using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Web.UI.HtmlControls;
using SingleSignOn.Server.Auth;
namespace SingleSignOn.Server
{
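public partial class LoginPage : System.Web.UI.Page
{
    /// <summary>
    /// Shared login page of the token-issuing server (STS).
    /// GET: the client's reply URL ("reply") and its identifier ("id") arrive on the query
    /// string and are copied into hidden fields so they survive the credential post-back.
    /// POST with operate == "1": a token is issued for the submitted credentials, the SSO
    /// cookie is appended, the server form is replaced by an auto-submitting form that
    /// posts the token to the reply URL, and the flag read by submitNewForm() in the
    /// page markup is written to the response.
    /// </summary>
    protected void Page_Load(object sender, EventArgs e)
    {
        if (!IsPostBack)
        {
            AddRoundTripFields();
        }
        // "operate" == "1" already implies the value is present (a null field never equals "1").
        else if (Request.Form["operate"] == "1")
        {
            IssueTokenAndPostToReply();
        }
    }

    // GET: carry "reply" and "id" across the post-back as hidden fields of the server form.
    private void AddRoundTripFields()
    {
        this.Form.Controls.Add(CreateHiddenField("operate", "1"));
        this.Form.Controls.Add(CreateHiddenField("reply", Request.QueryString["reply"]));
        this.Form.Controls.Add(CreateHiddenField("identifier", Request.QueryString["id"]));
    }

    // Builds a hidden input whose ID and value are given. The rendered name attribute is
    // derived from the control's UniqueID; assigning Name is kept for readability.
    private static HtmlInputHidden CreateHiddenField(string name, string value)
    {
        HtmlInputHidden field = new HtmlInputHidden();
        field.ID = name;
        field.Name = name;
        field.Value = value;
        return field;
    }

    // POST: validate the credentials, set the SSO cookie and hand the token to the client.
    private void IssueTokenAndPostToReply()
    {
        if (this.Form != null)
        {
            // Delete the old form; a new form that posts to "reply" is created below, so the
            // rendered page contains exactly one form for the page script to submit.
            this.Controls.Remove(this.Form);
        }

        string userName = Request.Form["username"];
        string password = Request.Form["password"];
        string reply = Request.Form["reply"];
        string identifier = Request.Form["identifier"];

        TestProvider provider = new TestProvider();
        string token = provider.CreateAuthToken(userName, password, "TestSSOServer", identifier);

        // SSO cookie. The value is still the placeholder from the original sketch; the real
        // token format has to be designed separately. The page script never reads this
        // cookie (the token travels in a hidden field), so it can be kept from script.
        HttpCookie ssoCookie = new HttpCookie("TestSSO", "identifier+commonkey");
        ssoCookie.HttpOnly = true;
        ssoCookie.Secure = Request.IsSecureConnection; // keeps plain-http test setups working
        Response.AppendCookie(ssoCookie);

        // "reply" round-trips through a hidden field and is therefore client-controlled.
        // Only post the token to an absolute http(s) URL.
        // TODO: also check it against the reply URL registered for `identifier`; no such
        // registry exists in this code yet.
        if (IsAcceptableReplyUrl(reply))
        {
            HtmlForm replyForm = new HtmlForm();
            replyForm.ID = "loginForm";
            replyForm.Method = "POST";
            replyForm.Action = reply;
            replyForm.EnableViewState = false;

            HtmlInputHidden tokenField = new HtmlInputHidden();
            tokenField.ID = "cookie";
            tokenField.Value = token;
            replyForm.Controls.Add(tokenField);
            this.Controls.Add(replyForm);
        }

        // Flag checked by submitNewForm() (body onload) before it submits "loginForm".
        this.Response.Write("<script type='text/javascript'>var willReply = 1;</script>");
    }

    // True only for a well-formed absolute URL with the http or https scheme; anything
    // else (empty, relative, javascript:, data:, ...) must not become a form action.
    private static bool IsAcceptableReplyUrl(string reply)
    {
        Uri uri;
        if (string.IsNullOrEmpty(reply) || !Uri.TryCreate(reply, UriKind.Absolute, out uri))
        {
            return false;
        }
        return uri.Scheme == Uri.UriSchemeHttp || uri.Scheme == Uri.UriSchemeHttps;
    }
}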
}
以上是 Token 颁发中心公用 Login 页面的后台代码。
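<%@ Page Language="C#" AutoEventWireup="true" CodeBehind="LoginPage.aspx.cs" Inherits="SingleSignOn.Server.LoginPage" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
    <title></title>
    <script type="text/javascript">
        // Runs on body load. After a successful credential post the server writes
        // "var willReply = 1;" and replaces the page form with a form (id "loginForm")
        // whose action is the client's reply URL; that form is submitted here.
        // On the initial GET willReply is undefined and the login form is simply shown.
        function submitNewForm() {
            try {
                if (typeof willReply !== "undefined" && willReply != null) {
                    var form = document.getElementById("loginForm");
                    if (form) {
                        form.submit();
                    }
                }
            } catch (err) {
                // do nothing: fall back to showing the login form
            }
        }
    </script>
</head>
<!-- "onload" must be plain ASCII; the original used Greek omicrons, so it never fired. -->
<body onload="submitNewForm()">
    <form id="loginForm" runat="server" action="#">
        <div>
            UserName : <input type="text" name="username" id="username" /><br />
            Password: <input type="password" name="password" id="password" /><br />
            <input type="submit" value="Submit" />
        </div>
    </form>
</body>
</html>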
这一部分是 Login 页面的前台代码。
核心流程:
Client 请求登录 → 重定向到 STS 的 Login 页面(附带数据接收地址 reply 与自身的 identifier)→ STS 验证凭据,并将结果 POST 到 Reply 页面;在 POST 之前,将 STS 的 Token 写入 Cookie 以提供 SingleSignOn 功能 → Client 解析 STS POST 过来的数据。
STS核心逻辑:
1. 按照需求组装返回的数据以及需要写入 Cookie 的 Token;Token 需要精心设计,否则真的是不安全的。
2. 表单的置换:上述代码已经做了一些处理,但可能还不完善,只是提供一个思路。