CAS Single Sign-On Installation Notes 4 -- ASP.NET client setup

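1. First, edit the web.config file and add the following settings:

<authentication mode="Forms" >
    <forms name="casauth" loginUrl="login.aspx" />
</authentication>
<authorization>
    <deny users="?" />
</authorization>

I am not very familiar with .NET, but this configuration seems similar to a filter in a Java web application: when a user requests a page, they are first redirected to login.aspx for authentication.

2. Add the following C# code to the page load event of login.aspx: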

using System;
using System.IO;
using System.Net;
using System.Web;
using System.Web.Security;
using System.Xml;

// Code-behind for login.aspx (the class name is an assumption; use the one from your page)
public partial class login : System.Web.UI.Page
{
    // CAS authentication server address
    private const string CASHOST = "https://sso.gzps.net:8443/cas/";

    protected void Page_Load(object sender, EventArgs e)
    {
        // Accept-all certificate policy from step 3: turns off server certificate validation
        System.Net.ServicePointManager.CertificatePolicy = new MyPolicy();

        // Look for the "ticket=" after the "?" in the URL
        string tkt = Request.QueryString["ticket"];

        // This page is the CAS service=, but discard any query string residue
        string service = Request.Url.GetLeftPart(UriPartial.Path);

        // First time through there is no ticket=, so redirect to CAS login
        if (string.IsNullOrEmpty(tkt))
        {
            string redir = CASHOST + "login?" +
                "service=" + HttpUtility.UrlEncode(service);
            Response.Redirect(redir);
            return;
        }

        // Second time (back from CAS) there is a ticket= to validate.
        // Both values are URL-encoded so the ticket cannot add parameters to the request.
        string validateurl = CASHOST + "serviceValidate?" +
            "ticket=" + HttpUtility.UrlEncode(tkt) + "&" +
            "service=" + HttpUtility.UrlEncode(service);
        string resp;
        using (WebClient client = new WebClient())
        using (StreamReader Reader = new StreamReader(client.OpenRead(validateurl)))
        {
            // I like to have the text in memory for debugging rather than parsing the stream
            resp = Reader.ReadToEnd();
        }

        // Some boilerplate to set up the parse.
        NameTable nt = new NameTable();
        XmlNamespaceManager nsmgr = new XmlNamespaceManager(nt);
        XmlParserContext context = new XmlParserContext(null, nsmgr, null, XmlSpace.None);
        XmlTextReader reader = new XmlTextReader(resp, XmlNodeType.Element, context);

        string netid = null;

        // A very dumb use of XML. Just scan for the "user". If it isn't there, it's an error.
        while (reader.Read())
        {
            if (reader.IsStartElement())
            {
                string tag = reader.LocalName;
                if (tag == "user")
                    netid = reader.ReadString();
            }
        }
        // if you want to parse the proxy chain, just add the logic above
        reader.Close();

        // If there was a problem, leave the message on the screen. Otherwise, return to original page.
        if (netid == null)
        {
            Label1.Text = "CAS returned to this application, but then refused to validate your identity.";
        }
        else
        {
            Session["UserName"] = netid;
            Label1.Text = "Welcome " + netid;
            FormsAuthentication.RedirectFromLoginPage(netid, false); // set netid in ASP.NET blocks
        }
    }
}


The code above follows the solution published on the ja-sig site: http://www.ja-sig.org/wiki/display/CASC/ASP.NET+Forms+Authentication

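3. I thought that would be enough. At run time the page does redirect to the SSO server for authentication, but after the redirect the following error is reported:
" System.Net.WebException。 基础连接已关闭。 无法建立与远程服务器信任关系 " (in English: "The underlying connection was closed: Could not establish trust relationship with remote server").
This is most likely because the CAS server has a digital certificate installed, while the .NET client does not have the corresponding certificate installed.
You can either import the CAS server's certificate by following the steps in "Configuring the IIS server to support HTTPS/SSL for secure data exchange" (http://hi.baidu.com/wjmd521/blog/item/d0244e60edc9a045ebf8f898.html), or apply the workaround described at http://support.microsoft.com/kb/823177/:
Implementation class: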

using System.Net;
using System.Security.Cryptography.X509Certificates;

public class MyPolicy : ICertificatePolicy {
    public bool CheckValidationResult(
          ServicePoint srvPoint
        , X509Certificate certificate
        , WebRequest request
        , int certificateProblem) {

        //Return True to force the certificate to be accepted.
        return true;

    } // end CheckValidationResult
} // class MyPolicy


The client code then includes the following line:

System.Net.ServicePointManager.CertificatePolicy = new MyPolicy();
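
Because CheckValidationResult returns true for every certificate, the serviceValidate response that decides who is logged in is no longer authenticated. The following is an added example (not part of the original post or the ja-sig code) that keeps normal validation and makes one exception: the CAS host, when its certificate matches a pinned SHA-256 fingerprint. The class name CasCertificatePinning and the fingerprint placeholder are assumptions; the host name is taken from CASHOST above.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added example: pins the CAS server certificate instead of accepting every certificate.
public static class CasCertificatePinning
{
    // Host name taken from CASHOST on this page.
    private const string CasHost = "sso.gzps.net";

    // Placeholder: replace with the SHA-256 fingerprint (hex, no separators)
    // of the certificate exported from your CAS server.
    private const string PinnedSha256 = "REPLACE_WITH_CAS_CERT_SHA256_FINGERPRINT";

    // Call once at application start, in place of the CertificatePolicy assignment.
    public static void Install()
    {
        ServicePointManager.ServerCertificateValidationCallback = Validate;
    }

    public static bool Validate(object sender, X509Certificate certificate,
                                X509Chain chain, SslPolicyErrors errors)
    {
        // A certificate that chains to a trusted root and matches the host name is accepted.
        if (errors == SslPolicyErrors.None)
            return true;

        // Only the CAS host gets the pinning exception; every other host fails closed.
        HttpWebRequest request = sender as HttpWebRequest;
        if (request == null || certificate == null ||
            !string.Equals(request.RequestUri.Host, CasHost, StringComparison.OrdinalIgnoreCase))
            return false;

        // Accept the untrusted certificate only if it is exactly the pinned one.
        return string.Equals(Sha256Hex(certificate), PinnedSha256,
                             StringComparison.OrdinalIgnoreCase);
    }

    private static string Sha256Hex(X509Certificate certificate)
    {
        using (SHA256 sha = SHA256.Create())
        {
            byte[] hash = sha.ComputeHash(certificate.GetRawCertData());
            return BitConverter.ToString(hash).Replace("-", "");
        }
    }
}
```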


All of the code is in the attachment WebSite.rar; deploy it to your IIS server and it is ready to use.
For IIS server setup, see the "ASP.NET overnight crash course" (http://tech.163.com/special/00091PDS/aspnet.html).