目前SSO应用较为广泛，IBM,BEA都有自己商业方案，一般如有Portal，都会应用SSO.

Sun成立了OpenSSO.，在进行SSO的开发。

.net主要有passport方案

另有一个java开源的JOSSO，不过网上评价不高，

CAS目前讨论得比较多的地方是BEA广州UserGroup，地址为:

版主为David，java安全信息的专家，对cas有很深的研究，他的blog为

当然SSO也可以自己编写，关键是多个应用如何共享用户信息及数据安全，以及如何跨语言，跨域等.

可以参考fins的一篇文章(http://fins.javaeye.com/blog/31947)和

王昱的一文(http://biaoming.spaces.live.com/blog/cns!905abeb7a7abc122!118.entry)

以上都是基于java的实现.

.net中的自己编写实现有http://www.asp121.com/wlbc/23/430.shtml

 

CAS只提供一个简单的身分认证，认证方式很简单，只要用户名和密码相同，即通过，如果应用数据库验证，还需要自己编写。授权和权限没有提供，留给子系统去做。

CAS demo中的asp例子，可能不大完善，主要原因可以是，在tomcat中建立了和casserver的信任，但在IIS还没有。需要在IIS中建立证书，加入SSL.如需要更好的应用需要多了解SSL和PKI，及SSL在CasServer和CasClient之间ticket的交换.

如果应用CAS，还需要做的是，如何将yale的登录模块，定制成自己应用的Login模块.

 

 1:建立证书

keytool -genkey -alias tomcat -keyalg RSA  -keystore tomcat.keystore

在输入用户名时，如果是本机请输入localhost，否则输入域名

 

2:导入证书

     keytool -export -file myserver.cert -alias tomcat ?keystore tomcat.keystore

 

3:导入到JVM中

     keytool -import -keystore d:\jdk\jre\lib\security\cacerts(根据jdk的安装位置输入) -file myserver.cert -alias tomcat

以上操作最好放在tomcat的home目录下建立，需要熟悉jdk的命令 keytool

 

开放SSL 8443端口

编辑tomcat的配置文件server.xml，去掉下面SSL Connector的注释,修改为如下：

keystorePass为建立证书的密码

keystoreFile为建立证书的文件

 

5.将CAS server3.0.2中target目录中的CAS.war复制到%tomcat_home%\webapps目录下.

（或者\cas-server-2.0.12\lib目录中的CAS.war也可以）

 

6.将cas-client-java-2.1.1\dist\casclient.jar文件复制到%tomcat_home%\webapps\servlets-examples\WEB-INF\lib中(没有lib文件夹，自己建一个)

 

修改tomcat自带的servlet-examples的web.xml, 加入cas的过滤器:

 

<filter>

 

    <filter-name>CASFilter</filter-name>

 

    <filter-class>edu.yale.its.tp.cas.client.filter.CASFilter</filter-class>

 

    <init-param>

 

        <param-name>edu.yale.its.tp.cas.client.filter.loginUrl</param-name>

 

        <param-value>https://localhost:8443/cas/login</param-value>

 

    </init-param>

 

    <init-param>

 

        <param-name>edu.yale.its.tp.cas.client.filter.validateUrl</param-name>

 

        <param-value>https://localhost:8443/cas/proxyValidate</param-value>

 

    </init-param>

 

    <init-param>

 

        <param-name>edu.yale.its.tp.cas.client.filter.serverName</param-name>

 

<!―localhost:8080为自己的服务器名

    </init-param>

 

</filter>

 

<filter-mapping>

 

    <filter-name>CASFilter</filter-name>

 

    <url-pattern>/*</url-pattern>

 

</filter-mapping>

 

6.启动tomcat !,CAS.war文件被自动在webapps下释放出CAS目录

 

进入http://localhost:8080/servlets-examples, 被自动转发到CAS的登陆页面.

 

输入相同的用户名和密码，之后跳转回原来页面

注意：

 

在制作一个自签名的credential了, 在生成keystore文件的时候密码是:changeit(这是tomcat默认的),你的名字一定要是:localhost,当然这是你需要把CAS client和CAS server放在同一台机器上进行测试用的

 

 

在浏览器-工具-internet选项里导入myserver.cert后就不会出现安全警报

<%@ Language=JScript %>

<%

// Sample ASP code that uses CAS

// By Howard Gilbert

 

// If you logon, it says "Hello " followed by your userid

// For the Web server to talk to the CAS server, this code depends on the

// Microsoft ServerXMLHTTP control provided with MSXML. If the MS XML

// parser is not already installed on the IIS host machine,

// download version 3.0 SP1 or better from http://www.microsoft.com/xml

 

// Insert name of CAS Server at your location

//var CAS_Server = "https://secure.its.yale.edu/cas/servlet/";

 

// Insert public name of IIS Server hosting this script

// Note: Request.ServerVariables("SERVER_NAME") or anything based on

// the HTTP "Host" header should NOT be used; this header is supplied by

// the client and isn't trusted. (--SB)

 

              var http = Server.CreateObject("MSXML2.ServerXMLHTTP.4.0");

              var url =CAS_Server+"validate?ticket="+ticket+"&"+

              http.open("GET",url,false); // HTTP transaction to CAS server

              http.send();

             

              var resp=http.responseText.split('\n'); // Lines become array members

              if (resp[0]=="yes")   // Logon successful

                     greeting=resp[1]; // get userid for message

              Session.Contents("Netid")=resp[1];      // Save for subsequent calls

       }

}

%>

<HTML>

<HEAD><title>CAS ASP Example application</title></HEAD>

<BODY>

<P>Hello <%=greeting%></P>

</BODY>

</HTML>

 

/**

  CASP.cs

CAS over ASP.NET!

  * Created by John Tantalo, john.tantalo@case.edu

 * Case Western Reserve University

  * 

  * Modification History:

 * 

  * 12/09/05 jnt5, created class

* 12/12/05 jnt5, removed cookie check

  * stores CASNetworkID in session instead of cache

 * clears Page session variable after ticket verification

  * 12/13/05 jnt5, removed Page session variable

  *  fixed bug which would cause loop due to incorrect service parameter

  * 04/04/06 jnt5, adapted serviceURL code courtesy Ali Cakmak

 * 04/10/06 jnt5, added new comments

 * 

  * References:

  * 

 * http://wiki.case.edu/Central_Authentication_Service

  * https://clearinghouse.ja-sig.org/wiki/display/CAS/CAS+2.0+Protocol+Specification

  */

//以上为正式文件

 

 using System ;

 using System.Web.UI ;

 using System.Net ;

using System.IO ;

 using System.Web.SessionState;

 

        

public class CASP

 {

     /**

      * Authenticates a user with the given login and validation pages. After authentication

         * the user's browser is redirected to the original page.

     */

        

        public static String Authenticate( String LoginURL, String ValidateURL, Page Page )

         {

                return Authenticate( LoginURL, ValidateURL, Page, Page.Request.Url.AbsoluteUri.Split('?')[0] ) ;

        }

 

        /**

         * Authenticates a user with the given login and validation pages. After authentication

         * the user's browser is redirected to the location given as the service URL.

          */

         public static String Authenticate( String LoginURL, String ValidateURL, Page Page, String ServiceURL )

        {

                if( Page.Session["CASNetworkID"] != null ) // user already logged in

                        return Page.Session["CASNetworkID"].ToString() ;

               else // user hasn't logged in

              {

                       if( Page.Request.QueryString["ticket"] != null ) // ticket received

                       {

                              try // read ticket and request validation

                              {

                                        StreamReader Reader = new StreamReader( new WebClient().OpenRead( ValidateURL + "?ticket=" + Page.Request.QueryString["ticket"] + "&service=" + ServiceURL ) ) ;

                                                                      if( "yes".Equals( Reader.ReadLine() ) ) // ticket validated

                                       {

                                               // store network id in sesssion, return value

 

                                                return (String) ( Page.Session["CASNetworkID"] = Reader.ReadLine() ) ;

 

                                        }

                              } 

                               catch( WebException ) {}

                       } 

        

                         // ticket was invalid, or didn't exist, so request ticket

                

                        Page.Response.Redirect( LoginURL + "?service=" + ServiceURL, true ) ;

                        return null ;

                 }

         }

 }

 

allenzhou 2006-11-07 15:37 发表评论