-param>
        <param-name>edu.yale.its.tp.cas.client.filter.loginUrl</param-name>
        <param-value>https://localhost:8443/cas/login</param-value>
    </init-param>
    <init-param>
        <param-name>edu.yale.its.tp.cas.client.filter.validateUrl</param-name>
        <param-value>https://localhost:8443/cas/proxyValidate</param-value>
    </init-param>
    <init-param>
        <param-name>edu.yale.its.tp.cas.client.filter.serverName</param-name>
        <param-value>localhost:8080</param-value>
        <!-- localhost:8080 is the name (host:port) of your own server -->
    </init-param>
</filter>

<filter-mapping>
    <filter-name>CASFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

8. Start Tomcat. CAS.war is unpacked automatically into a CAS directory under webapps.

9. Open http://localhost:8080/servlets-examples; you are redirected to the CAS login page.
Enter the same string as username and password, and you are sent back to the original page.

Notes:
When the self-signed credential was made, the keystore password was changeit (Tomcat's default; whatever you choose must match keystorePass in server.xml) and the name had to be localhost. That of course only applies when you run the CAS client and the CAS server on the same machine for testing.

Once myserver.cert has been imported in the browser (Tools - Internet Options) the security warning no longer appears.
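As an added check (my own example code, not part of the original post or of the CAS distribution), here is a small Python lint for the CASFilter section of a web.xml. It encodes what the configuration in step 7 relies on: loginUrl and validateUrl both over https (the certificate import in step 3 is what makes the validateUrl call succeed, and that call is where the client decides who the user is), serverName in host[:port] form, and a mapping that actually covers the application. The two embedded web.xml documents are constructed for the example; the "weak" one adds three mistakes that are easy to make while getting a first deployment working.

```python
"""Lint the CASFilter configuration of a web.xml (added example, not the project's code)."""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

PREFIX = "edu.yale.its.tp.cas.client.filter."

# Why each URL must be https: what an on-path attacker gains if it is not.
REASONS = {
    "loginUrl": "the user's password would be posted in the clear",
    "validateUrl": "a network attacker could forge the 'yes' validation answer",
}


def _local(tag):
    """Strip a namespace such as {http://java.sun.com/xml/ns/j2ee} from a tag."""
    return tag.rpartition("}")[2]


def _text(el):
    return (el.text or "").strip()


def cas_filter_params(web_xml):
    """Collect the CASFilter init-params and the url-patterns it is mapped to."""
    root = ET.fromstring(web_xml)
    params, mapped = {}, []
    for el in root.iter():
        kind = _local(el.tag)
        if kind not in ("filter", "filter-mapping"):
            continue
        fields = {_local(c.tag): c for c in el}
        if _text(fields["filter-name"]) != "CASFilter":
            continue
        if kind == "filter-mapping":
            mapped.append(_text(fields["url-pattern"]))
            continue
        for ip in (c for c in el if _local(c.tag) == "init-param"):
            f = {_local(c.tag): _text(c) for c in ip}
            params[f["param-name"]] = f["param-value"]
    return params, mapped


def lint_cas_filter(web_xml):
    """Return a list of findings; an empty list means the filter config looks sound."""
    params, mapped = cas_filter_params(web_xml)
    findings = []
    if not mapped:
        findings.append("CASFilter has no filter-mapping: nothing is protected")
    elif "/*" not in mapped:
        findings.append("CASFilter only maps %s: other paths are unauthenticated"
                        % ", ".join(mapped))
    for key, reason in REASONS.items():
        url = params.get(PREFIX + key)
        if url is None:
            findings.append("missing init-param " + PREFIX + key)
        elif urlsplit(url).scheme != "https":
            findings.append("%s=%s is not https: %s" % (key, url, reason))
    server = params.get(PREFIX + "serverName", "")
    # CASFilter combines serverName with the request's own scheme and path.
    if not server or "://" in server or "/" in server:
        findings.append("serverName must be host[:port] only, got %r" % server)
    return findings


# Constructed sample: the configuration from step 7 inside a servlet 2.4 web-app element.
WEB_XML_OK = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <filter>
    <filter-name>CASFilter</filter-name>
    <filter-class>edu.yale.its.tp.cas.client.filter.CASFilter</filter-class>
    <init-param>
      <param-name>edu.yale.its.tp.cas.client.filter.loginUrl</param-name>
      <param-value>https://localhost:8443/cas/login</param-value>
    </init-param>
    <init-param>
      <param-name>edu.yale.its.tp.cas.client.filter.validateUrl</param-name>
      <param-value>https://localhost:8443/cas/proxyValidate</param-value>
    </init-param>
    <init-param>
      <param-name>edu.yale.its.tp.cas.client.filter.serverName</param-name>
      <param-value>localhost:8080</param-value>
    </init-param>
  </filter>
  <filter-mapping>
    <filter-name>CASFilter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
</web-app>"""

# Same document with three mistakes: plain-http validation, a serverName with a
# scheme and path, and a mapping that leaves most of the application open.
WEB_XML_WEAK = (WEB_XML_OK
    .replace("https://localhost:8443/cas/proxyValidate", "http://localhost:8080/cas/proxyValidate")
    .replace("<param-value>localhost:8080</param-value>", "<param-value>http://localhost:8080/</param-value>")
    .replace("<url-pattern>/*</url-pattern>", "<url-pattern>/servlet/*</url-pattern>"))

if __name__ == "__main__":
    for finding in lint_cas_filter(WEB_XML_WEAK):
        print("WARN:", finding)
```

Run it against the real WEB-INF/web.xml of each protected application after deployment; the step 7 configuration produces no findings, the weak variant produces three.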
Configuration in IIS
Copy cas.asp from the ASP demo into a virtual directory; this example uses a virtual directory named test.
Modify cas.asp as follows. The values to change are the CAS_Server address, the MyServer path and the service page; they are marked with comments below (the original post marks them in red).
<%@ Language=JScript %>
<%
// Sample ASP code that uses CAS
// By Howard Gilbert

// If you logon, it says "Hello " followed by your userid
// For the Web server to talk to the CAS server, this code depends on the
// Microsoft ServerXMLHTTP control provided with MSXML. If the MS XML
// parser is not already installed on the IIS host machine,
// download version 3.0 SP1 or better from http://www.microsoft.com/xml

// Insert name of CAS Server at your location
//var CAS_Server = "https://secure.its.yale.edu/cas/servlet/";
var CAS_Server = "https://localhost:8443/cas/";   // address of the CAS validation server

// Insert public name of IIS Server hosting this script
// Note: Request.ServerVariables("SERVER_NAME") or anything based on
// the HTTP "Host" header should NOT be used; this header is supplied by
// the client and isn't trusted. (--SB)
var MyServer = "http://192.168.0.11/test/";       // path of the virtual directory

// The page the user lands on after authentication. The same value must be
// used in the login redirect and in the validate call, so create a HelloCas
// directory with a default.asp under the test virtual directory.
var Service = MyServer + "HelloCas/default.asp";

var greeting = "";
var netid = Session.Contents("Netid");
if (netid != null && String(netid) != "") {
    greeting = String(netid);                       // already logged on in this session
} else {
    var ticket = String(Request.QueryString("ticket"));
    if (ticket == "" || ticket == "undefined") {
        // No ticket yet: send the browser to the CAS login page
        Response.Redirect(CAS_Server + "login?service=" + Service);
    } else {
        var http = Server.CreateObject("MSXML2.ServerXMLHTTP.4.0");
        var url = CAS_Server + "validate?ticket=" + ticket + "&" +
                  "service=" + Service;
        http.open("GET", url, false);               // HTTP transaction to CAS server
        http.send();

        var resp = http.responseText.split('\n');   // Lines become array members
        if (resp[0] == "yes") {                     // Logon successful
            greeting = resp[1];                     // get userid for message
            Session.Contents("Netid") = resp[1];    // Save for subsequent calls
        }
    }
}
%>
<HTML>
<HEAD><title>CAS ASP Example application</title></HEAD>
<BODY>
<P>Hello <%=greeting%></P>
</BODY>
</HTML>

Calling from ASP.NET
Create a file CASP.cs with the following content and call it from your pages.
/**
 * CASP.cs
 * CAS over ASP.NET!
 * Created by John Tantalo, john.tantalo@case.edu
 * Case Western Reserve University
 *
 * Modification History:
 *
 * 12/09/05 jnt5, created class
 * 12/12/05 jnt5, removed cookie check
 *   stores CASNetworkID in session instead of cache
 *   clears Page session variable after ticket verification
 * 12/13/05 jnt5, removed Page session variable
 *   fixed bug which would cause loop due to incorrect service parameter
 * 04/04/06 jnt5, adapted serviceURL code courtesy Ali Cakmak
 * 04/10/06 jnt5, added new comments
 *
 * References:
 *
 * http://wiki.case.edu/Central_Authentication_Service
 * https://clearinghouse.ja-sig.org/wiki/display/CAS/CAS+2.0+Protocol+Specification
 */
// The header above is from the original file.

using System;
using System.Web.UI;
using System.Net;
using System.IO;
using System.Web.SessionState;

/**
 * CASP general usage:
 *
 *      private void Page_Load(object sender, System.EventArgs e)
 *      {
 *            String NetworkID = CASP.Authenticate( "https://login.case.edu/cas/login", "https://login.case.edu/cas/validate", this ) ;
 *      }
 */

public class CASP
{
    /**
     * Authenticates a user with the given login and validation pages. After authentication
     * the user's browser is redirected to the original page.
     */
    public static String Authenticate(String LoginURL, String ValidateURL, Page Page)
    {
        // The service URL is the current page without its query string, so the
        // ticket parameter itself is never part of the service value.
        return Authenticate(LoginURL, ValidateURL, Page, Page.Request.Url.AbsoluteUri.Split('?')[0]);
    }

    /**
     * Authenticates a user with the given login and validation pages. After authentication
     * the user's browser is redirected to the location given as the service URL.
     */
    public static String Authenticate(String LoginURL, String ValidateURL, Page Page, String ServiceURL)
    {
        if (Page.Session["CASNetworkID"] != null) // user already logged in
            return Page.Session["CASNetworkID"].ToString();

        // user hasn't logged in
        if (Page.Request.QueryString["ticket"] != null) // ticket received
        {
            try // read ticket and request validation over the back channel
            {
                using (StreamReader Reader = new StreamReader(new WebClient().OpenRead(
                    ValidateURL + "?ticket=" + Page.Request.QueryString["ticket"] + "&service=" + ServiceURL)))
                {
                    if ("yes".Equals(Reader.ReadLine())) // ticket validated
                    {
                        // store network id in session, return value
                        return (String)(Page.Session["CASNetworkID"] = Reader.ReadLine());
                    }
                }
            }
            catch (WebException) { } // validation server unreachable: treat as not logged in
        }

        // ticket was invalid, or didn't exist, so request ticket
        Page.Response.Redirect(LoginURL + "?service=" + ServiceURL, true);
        return null;
    }
}
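Both cas.asp and CASP.cs above do the same thing: they send the ticket the browser brought back to the CAS validate endpoint together with the service URL, and accept the user named on the second line of the reply only if the first line is exactly "yes". The following Python model of that exchange is an added example, not code from the original post or from either client's author; the ticket format ("ST-" plus a random token), the 300-second lifetime and the in-memory ticket table are assumptions. It shows what the server-side checks buy you: a ticket validates once, only for the service it was issued to, and only before it expires, so a ticket captured on the wire or lifted from another service's URL is of no use to an attacker.

```python
"""Model of the CAS 1.0 service-ticket exchange used by cas.asp and CASP.cs.

Added example; not code from the original post or from either client's author.
Assumptions: ticket format "ST-" + random token, a 300 s lifetime, in-memory store.
"""
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit

TICKET_TTL = 300  # seconds (assumed; real deployments use a few minutes or less)
SERVICE = "http://192.168.0.11/test/HelloCas/default.asp"  # the service URL from cas.asp


class CasServer:
    """The part of a CAS server that issues and validates service tickets."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._tickets = {}  # ticket -> (user, service, issued_at)

    def login(self, user, service):
        """Successful login: CAS redirects the browser to service?ticket=ST-..."""
        ticket = "ST-" + secrets.token_urlsafe(24)
        self._tickets[ticket] = (user, service, self._clock())
        sep = "&" if "?" in service else "?"
        return service + sep + "ticket=" + ticket

    def validate(self, query):
        """GET /cas/validate?ticket=..&service=..  ->  "yes\\nuser\\n" or "no\\n\\n"."""
        q = parse_qs(query)
        ticket = q.get("ticket", [""])[0]
        service = q.get("service", [""])[0]
        entry = self._tickets.pop(ticket, None)   # pop: a ticket is good for one validation
        if entry is None:
            return "no\n\n"                        # unknown, already used, or forged
        user, issued_for, issued_at = entry
        if issued_for != service:                  # lifted from another service's URL
            return "no\n\n"
        if self._clock() - issued_at > TICKET_TTL:
            return "no\n\n"                        # too old
        return "yes\n%s\n" % user


def validate_query(ticket, service):
    """Build the validate query string; unlike the two clients above, encode the service."""
    return urlencode({"ticket": ticket, "service": service})


def ticket_from_redirect(url):
    """What the browser brings back: the ticket parameter of the redirect URL."""
    return parse_qs(urlsplit(url).query)["ticket"][0]


def parse_validate_response(body):
    """Client side: accept the user on line 2 only if line 1 is exactly "yes"."""
    lines = body.replace("\r\n", "\n").split("\n")
    if len(lines) < 2 or lines[0] != "yes" or not lines[1].strip():
        return None
    return lines[1].strip()


def client_login_flow(server, user, service):
    """Full round trip: login redirect, then back-channel validation of the ticket."""
    ticket = ticket_from_redirect(server.login(user, service))
    return parse_validate_response(server.validate(validate_query(ticket, service)))


def demo():
    """The four cases a validator must get right; returns the user or None for each."""
    now = [1000.0]
    srv = CasServer(clock=lambda: now[0])
    out = {"valid": client_login_flow(srv, "alice", SERVICE)}
    t = ticket_from_redirect(srv.login("bob", SERVICE))
    srv.validate(validate_query(t, SERVICE))                      # first use succeeds
    out["replay"] = parse_validate_response(srv.validate(validate_query(t, SERVICE)))
    t = ticket_from_redirect(srv.login("carol", SERVICE))
    out["wrong_service"] = parse_validate_response(
        srv.validate(validate_query(t, "http://attacker.example/")))
    t = ticket_from_redirect(srv.login("dave", SERVICE))
    now[0] += TICKET_TTL + 1
    out["expired"] = parse_validate_response(srv.validate(validate_query(t, SERVICE)))
    return out


if __name__ == "__main__":
    print(demo())
```

Two points carry over to the real clients. Neither cas.asp nor CASP.cs URL-encodes the service parameter, which breaks as soon as the service URL carries its own query string; validate_query above does. And the whole scheme rests on the validate call being made over https to a server whose certificate the client trusts (steps 3 and the IIS certificate note above); over plain http, anyone on the path can answer "yes" with a username of their choosing.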
posted on 2006-11-07 15:37 by robbin163, category: sso
