PHP SSO Single Sign-on and logout function with CAs

Source: Internet
Author: User
Tags cas http authentication md5 encryption

PHP SSO Single Sign-on and logout function with CAs


One.. CAS Server Setup

CAS Server side: http://downloads.jasig.org/cas/

Unzip Cas-server-4.0.0-release.zip to rename the Cas-server-webapp-4.0.0.war under the modules directory as Cas.war copy to under Tomcat's WebApps, launch Tomcat, Access: Http://localhost:8080/cas/login you will see the login screen:


CAS server by default is the user name = password authentication, and the use of HTTPS authentication, need to give Tomact configuration certificate, the system does not use HTTPS authentication, if the use of HTTPS authentication can be consulted:

http://blog.csdn.net/haydenwang8287/archive/2010/07/26/5765941.aspx

1. If you do not use HTTP authentication, the server needs to be configured as follows:

Locate the file Cas/web-inf/deployerconfigcontext.xml as follows:

<bean class= "Org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"  

Increase the parameter p:requiresecure= "false", whether the need for security verification, that is, Https,false is not used, plus go after, as follows:

<bean class= "Org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"   p:httpclient-ref= "httpClient"  p:requiresecure= "false"/>
Files found: Cas/web-inf/spring-configuration/ticketgrantingticketcookiegenerator.xml the following:

<bean id= "Ticketgrantingticketcookiegenerator" class= " Org.jasig.cas.web.support.CookieRetrievingCookieGenerator "   p:cookiesecure=" true "   p:cookiemaxage="-1 "   p:cookiename= "CASTGC"   p:cookiepath= "/cas"/>
Parameter p:cookiesecure= "True", which is related to HTTPS authentication, true for HTTPS authentication, FALSE for HTTPS authentication.
The parameter p:cookiemaxage= "-1", which is simply the maximum life cycle of a cookie, 1 is a life cycle, that is, only in the currently open IE window, ie close or reopen other windows, will still require validation. can be modified as necessary to a number greater than 0, such as 3600, meaning that within 3,600 seconds, open any IE window, do not need to verify.

Server-side exit Address:Http://localhost:8080/cas/logout,:


Configure the server-side cas-servlet.xml configuration if you wish to return after exiting

<bean id= "Logoutcontroller" class= "Org.jasig.cas.web.LogoutController" ... .../>

Add Property p:followserviceredirects= "true"

the Exit link is:http://localhost:8080/cas/logout?service=http://localhost:8080/Casclient/index.jsp

2. Change the server authentication method, using Database authentication

Modify the configuration file Deployerconfigcontext.xml, add DBCP Connection pool: (Oracle as an example)

<bean id= "Casdatasource" class= "Org.apache.commons.dbcp.BasicDataSource" >       <property name= " Driverclassname ">            <value>oracle.jdbc.driver.OracleDriver</value>       </property>       <property name= "url" >            <value>jdbc:oracle:thin:@192.168.18.26:1521:orcl</value>       </ property>       <property name= "username" >            <value>test</value>       </property>       <property name= "password" >            <value>test</value>       </property>     </ Bean>

The required jar packages are: (Cas-server-support-jdbc-3.4.4.jar,commons-dbcp-1.2.1.jar,commons-pool-1.3.jar,ojdbc14_g.jar)

Configure the encryption method, CAS has built-in MD5 encryption, you can also write your own encryption class, implement the Org.jasig.cas.authentication.handler.PasswordEncoder interface can:

<bean id= "Passwordencoder"        class= "Org.jasig.cas.authentication.handler.DefaultPasswordEncoder" autowire= " ByName ">            <constructor-arg value=" MD5 "/>       </bean>
comment out the default authentication method, using database query validation:

<property name= "Authenticationhandlers" >       <list>       <!----comment out the default authentication method here, Use the following verification querydatabaseauthenticationhandler-->      <!--  <bean class= " Org.jasig.cas.authentication.handler.support.SimpleTestUsernamePasswordAuthenticationHandler "/>         -- <bean class= "Org.jasig.cas.adaptors.jdbc.QueryDatabaseAuthenticationHandler" >        <property name= " DataSource "ref=" Casdatasource "/>        <property name=" sql "            value=" Select password from userinfo where lower (username) = lower (?) "/>        <property  name=" Passwordencoder "ref=" Passwordencoder "  />       </bean>     </list>    
Server Configuration Complete


Two. Configure the PHP client

PHP Client: http://downloads.jasig.org/cas-clients/php/, currently the latest version is CAS-1.2.0.ORC2

New project: Phpcasclient. Copy the CAs folder and cas.php to the project, modify the cas/client.php, change the HTTPS to HTTP, and create a new PHP file: user.php , this file is used to process single sign-on with the following content:

</pre><p><pre name= "code" class= "PHP" ><pre name= "code" class= "PHP" ><?phpclass user{/** * Logs out the current user and redirect to homepage. */public function Logout () {session_start ();//When enabling single sign-on, go to Unified Certification Center logout && isset ($_session[' Phpcas ') && $ _session[' Phpcas ' [' auth_checked '] = = ' 1 '//inductive casinclude_once '/cas-1.2.0/cas.php ';//Initialize Phpcas//phpcas:: Client (CAS_VERSION_2_0, ' service address ', port number, ' CAS ' Access address ');p hpcas::client (cas_version_2_0, "192.168.142.1", "N", "/cas");// Method One: Log out after the success of the address of the jump-logout method Add this sentence/*phpcas::setserverloginurl ("https://192.168.142.1:80/cas/logout?embed=true& Service=http://localhost/phpcasclient/user.php?a=login ")//no SSL validation for the CAS Serverphpcas:: Setnocasservervalidation ();p hpcas::logout (); *///method Two: Return address after logging out--add this sentence in the Logout method Phpcas::setnocasservervalidation (); $ Param=array ("Service" = "Http://localhost/phpCasClient/user.php?a=login");p hpcas::logout ($param);} /** * @desc Logincas () Single Sign-on */public function Logincas () {Header (' p3p:cp= ' IDC DSP COR ADM DEVi taii PSA PSD Ivai ivdi CONi His our IND CNT "');//inductive casinclude ' cas-1.2.0/cas.php ';//Initialize Phpcas Phpcas::client (CAS_VERSION_2_0, ' service address ', port number, ' CAS ' Access address ');p hpcas::client (cas_version_2_0, "192.168.142.1", "80", "/ CAS ", true);//Can not be used for debugging, you can see the verification process through the cas.log of the server. Phpcas::setdebug ();//Landing successful after the address of the jump-login method Add this sentence Phpcas::setserverloginurl ("https://192.168.142.1:80/cas/login?embed =true&cssurl=http://localhost/phpcasclient/style/login.css&service=http://localhost/phpcasclient/ User.php?a=logincas ");//no SSL Validation for the CAS server does not use SSL service to verify Phpcas::setnocasservervalidation ();/ This will detect the server-side exit notification, you can implement PHP and other language platform synchronization log out of phpcas::handlelogoutrequests (); if (Phpcas::checkauthentication ()) {// Get login username $username=phpcas::getuser ();//user login successful, using JS to page jump echo "<script language=\" javascript\ "> parent.location.href= ' http://localhost/phpCasClient/home.php ';</script> ";} else{//access to CAS authentication phpcas::forceauthentication ();} Exit;}}? >



Create a new view layer, login. html, which is a single-point landing page with the following:

<! DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 transitional//en" "Http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd ">Attention:PHP configuration file php.ini need to open php_curl, that is to find, Extension=php_curl.dll, the sentence before the semicolon removed can be changed to Extension=php_curl.dll

At this time, access to login.html, you can see the single-point landing interface, the successful landing, the page jumps to home.php.

Click Log Out, control layer request user.php logout method, processing log out request. After the successful logout, the page jumps to login.html, prompting the user to log in


At this point, PHP using CAS single-sign-on, logout has been completed operation.





Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.