This article gives a brief introduction to CAS and how it works, and describes how to set up a CAS demo environment.
I. Introduction to CAS
CAS (Central Authentication Service) started as an open-source project at Yale University and later became a project of the Jasig organization, which is why it is also called Jasig CAS.
CAS is an open-source single sign-on (SSO) solution: it provides a Java server and supports clients written in several languages (Java, .NET, PHP and others).
II. How CAS works
The CAS SSO access flow is shown in the figure below.
1. Access the service: the SSO client sends a request for a service resource provided by the application system.
2. Redirect for authentication: the SSO client redirects the user's request to the SSO server.
3. User authentication: the user's identity is authenticated at the SSO server.
4. Issue a ticket: the SSO server generates a random Service Ticket.
5. Validate the ticket: the SSO server checks that the Service Ticket is valid; once it passes, the client is allowed to access the service.
6. Transmit user information: after the ticket passes validation, the SSO server sends the user's authentication result to the client.
![](https://img-blog.csdn.net/20151109184306791?watermark/2/text/aHR0cDovL2Jsb2cuY3Nkbi5uZXQv/font/5a6L5L2T/fontsize/400/fill/I0JBQkFCMA==/dissolve/70/gravity/SouthEast)
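The six steps above, as an added example that is not part of the original article and not code from the CAS project: an in-memory model of the CAS 2.0 Service Ticket exchange with both sides present, the server (login, TGT session, /serviceValidate) and the application that plays the role of the client filters. The endpoint names and the TGT-/ST- ticket prefixes follow the CAS protocol; the class and function names, the cas.example.test hostname, the demo credentials and the ten-second ticket lifetime are this example's own assumptions.

```python
import secrets
import time
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlencode, urlparse

ST_TTL_SECONDS = 10  # service tickets are short-lived; 10 s is assumed here (a common CAS default)


@dataclass
class CasServer:
    """The SSO server: authenticates users, keeps the SSO session (TGT) and issues/validates Service Tickets."""
    users: dict                                 # username -> password; constructed demo credentials
    tgts: dict = field(default_factory=dict)    # TGT id -> username (the browser keeps the TGT in a cookie)
    sts: dict = field(default_factory=dict)     # ST id -> (username, service, issued_at)

    def login(self, username, password, service, tgt=None):
        """Steps 3 and 4: authenticate (or reuse an existing SSO session) and issue a Service Ticket."""
        if tgt is not None and tgt in self.tgts:
            user = self.tgts[tgt]               # already logged in: no password prompt, this is the SSO part
        elif username in self.users and password is not None \
                and secrets.compare_digest(self.users[username].encode(), password.encode()):
            user = username
            tgt = "TGT-" + secrets.token_urlsafe(32)
            self.tgts[tgt] = user
        else:
            return None, None
        st = "ST-" + secrets.token_urlsafe(32)  # random, unguessable ticket bound to exactly this service
        self.sts[st] = (user, service, time.time())
        return tgt, st

    def service_validate(self, ticket, service, now=None):
        """Steps 5 and 6: /serviceValidate. A ticket is single-use, bound to one service and expires."""
        now = time.time() if now is None else now
        entry = self.sts.pop(ticket, None)      # pop, so a replayed ticket is rejected
        if entry is None:
            return {"ok": False, "code": "INVALID_TICKET"}
        user, bound_service, issued_at = entry
        if bound_service != service:
            return {"ok": False, "code": "INVALID_SERVICE"}
        if now - issued_at > ST_TTL_SECONDS:
            return {"ok": False, "code": "INVALID_TICKET"}  # expired
        return {"ok": True, "user": user}


@dataclass
class CasClient:
    """The application side: what AuthenticationFilter and the validation filter do in web.xml."""
    server: CasServer
    service_url: str
    cas_prefix: str = "https://cas.example.test/cas/"   # constructed hostname; the article uses localhost:8080

    def login_redirect(self):
        """Step 2: the redirect AuthenticationFilter sends an unauthenticated browser to."""
        return self.cas_prefix + "login?" + urlencode({"service": self.service_url})

    def handle_callback(self, url):
        """Step 5: the browser comes back with ?ticket=ST-...; validate it with the server before trusting it."""
        ticket = parse_qs(urlparse(url).query).get("ticket", [None])[0]
        if ticket is None:
            return None
        result = self.server.service_validate(ticket, self.service_url)
        return result["user"] if result["ok"] else None


def sso_demo():
    """Walk through the article's scenario: log in to mywebapp, then reach mywebapp2 without a second login."""
    server = CasServer(users={"casuser": "Mellon"})
    app1 = CasClient(server, "http://localhost:8060/mywebapp/protected/")
    app2 = CasClient(server, "http://localhost:8060/mywebapp2/protected/")
    tgt, st = server.login("casuser", "Mellon", app1.service_url)       # full login for the first app
    user1 = app1.handle_callback(app1.service_url + "?ticket=" + st)
    replay = app1.handle_callback(app1.service_url + "?ticket=" + st)    # same ticket again: must fail
    _, st2 = server.login(None, None, app2.service_url, tgt=tgt)         # SSO: TGT cookie, no password
    user2 = app2.handle_callback(app2.service_url + "?ticket=" + st2)
    _, st3 = server.login(None, None, app2.service_url, tgt=tgt)         # ticket for app2 presented to app1
    cross = app1.handle_callback(app1.service_url + "?ticket=" + st3)
    return {"user1": user1, "replay": replay, "user2": user2, "cross": cross}


if __name__ == "__main__":
    print(sso_demo())
```

The three rejections in sso_demo are the properties a validation step has to enforce: a ticket can be redeemed once, only by the service it was issued for, and only within its lifetime. They are also why the application must never trust a `ticket` parameter on its own; the validation filter in the client's web.xml exists precisely to make this round trip to the server.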
III. Setting up a CAS deployment
The versions used for this setup are cas-server-webapp-4.0.0 on the server side and cas-client-3.1.10 on the client side.
1. CAS server
Download cas-server-webapp-4.0.0.zip and unzip it; cas-server-webapp-4.0.0.war is in the modules folder.
![](https://img-blog.csdn.net/20151109112134041?watermark/2/text/aHR0cDovL2Jsb2cuY3Nkbi5uZXQv/font/5a6L5L2T/fontsize/400/fill/I0JBQkFCMA==/dissolve/70/gravity/SouthEast)
Copy cas-server-webapp-4.0.0.war into Tomcat's webapps folder and start Tomcat; the CAS server can then be opened in the browser, as shown.
![](https://img-blog.csdn.net/20151109113246087?watermark/2/text/aHR0cDovL2Jsb2cuY3Nkbi5uZXQv/font/5a6L5L2T/fontsize/400/fill/I0JBQkFCMA==/dissolve/70/gravity/SouthEast)
Under webapps\cas-server-webapp-4.0.0\WEB-INF, open deployerConfigContext.xml; as the figure shows, the default authentication handler accepts the username casuser with the password Mellon.
![](https://img-blog.csdn.net/20151109114512440?watermark/2/text/aHR0cDovL2Jsb2cuY3Nkbi5uZXQv/font/5a6L5L2T/fontsize/400/fill/I0JBQkFCMA==/dissolve/70/gravity/Center)
Enter this username and password on the login page to log in to the CAS server, as shown.
![](https://img-blog.csdn.net/20151109114926145?watermark/2/text/aHR0cDovL2Jsb2cuY3Nkbi5uZXQv/font/5a6L5L2T/fontsize/400/fill/I0JBQkFCMA==/dissolve/70/gravity/SouthEast)
The above runs over plain HTTP; CAS strongly recommends performing login over HTTPS. Configure SSL on the CAS server's Tomcat so that it supports HTTPS login, as shown.
![](https://img-blog.csdn.net/20151109172307563?watermark/2/text/aHR0cDovL2Jsb2cuY3Nkbi5uZXQv/font/5a6L5L2T/fontsize/400/fill/I0JBQkFCMA==/dissolve/70/gravity/SouthEast)
2. CAS client
The CAS client can be any of your web applications: configure its web.xml and add the cas-client jars, and it can talk to the CAS server.
Download cas-client-3.1.10-release.zip and unzip it; the cas-client jars are in the modules folder, as shown.
![](https://img-blog.csdn.net/20151109173331278?watermark/2/text/aHR0cDovL2Jsb2cuY3Nkbi5uZXQv/font/5a6L5L2T/fontsize/400/fill/I0JBQkFCMA==/dissolve/70/gravity/SouthEast)
The client application used in this example is mywebapp.war, downloaded from the official site; it already contains a web.xml, which only needs to be adjusted for our environment.
Copy mywebapp.war into Tomcat's webapps folder; once Tomcat has started and unpacked it, copy the cas-client jars into the lib folder of the unpacked mywebapp.
The modified web.xml is as follows:
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!--
  Copyright (c) 2008, Martin W. Kirst
  All rights reserved.

  Redistribution and use in source and binary forms, with or without
  modification, are permitted provided that the following conditions are met:

  * Redistributions of source code must retain the above copyright notice,
    this list of conditions and the following disclaimer.

  * Redistributions in binary form must reproduce the above copyright
    notice, this list of conditions and the following disclaimer in the
    documentation and/or other materials provided with the distribution.

  * Neither the name of the Martin W. Kirst nor the names of its
    contributors may be used to endorse or promote products derived from
    this software without specific prior written permission.

  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
  IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
  TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
  PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER
  OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
  EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
  PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
  PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
  LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
  NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
  SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-->
<web-app id="mywebapp" version="2.4" xmlns="http://java.sun.com/xml/ns/j2ee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">

  <display-name>mywebapp</display-name>

  <description>
    Simple sample, how to use CAS Java Client 3.x.
    In this sample exists a public area (/)
    and a private area (/protected/*).
  </description>

  <!--
  <filter>
    <filter-name>CAS Single Sign Out Filter</filter-name>
    <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
  </filter>
  -->

  <filter>
    <filter-name>CAS Authentication Filter</filter-name>
    <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
    <init-param>
      <param-name>casServerLoginUrl</param-name>
      <param-value>http://localhost:8080/cas/</param-value>
    </init-param>
    <init-param>
      <param-name>serverName</param-name>
      <param-value>http://localhost:8060</param-value>
    </init-param>
    <init-param>
      <param-name>renew</param-name>
      <param-value>false</param-value>
    </init-param>
    <init-param>
      <param-name>gateway</param-name>
      <param-value>false</param-value>
    </init-param>
  </filter>

  <filter>
    <filter-name>CAS Validation Filter</filter-name>
    <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
    <init-param>
      <param-name>casServerUrlPrefix</param-name>
      <param-value>http://localhost:8080/cas/</param-value>
    </init-param>
    <init-param>
      <param-name>serverName</param-name>
      <param-value>http://localhost:8060</param-value>
    </init-param>
  </filter>

  <filter>
    <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
    <filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
  </filter>

  <filter>
    <filter-name>CAS Assertion Thread Local Filter</filter-name>
    <filter-class>org.jasig.cas.client.util.AssertionThreadLocalFilter</filter-class>
  </filter>

  <!--
  <filter-mapping>
    <filter-name>CAS Single Sign Out Filter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
  -->

  <filter-mapping>
    <filter-name>CAS Authentication Filter</filter-name>
    <url-pattern>/protected/*</url-pattern>
  </filter-mapping>

  <filter-mapping>
    <filter-name>CAS Validation Filter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>

  <filter-mapping>
    <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>

  <filter-mapping>
    <filter-name>CAS Assertion Thread Local Filter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>

  <filter-mapping>
    <filter-name>CAS Validation Filter</filter-name>
    <url-pattern>/proxyCallback</url-pattern>
  </filter-mapping>

  <!--
  <listener>
    <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
  </listener>
  -->

  <welcome-file-list>
    <welcome-file>index.jsp</welcome-file>
  </welcome-file-list>

</web-app>
```
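A small lint over a CAS client web.xml, added here as an example that is not part of the original article or of the CAS client project. It parses the filter declarations and mappings and reports the configuration mistakes that silently weaken the chain above: a mapped filter that is never declared (or declared but never mapped), a protected URL pattern that the validation filter does not cover, serverName values that disagree between filters, CAS URLs on plain http, and a missing SingleSignOutFilter. The embedded document is a trimmed copy of the article's web.xml (license header and comments dropped); the function names, check names and messages are this example's own, and the https://localhost:8443 value in the hardened variant is a constructed placeholder.

```python
import xml.etree.ElementTree as ET

NS = {"j2ee": "http://java.sun.com/xml/ns/j2ee"}
AUTH_FILTER = "org.jasig.cas.client.authentication.AuthenticationFilter"
VALIDATION_FILTERS = ("Cas10TicketValidationFilter", "Cas20ServiceTicketValidationFilter",
                      "Cas20ProxyReceivingTicketValidationFilter")


def _text(el, tag):
    node = el.find("j2ee:" + tag, NS)
    return node.text.strip() if node is not None and node.text else ""


def load_filters(xml_text):
    """Return ({filter-name: {class, params}}, {filter-name: [url-pattern, ...]}) from a web.xml string."""
    root = ET.fromstring(xml_text)
    filters, mappings = {}, {}
    for f in root.findall("j2ee:filter", NS):
        params = {_text(p, "param-name"): _text(p, "param-value") for p in f.findall("j2ee:init-param", NS)}
        filters[_text(f, "filter-name")] = {"class": _text(f, "filter-class"), "params": params}
    for m in root.findall("j2ee:filter-mapping", NS):
        mappings.setdefault(_text(m, "filter-name"), []).append(_text(m, "url-pattern"))
    return filters, mappings


def covered(protected, pattern):
    """True if servlet url-pattern `pattern` matches every request that `protected` matches."""
    if pattern == "/*":
        return True
    if pattern.endswith("/*") and protected.endswith("/*"):
        return protected.startswith(pattern[:-1])   # /protected/sub/* lies under /protected/*
    return protected == pattern


def lint_cas_web_xml(xml_text):
    filters, mappings = load_filters(xml_text)
    findings = []
    for name in mappings:
        if name not in filters:
            findings.append(f"mapping references undeclared filter '{name}'")
    for name in filters:
        if name not in mappings:
            findings.append(f"filter '{name}' is declared but never mapped, so it does nothing")
    auth = [n for n, f in filters.items() if f["class"] == AUTH_FILTER]
    val = [n for n, f in filters.items() if f["class"].rsplit(".", 1)[-1] in VALIDATION_FILTERS]
    if not auth:
        findings.append("no AuthenticationFilter: nothing forces a login")
    if not val:
        findings.append("no ticket validation filter: tickets are never checked with the CAS server")
    # Every path the authentication filter protects must also pass through the validation filter;
    # otherwise the browser returns with ?ticket=... and nobody validates it.
    for a in auth:
        for prot in mappings.get(a, []):
            if not any(covered(prot, p) for v in val for p in mappings.get(v, [])):
                findings.append(f"{prot} is protected but not covered by the validation filter")
    server_names = {f["params"]["serverName"] for f in filters.values() if "serverName" in f["params"]}
    if len(server_names) > 1:
        findings.append(f"serverName differs between filters: {sorted(server_names)}")
    for name, f in filters.items():
        for key in ("casServerLoginUrl", "casServerUrlPrefix"):
            if f["params"].get(key, "").startswith("http://"):
                findings.append(f"{name}: {key} uses plain http; credentials and tickets travel unencrypted")
    if not any("SingleSignOutFilter" in f["class"] for f in filters.values()):
        findings.append("SingleSignOutFilter not configured: a CAS logout will not end this app's session")
    return findings


# Trimmed copy of the article's web.xml, constructed for this example (comments and license header dropped).
SAMPLE_WEB_XML = """<web-app version="2.4" xmlns="http://java.sun.com/xml/ns/j2ee">
  <filter>
    <filter-name>CAS Authentication Filter</filter-name>
    <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
    <init-param><param-name>casServerLoginUrl</param-name><param-value>http://localhost:8080/cas/</param-value></init-param>
    <init-param><param-name>serverName</param-name><param-value>http://localhost:8060</param-value></init-param>
  </filter>
  <filter>
    <filter-name>CAS Validation Filter</filter-name>
    <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
    <init-param><param-name>casServerUrlPrefix</param-name><param-value>http://localhost:8080/cas/</param-value></init-param>
    <init-param><param-name>serverName</param-name><param-value>http://localhost:8060</param-value></init-param>
  </filter>
  <filter-mapping><filter-name>CAS Authentication Filter</filter-name><url-pattern>/protected/*</url-pattern></filter-mapping>
  <filter-mapping><filter-name>CAS Validation Filter</filter-name><url-pattern>/*</url-pattern></filter-mapping>
  <filter-mapping><filter-name>CAS Validation Filter</filter-name><url-pattern>/proxyCallback</url-pattern></filter-mapping>
</web-app>
"""
# Same file with the CAS server moved to HTTPS (placeholder port); only the missing logout filter remains.
HARDENED_WEB_XML = SAMPLE_WEB_XML.replace("http://localhost:8080", "https://localhost:8443")

if __name__ == "__main__":
    for label, doc in (("article", SAMPLE_WEB_XML), ("hardened", HARDENED_WEB_XML)):
        print(label, lint_cas_web_xml(doc))
```

Run against the article's configuration the lint reports three things: both CAS URLs are plain http (the point the server section makes about HTTPS) and single sign-out is commented out, so a logout at the CAS server leaves the mywebapp session alive. The coverage check matters most when someone later narrows the validation filter from `/*` to a smaller pattern: `/protected/*` then stays "protected" by a redirect to CAS while the ticket the browser brings back is never validated.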
Start the client Tomcat, as shown.
![](https://img-blog.csdn.net/20151109182022504?watermark/2/text/aHR0cDovL2Jsb2cuY3Nkbi5uZXQv/font/5a6L5L2T/fontsize/400/fill/I0JBQkFCMA==/dissolve/70/gravity/SouthEast)
Clicking 'go to protected area' redirects to the CAS server's login page; enter the username and password to log in.
![](https://img-blog.csdn.net/20151109182125946?watermark/2/text/aHR0cDovL2Jsb2cuY3Nkbi5uZXQv/font/5a6L5L2T/fontsize/400/fill/I0JBQkFCMA==/dissolve/70/gravity/SouthEast)
Make a copy of mywebapp in the client Tomcat and name it mywebapp2. After restarting Tomcat you can see that once you are logged in to mywebapp, opening a protected page of mywebapp2 picks up the login state directly, with no second login required.