PHP SSO: single sign-on and logout with CAS
I. CAS server setup
CAS server download: http://downloads.jasig.org/cas/
Unzip cas-server-4.0.0-release.zip, rename modules/cas-server-webapp-4.0.0.war to cas.war and copy it into Tomcat's webapps directory. Start Tomcat and open http://localhost:8080/cas/login; you will see the login screen.
By default the CAS server accepts any login whose password equals the user name, and it requires HTTPS, for which Tomcat must be configured with a certificate. The setup described here does not use HTTPS; if you want HTTPS authentication, see:
http://blog.csdn.net/haydenwang8287/archive/2010/07/26/5765941.aspx
1. If you do not use HTTPS, the server needs the following changes.
Open cas/WEB-INF/deployerConfigContext.xml and find the bean:
    <bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"
          p:httpClient-ref="httpClient"/>
Add the parameter p:requireSecure="false". It controls whether secure (HTTPS) service URLs are required; false means they are not. After the change the bean reads:
    <bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"
          p:httpClient-ref="httpClient"
          p:requireSecure="false"/>
Next open cas/WEB-INF/spring-configuration/ticketGrantingTicketCookieGenerator.xml, which contains:
    <bean id="ticketGrantingTicketCookieGenerator"
          class="org.jasig.cas.web.support.CookieRetrievingCookieGenerator"
          p:cookieSecure="true"
          p:cookieMaxAge="-1"
          p:cookieName="CASTGC"
          p:cookiePath="/cas"/>
The parameter p:cookieSecure="true" is tied to HTTPS: true means the cookie is only sent over HTTPS, false means it is also sent over plain HTTP, which is what this non-HTTPS setup needs.
The parameter p:cookieMaxAge="-1" is simply the maximum lifetime of the cookie. -1 means a session cookie: it lives only in the currently open IE window, so closing IE or opening another window will require logging in again. It can be changed as needed to a number greater than 0, for example 3600, meaning that within 3600 seconds any IE window can be opened without re-authenticating.
The server-side logout address is http://localhost:8080/cas/logout.
If you want CAS to redirect back to the application after logout, edit cas-servlet.xml on the server. In the bean
    <bean id="logoutController" class="org.jasig.cas.web.LogoutController" ... />
add the property p:followServiceRedirects="true". The logout link then becomes:
http://localhost:8080/cas/logout?service=http://localhost:8080/Casclient/index.jsp
2. Change the server authentication method to database authentication.
Edit deployerConfigContext.xml and add a DBCP connection pool (Oracle is used as the example):
    <bean id="casDataSource" class="org.apache.commons.dbcp.BasicDataSource">
        <property name="driverClassName">
            <value>oracle.jdbc.driver.OracleDriver</value>
        </property>
        <property name="url">
            <value>jdbc:oracle:thin:@192.168.18.26:1521:orcl</value>
        </property>
        <property name="username">
            <value>test</value>
        </property>
        <property name="password">
            <value>test</value>
        </property>
    </bean>
The required jar files are: cas-server-support-jdbc-3.4.4.jar, commons-dbcp-1.2.1.jar, commons-pool-1.3.jar, ojdbc14_g.jar.
Configure the password encoding. CAS ships with an MD5 encoder; you can also write your own encoder class by implementing the org.jasig.cas.authentication.handler.PasswordEncoder interface:
    <bean id="passwordEncoder"
          class="org.jasig.cas.authentication.handler.DefaultPasswordEncoder"
          autowire="byName">
        <constructor-arg value="MD5"/>
    </bean>
Comment out the default authentication handler and use a database query for validation instead:
    <property name="authenticationHandlers">
        <list>
            <!-- the default handler is commented out here; the QueryDatabaseAuthenticationHandler below is used instead
            <bean class="org.jasig.cas.authentication.handler.support.SimpleTestUsernamePasswordAuthenticationHandler"/>
            -->
            <bean class="org.jasig.cas.adaptors.jdbc.QueryDatabaseAuthenticationHandler">
                <property name="dataSource" ref="casDataSource"/>
                <property name="sql" value="select password from userinfo where lower(username) = lower(?)"/>
                <property name="passwordEncoder" ref="passwordEncoder"/>
            </bean>
        </list>
    </property>
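To make clear what the configuration above actually checks, here is an added example (not CAS code) that models QueryDatabaseAuthenticationHandler with the page's SQL and DefaultPasswordEncoder("MD5"); sqlite3 stands in for the Oracle data source, and the userinfo rows are constructed.

```python
# Added example (not CAS code): models what QueryDatabaseAuthenticationHandler
# does with the SQL above and DefaultPasswordEncoder("MD5"), with sqlite3
# standing in for the Oracle data source.
import hashlib
import hmac
import sqlite3

# The same query as in deployerConfigContext.xml; '?' is a bound parameter,
# so the submitted user name never reaches the database as SQL text.
SQL = "select password from userinfo where lower(username) = lower(?)"


def md5_encoder(raw_password):
    """DefaultPasswordEncoder('MD5'): lowercase hex digest of the plaintext."""
    return hashlib.md5(raw_password.encode("utf-8")).hexdigest()


def build_userinfo():
    """Constructed userinfo table; stored values must already be MD5 hex."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table userinfo (username text, password text)")
    conn.executemany(
        "insert into userinfo values (?, ?)",
        [("Alice", md5_encoder("s3cret")), ("bob", md5_encoder("hunter2"))],
    )
    return conn


def authenticate(conn, username, password, encoder=md5_encoder):
    """Mirror the handler: look the user up, encode the input, compare."""
    rows = conn.execute(SQL, (username,)).fetchall()
    if len(rows) != 1:
        return False  # no such user (or duplicate rows): the login fails
    # Constant-time comparison here; the Java handler uses String.equals.
    return hmac.compare_digest(rows[0][0], encoder(password))
```

Because lower() is applied on both sides, "ALICE" and "alice" resolve to the same row; a custom PasswordEncoder plugs in at the encoder argument, which is where a salted scheme would replace MD5.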
The server configuration is complete.
II. Configure the PHP client
PHP client download: http://downloads.jasig.org/cas-clients/php/; at the time of writing the latest version is CAS-1.2.0RC2.
Create a new project, phpCasClient. Copy the CAS folder and CAS.php into the project, edit CAS/Client.php and change HTTPS to HTTP, then create a new PHP file, user.php, which handles the single sign-on, with the following content:
<?php
class user
{
    /**
     * Logs out the current user and redirects to the home page.
     */
    public function logout()
    {
        session_start();
        // With single sign-on enabled, also log out at the central CAS server
        if (isset($_SESSION['phpCAS']) && $_SESSION['phpCAS']['auth_checked'] == '1') {
            // Load phpCAS
            include_once 'CAS-1.2.0/CAS.php';
            // Initialise phpCAS:
            // phpCAS::client(CAS_VERSION_2_0, 'CAS server host', port (integer), 'CAS context path');
            phpCAS::client(CAS_VERSION_2_0, "192.168.142.1", 80, "/cas");
            // Method one: put the address to return to after logout in the login URL
            /*
            phpCAS::setServerLoginUrl("https://192.168.142.1:80/cas/logout?embed=true&service=http://localhost/phpCasClient/user.php?a=login");
            // no SSL validation for the CAS server
            phpCAS::setNoCasServerValidation();
            phpCAS::logout();
            */
            // Method two: pass the return address as the service parameter of logout()
            phpCAS::setNoCasServerValidation();
            $param = array("service" => "http://localhost/phpCasClient/user.php?a=login");
            phpCAS::logout($param);
        }
    }

    /**
     * @desc loginCas() single sign-on
     */
    public function loginCas()
    {
        // P3P header so that IE accepts the session cookie when the page is loaded in a frame
        header('P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"');
        // Load phpCAS
        include 'CAS-1.2.0/CAS.php';
        // Initialise phpCAS:
        // phpCAS::client(CAS_VERSION_2_0, 'CAS server host', port (integer), 'CAS context path');
        phpCAS::client(CAS_VERSION_2_0, "192.168.142.1", 80, "/cas", true);
        // Optional: while debugging, the validation exchange can be followed in the server's cas.log
        phpCAS::setDebug();
        // Address to jump to after a successful login
        phpCAS::setServerLoginUrl("https://192.168.142.1:80/cas/login?embed=true&cssUrl=http://localhost/phpCasClient/style/login.css&service=http://localhost/phpCasClient/user.php?a=loginCas");
        // No SSL validation of the CAS server certificate (this setup does not use SSL)
        phpCAS::setNoCasServerValidation();
        // Handle single-logout notifications from the server, so that PHP is logged
        // out in step with applications on other platforms
        phpCAS::handleLogoutRequests();
        if (phpCAS::checkAuthentication()) {
            // Login succeeded: read the user name and jump to the home page with JS
            $username = phpCAS::getUser();
            echo "<script language=\"javascript\">parent.location.href='http://localhost/phpCasClient/home.php';</script>";
        } else {
            // Not authenticated yet: redirect to the CAS login page
            phpCAS::forceAuthentication();
        }
        exit;
    }
}
?>
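The synchronized logout that phpCAS::handleLogoutRequests() provides works because the CAS server posts a logoutRequest to every service that validated a ticket during the session. The following added example (not phpCAS code) shows that exchange from the client's side: it parses the constructed SAML LogoutRequest, rejects requests that do not come from the CAS server host used above, and destroys the local session tied to the named service ticket; the session store and the allowed-host set are assumptions.

```python
# Added example (not phpCAS code): process the CAS single-logout (SLO) request
# that phpCAS::handleLogoutRequests() handles. The server POSTs a form field
# logoutRequest holding a SAML LogoutRequest; <samlp:SessionIndex> is the
# service ticket (ST) that was validated when the user logged in.
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed session store keyed by ST. A client must remember which ST
# created which local session, or it cannot honour the logout.
sessions = {
    "ST-1-abc123": {"user": "alice", "auth_checked": "1"},
    "ST-2-def456": {"user": "bob", "auth_checked": "1"},
}

# Only the CAS server may trigger a logout (phpCAS checks the sender by default).
ALLOWED_CLIENTS = {"192.168.142.1"}


def parse_session_index(logout_request):
    """Return the ST named in a samlp:LogoutRequest, or raise ValueError."""
    root = ET.fromstring(logout_request)
    if root.tag != "{%s}LogoutRequest" % SAMLP:
        raise ValueError("not a samlp:LogoutRequest")
    idx = root.find("{%s}SessionIndex" % SAMLP)
    if idx is None or not (idx.text or "").strip():
        raise ValueError("missing SessionIndex")
    return idx.text.strip()


def handle_logout_request(remote_addr, form, store=sessions, allowed=ALLOWED_CLIENTS):
    """Destroy the local session named by the request; True if one was removed."""
    if "logoutRequest" not in form:
        return False  # ordinary request: nothing to do
    if remote_addr not in allowed:
        return False  # untrusted sender: ignore rather than kill sessions
    try:
        ticket = parse_session_index(form["logoutRequest"])
    except (ET.ParseError, ValueError):
        return False
    return store.pop(ticket, None) is not None


# Constructed request in the shape the CAS server sends.
SAMPLE_REQUEST = (
    '<samlp:LogoutRequest xmlns:samlp="%s" ID="LR-1-x" Version="2.0" '
    'IssueInstant="2014-01-01T00:00:00Z">'
    '<saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">@NOT_USED@</saml:NameID>'
    '<samlp:SessionIndex>ST-1-abc123</samlp:SessionIndex>'
    '</samlp:LogoutRequest>' % SAMLP
)
```

Note that a logoutRequest from any other address is ignored rather than acted on, which is why the sender check matters: without it, anyone who can guess a ticket value could log other users out.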
Create a new view-layer file, login.html, which is the single sign-on page, with the following content:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
Note: php_curl must be enabled in php.ini. Find the line ;extension=php_curl.dll and remove the leading semicolon so that it reads extension=php_curl.dll.
Now open login.html and you will see the single sign-on page; after a successful login, the page jumps to home.php.
Click Log Out: the control layer calls the logout method of user.php, which handles the logout request. After a successful logout, the page returns to login.html and prompts the user to log in again.
With that, single sign-on and logout with CAS in PHP are complete.