This article briefly introduces CAS and how it works, then walks through setting up a CAS demo environment.
I. Introduction to CAS
CAS (Central Authentication Service) started as an open-source project at Yale University and later became a project of the Jasig organisation, which is why it is also known as Jasig CAS.
CAS is an open-source single sign-on (SSO) solution: it provides a Java server and supports clients written in several languages (Java, .Net, PHP, etc.).
II. How CAS works
The CAS SSO access flow is shown in the figure:
1. Access the service: the SSO client sends a request for a service resource provided by the application.
2. Redirect for authentication: the SSO client redirects the user's request to the SSO server.
3. User authentication: the user's identity is authenticated.
4. Issue a ticket: the SSO server generates a random Service Ticket.
5. Validate the ticket: the SSO server checks that the Service Ticket is valid; once validation passes, the client is allowed to access the service.
6. Transfer user information: after the ticket has been validated, the SSO server passes the authentication result for the user to the client.
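Steps 4 to 6 above (issue a random Service Ticket, validate it exactly once against the service it was issued for, return the user) as a small Python model of the CAS 2.0 serviceValidate exchange. This is an added example, not code from the original post or from Jasig CAS; the in-memory ticket store, the 10-second lifetime and the CasServer / parse_validation_response names are assumptions, while the XML shape follows the CAS 2.0 protocol.

```python
import secrets
import time
import xml.etree.ElementTree as ET

CAS_NS = "http://www.yale.edu/tp/cas"   # namespace of the /serviceValidate response
ST_LIFETIME_SEC = 10                    # assumed lifetime; real CAS tickets are short-lived too


class CasServer:
    """Server side of steps 4 and 5: issue a random ST, then validate it once."""

    def __init__(self):
        self._tickets = {}  # ST -> (service URL it was issued for, user, issue time)

    def issue_service_ticket(self, service, user, now=None):
        # The ST is random and bound to the exact service URL that asked for it
        # (built by the client from serverName + request path, see web.xml below).
        st = "ST-" + secrets.token_urlsafe(24)
        self._tickets[st] = (service, user, time.time() if now is None else now)
        return st

    def service_validate(self, service, ticket, now=None):
        """Handle /serviceValidate?service=...&ticket=...; returns CAS 2.0 XML."""
        now = time.time() if now is None else now
        # pop(): a ticket is consumed on first use, so a replayed ST fails
        entry = self._tickets.pop(ticket, None)
        if entry is None:
            return _failure("INVALID_TICKET", "ticket not recognized or already used")
        bound_service, user, issued_at = entry
        if now - issued_at > ST_LIFETIME_SEC:
            return _failure("INVALID_TICKET", "ticket expired")
        if bound_service != service:
            # An ST obtained for one service cannot be redeemed by another
            return _failure("INVALID_SERVICE", "ticket issued for a different service")
        return (f'<cas:serviceResponse xmlns:cas="{CAS_NS}">'
                f"<cas:authenticationSuccess><cas:user>{user}</cas:user>"
                "</cas:authenticationSuccess></cas:serviceResponse>")


def _failure(code, message):
    return (f'<cas:serviceResponse xmlns:cas="{CAS_NS}">'
            f'<cas:authenticationFailure code="{code}">{message}'
            "</cas:authenticationFailure></cas:serviceResponse>")


def parse_validation_response(xml_text):
    """Client side of step 6: return the authenticated user, or None on failure."""
    root = ET.fromstring(xml_text)
    user = root.find(f"{{{CAS_NS}}}authenticationSuccess/{{{CAS_NS}}}user")
    return user.text if user is not None else None
```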
III. Setting up a CAS application
The versions used for this setup are cas-server-webapp-4.0.0 on the server side and cas-client-3.1.10 on the client side.
1. CAS server
Download cas-server-webapp-4.0.0.zip and unzip it; cas-server-webapp-4.0.0.war is in the modules folder.
Copy cas-server-webapp-4.0.0.war into Tomcat's webapps folder and start Tomcat; the CAS server can then be reached as shown in the figure.
Open deployerConfigContext.xml under webapps\cas-server-webapp-4.0.0\WEB-INF; as the figure shows, the default authentication handler accepts the username casuser with the password Mellon.
Enter that username and password on the login page to log in to the CAS server, as shown in the figure.
The above uses plain HTTP. CAS strongly recommends using HTTPS for login and ticket validation, since otherwise the password and tickets cross the network in clear text. Configure SSL on the CAS server's Tomcat so that HTTPS login is supported, as shown in the figure.
2. CAS client
The CAS client can be any of your web applications: configure its web.xml and add the cas-client jars, and it can then interact with the CAS server.
Download cas-client-3.1.10-release.zip and unzip it; the cas-client jars can be seen in the modules folder, as shown in the figure.
The client application used in this example is mywebapp.war, downloaded from the official site. Its web.xml is already configured and only needs adjusting to our environment.
Copy mywebapp.war into Tomcat's webapps folder and start Tomcat so that it is unpacked, then put the cas-client jars into the lib folder of the unpacked mywebapp.
The modified web.xml is as follows:
<?xml version="1.0" encoding="UTF-8"?>
<!--
Copyright (c) 2008, Martin W. Kirst
All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:
* Redistributions of source code must retain the above copyright notice,
this list of conditions and the following disclaimer.
* Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
* Neither the name of the Martin W. Kirst nor the names of its
contributors may be used to endorse or promote products derived from
this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER
OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-->
<web-app id="mywebapp" version="2.4" xmlns="http://java.sun.com/xml/ns/j2ee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
  <display-name>mywebapp</display-name>
  <description>
    Simple sample, how to use CAS Java Client 3.x.
    In this sample exists a public area (/)
    and a private area (/protected/*).
  </description>

  <!-- Sign out not yet implemented -->
  <!--
  <filter>
    <filter-name>CAS Single Sign Out Filter</filter-name>
    <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
  </filter>
  -->

  <filter>
    <filter-name>CAS Authentication Filter</filter-name>
    <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
    <init-param>
      <param-name>casServerLoginUrl</param-name>
      <param-value>http://localhost:8080/cas/</param-value>
    </init-param>
    <init-param>
      <param-name>serverName</param-name>
      <param-value>http://localhost:8060</param-value>
    </init-param>
    <init-param>
      <param-name>renew</param-name>
      <param-value>false</param-value>
    </init-param>
    <init-param>
      <param-name>gateway</param-name>
      <param-value>false</param-value>
    </init-param>
  </filter>

  <filter>
    <filter-name>CAS Validation Filter</filter-name>
    <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
    <init-param>
      <param-name>casServerUrlPrefix</param-name>
      <param-value>http://localhost:8080/cas/</param-value>
    </init-param>
    <init-param>
      <param-name>serverName</param-name>
      <param-value>http://localhost:8060</param-value>
    </init-param>
  </filter>

  <filter>
    <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
    <filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
  </filter>

  <filter>
    <filter-name>CAS Assertion Thread Local Filter</filter-name>
    <filter-class>org.jasig.cas.client.util.AssertionThreadLocalFilter</filter-class>
  </filter>

  <!-- ************************* -->
  <!-- Sign out not yet implemented -->
  <!--
  <filter-mapping>
    <filter-name>CAS Single Sign Out Filter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
  -->

  <filter-mapping>
    <filter-name>CAS Authentication Filter</filter-name>
    <url-pattern>/protected/*</url-pattern>
  </filter-mapping>
  <filter-mapping>
    <filter-name>CAS Validation Filter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
  <filter-mapping>
    <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
  <filter-mapping>
    <filter-name>CAS Assertion Thread Local Filter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
  <filter-mapping>
    <filter-name>CAS Validation Filter</filter-name>
    <url-pattern>/proxyCallback</url-pattern>
  </filter-mapping>

  <!-- *********************** -->
  <!-- Sign out not yet implemented -->
  <!--
  <listener>
    <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
  </listener>
  -->
  <!-- *********************** -->

  <welcome-file-list>
    <welcome-file>index.jsp</welcome-file>
  </welcome-file-list>
</web-app>
Start the client Tomcat, as shown in the figure.
Clicking 'go to protected area' jumps to the CAS server login page; enter the username and password to log in.
Make a copy of mywebapp inside the client Tomcat and name it mywebapp2. After starting Tomcat you can see that once you have logged in to mywebapp, visiting the protected page of mywebapp2 picks up the login information directly, with no need to log in again.
IV. References
CAS tutorial
https://wiki.jasig.org/display/CASUM/Home
CAS client web.xml configuration
https://wiki.jasig.org/display/CASC/Configuring+the+Jasig+CAS+Client+for+Java+in+the+web.xml
CAS client sample
https://wiki.jasig.org/display/CASC/JA-SIG+Java+Client+Simple+WebApp+Sample
How CAS implements SSO single sign-on