
What is CAS authentication?

CAS is the abbreviation of Central Authentication Service; it is a stand-alone, open protocol for single sign-on.

CAS is an open-source project started by Yale University that aims to provide a reliable single sign-on (SSO) method for web application systems. CAS officially became a JA-SIG project in December 2004.

Characteristics

1. An open-source enterprise single sign-on solution.

2. The CAS server is a web application that must be deployed independently.

3. The CAS client supports many kinds of clients (here meaning the various web applications that take part in the single sign-on system), including Java, .NET, PHP, Perl, Apache, uPortal, Ruby, etc.

Principles and protocol

Structurally, CAS consists of two parts: the CAS server and the CAS client. The CAS server must be deployed independently and is mainly responsible for authenticating users.

The CAS client handles access requests for the application's protected resources and redirects to the CAS server when a login is required. The figure shows the most basic CAS protocol flow:

The CAS client is deployed together with the protected client application and guards the protected resources as a filter. For every web request to a protected resource, the CAS client checks whether the HTTP request carries a service ticket (ST).

If it does not, the current user has not logged in, so the request is redirected to the configured CAS server login address, passing along the service (that is, the address of the target resource being accessed) so that the browser can be sent back to that address after a successful login.

In step 3 the user enters the authentication credentials. If the login succeeds, the CAS server randomly generates a long, unique and unforgeable service ticket and caches it for later verification.

The server then redirects the browser back to the service address and sets a Ticket Granting Cookie (TGC) in the browser.

Having received the service and the newly generated ticket, the CAS client contacts the CAS server in steps 5 and 6 to verify that the service ticket is legitimate.

Throughout the protocol, all interactions with the CAS server use SSL to protect the ST and the TGC. Two redirects occur while the protocol runs, but the ticket validation between the CAS client and the CAS server is transparent to the user.

In addition, the CAS protocol provides a proxy mode for more advanced and complex application scenarios; see the documentation on the official CAS website for details.
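The flow just described, as an added example that is not part of the original page and not the Yale/JA-SIG client code: a CAS server that issues a TGC on login and a service ticket per service, and a client filter that redirects unauthenticated requests and validates the ticket through serviceValidate. The host names, URLs, the user "alice" and the ticket lifetime are constructed for the example. It also shows the three checks a practitioner relies on: a ticket is single-use, it expires, and it is only valid for the service it was issued to.

```python
"""Added example (not the page's or the Yale/JA-SIG client's code): the basic CAS 2.0
flow above, simulated in one process.  Host names, URLs and the user are constructed."""
import secrets
import time
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

CAS_NS = "http://www.yale.edu/tp/cas"   # namespace of the CAS 2.0 validation response
ST_TTL_SECONDS = 10                     # service tickets are short-lived (assumed value)


class CASServer:
    """Stand-in for the server at https://domainA:8443/cas."""

    def __init__(self, users):
        self.users = users   # username -> password (demo store only)
        self.tgts = {}       # TGC cookie value -> username
        self.sts = {}        # service ticket -> (username, service, issued_at)

    def login(self, service, username=None, password=None, tgc=None):
        """/cas/login: returns (redirect back to service with ?ticket=ST, tgc).
        A browser presenting a valid TGC is not asked for credentials again."""
        if tgc in self.tgts:
            user = self.tgts[tgc]
        elif username in self.users and self.users[username] == password:
            user = username
            tgc = "TGC-" + secrets.token_urlsafe(32)
            self.tgts[tgc] = user
        else:
            raise PermissionError("authentication failed")
        st = "ST-" + secrets.token_urlsafe(32)             # long, random, unforgeable
        self.sts[st] = (user, service, time.monotonic())   # cached for later validation
        return service + ("&" if "?" in service else "?") + urlencode({"ticket": st}), tgc

    def service_validate(self, service, ticket):
        """/cas/serviceValidate: CAS 2.0 XML response.  An ST is single-use,
        expires, and is only valid for the service it was issued to."""
        entry = self.sts.pop(ticket, None)                 # pop => cannot be replayed
        if entry is None:
            return self._failure("INVALID_TICKET", "ticket not recognized")
        user, issued_for, issued_at = entry
        if time.monotonic() - issued_at > ST_TTL_SECONDS:
            return self._failure("INVALID_TICKET", "ticket expired")
        if issued_for != service:
            return self._failure("INVALID_SERVICE", "ticket issued for another service")
        return (f'<cas:serviceResponse xmlns:cas="{CAS_NS}"><cas:authenticationSuccess>'
                f"<cas:user>{user}</cas:user></cas:authenticationSuccess></cas:serviceResponse>")

    @staticmethod
    def _failure(code, msg):
        return (f'<cas:serviceResponse xmlns:cas="{CAS_NS}"><cas:authenticationFailure '
                f'code="{code}">{msg}</cas:authenticationFailure></cas:serviceResponse>')


class CASFilter:
    """Stand-in for the servlet filter in front of a protected application."""

    def __init__(self, login_url, server):
        self.login_url, self.server = login_url, server

    def handle(self, request_url, session):
        """Returns ("ok", user), ("redirect", login_url) or ("deny", failure_code)."""
        if "user" in session:                              # already authenticated here
            return "ok", session["user"]
        parts = urlsplit(request_url)
        query = parse_qs(parts.query)
        ticket = query.pop("ticket", [None])[0]
        # service = the request URL without the ticket; it must match what was sent to /login
        service = urlunsplit(parts._replace(query=urlencode(query, doseq=True)))
        if ticket is None:                                 # steps 1-2: send the user to log in
            return "redirect", self.login_url + "?" + urlencode({"service": service})
        root = ET.fromstring(self.server.service_validate(service, ticket))  # steps 5-6
        user_el = root.find(f"{{{CAS_NS}}}authenticationSuccess/{{{CAS_NS}}}user")
        if user_el is None:
            failure = root.find(f"{{{CAS_NS}}}authenticationFailure")
            return "deny", failure.get("code") if failure is not None else "UNKNOWN"
        session["user"] = user_el.text                     # like CASFilter.CAS_FILTER_USER
        return "ok", user_el.text


def demo():
    """Runs casTest1 and casTest2 through the flow and returns the outcomes."""
    server = CASServer({"alice": "s3cret"})                         # constructed credentials
    login = "https://domainA:8443/cas/login"
    app1, app2 = CASFilter(login, server), CASFilter(login, server)
    s1, s2, out = {}, {}, {}
    out["first"] = app1.handle("http://domainB:8080/casTest1/protected-pattern/hello", s1)
    service1 = parse_qs(urlsplit(out["first"][1]).query)["service"][0]
    redirect, tgc = server.login(service1, "alice", "s3cret")         # steps 3-4
    out["callback"] = app1.handle(redirect, s1)                      # ST validated, user in session
    out["replay"] = app1.handle(redirect, {})                        # same ST again: rejected
    r2 = app2.handle("http://domainC:8080/casTest2/index.jsp", s2)
    service2 = parse_qs(urlsplit(r2[1]).query)["service"][0]
    redirect2, _ = server.login(service2, tgc=tgc)                   # TGC: no password prompt
    out["sso"] = app2.handle(redirect2, s2)
    stolen = server.login(service1, tgc=tgc)[0].split("ticket=")[1]  # ST meant for casTest1
    out["wrong_service"] = app2.handle(service2 + "?ticket=" + stolen, {})
    return out


if __name__ == "__main__":
    for step, result in demo().items():
        print(f"{step:14s} {result}")
```

The service URL the filter passes to serviceValidate is the request URL with the ticket parameter stripped; if it differs from the one sent to /login (for example because serverName in the filter configuration does not match the host the browser used), validation fails with INVALID_SERVICE, which is the usual cause of a login loop in real deployments.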

Further information

Using CAS to implement single sign-on in Tomcat: deploying the client application

The purpose of single sign-on is to let several related applications share one login. To illustrate, this article builds two simple applications, casTest1 and casTest2, each with a single page that shows a welcome message and the name of the currently logged-in user.

The two applications use the same login information, and only a logged-in user may access them. With the configuration described here, single sign-on is achieved: logging in once gives access to both applications.

Establishing a trust relationship with the CAS server

Assume the CAS server is deployed alone on machine A and the client application on machine B. Since the client application talks to the CAS server over SSL, a trust relationship must be established between the JREs of A and B; otherwise the client's validation call to the server fails at the SSL handshake.

First, as on machine A, generate a certificate on machine B and configure Tomcat's SSL connector.

Second, download InstallCert.java (from the blog entry "no_more_unable_to_find", by Andreas) and run the command "java InstallCert compA:8443".

At the prompt that follows, enter 1 to select the certificate to add.

This adds A's certificate to B's trust store. If several client applications are deployed on different machines, each of those machines needs a trust relationship with the machine running the CAS server.

Configuring the CAS filter

Once casTest1 and casTest2 are ready, deploy them on machines B and C respectively. Since casTest1 is exactly equivalent to casTest2, and B to C, only the configuration of casTest1 on machine B is described here.

Assume the domain names of A and B are domainA and domainB respectively.

Rename cas-client-java-2.1.zip to cas-client-java-2.1.jar, copy it into the casTest1/WEB-INF/lib directory, then edit web.xml and add the CAS filter, as shown in Listing 10.

Listing 10. Add CAS filter

<web-app>
  ...
  <filter>
    <filter-name>CAS Filter</filter-name>
    <filter-class>edu.yale.its.tp.cas.client.filter.CASFilter</filter-class>
    <init-param>
      <param-name>edu.yale.its.tp.cas.client.filter.loginUrl</param-name>
      <param-value>https://domainA:8443/cas/login</param-value>
    </init-param>
    <init-param>
      <param-name>edu.yale.its.tp.cas.client.filter.validateUrl</param-name>
      <param-value>https://domainA:8443/cas/serviceValidate</param-value>
    </init-param>
    <init-param>
      <param-name>edu.yale.its.tp.cas.client.filter.serverName</param-name>
      <param-value>domainB:8080</param-value>
    </init-param>
  </filter>
  <filter-mapping>
    <filter-name>CAS Filter</filter-name>
    <url-pattern>/protected-pattern/*</url-pattern>
  </filter-mapping>
  ...
</web-app>

All resources under the path casTest1/protected-pattern/ now require a login at the CAS server. To protect all of casTest1, set the url-pattern to "/*".

As Listing 10 shows, a number of parameters can be specified for CASFilter, some of which are required. Table 1 and Table 2 list the required and the optional parameters respectively:

Table 1. Required CASFilter parameters

Table 2. Optional CASFilter parameters

Passing the login user name

After a successful login, the CAS server sets the TGC cookie in the browser and issues a new service ticket. Each client application, however, has its own session, so how does each application obtain the name of the currently logged-in user?

The CAS client filter has already taken care of this: after a successful login, the user name can be read directly from a session attribute, as shown in Listing 11:

Listing 11. Getting the login user name from the Java session

  // Either of the following works.
  session.getAttribute(CASFilter.CAS_FILTER_USER);
  session.getAttribute("edu.yale.its.tp.cas.client.filter.user");

Listing 12 shows how to obtain the user name in JSTL:

Listing 12. Getting the login user name through JSTL

  <c:out value="${sessionScope['edu.yale.its.tp.cas.client.filter.user']}"/>

In addition, the CAS client provides a CASFilterRequestWrapper class, which extends HttpServletRequestWrapper and mainly overrides the getRemoteUser() method.

As long as the parameter edu.yale.its.tp.cas.client.filter.wrapRequest is set to true, the login user name can be obtained through getRemoteUser(), as shown in Listing 13:

Listing 13. Getting the login user name through CASFilterRequestWrapper

  CASFilterRequestWrapper reqWrapper = new CASFilterRequestWrapper(request);
  out.println("Login user: " + reqWrapper.getRemoteUser());

Baidu Encyclopedia - CAS

IBM China - Using CAS to implement single sign-on in Tomcat