on several blogs about using cookies to implement single sign-on with domain and cross-domain systems, this article will introduce a single sign-on instance through CAs.
CAS is a single sign-on server developed by Yale University, which is mainly divided into two system modules: service and client. first, CAS implementation of the principle of SSO and certification process
The principle of using CAs to implement SSO is actually the same as creating a cookie, but CAS calls this authentication cookie ticket.
The certification process is as follows:
1, the browser issued a user request to the client program (for example, the above www.a.com,www.b.com belongs to two client programs).
2, Client Authentication: The client will verify locally that the request corresponds to the ticket information, if not, indicates that the user has not logged in, redirected to the CAS server, the server is responsible for generating a user ticket, returned to the client.
3, the client then sends the browser to the user request and the server returns the ticket authentication, valid returns the client to specify the page. The client saves the ticket for verification by the next user request.
The ticket of the CAS client is actually the credential cookie returned by the CAS service side. second, CAs to achieve single sign-on
1. Set up three domains to point to local IP
Two clients: 127.0.0.1 www.a.com, 127.0.0.1 www.b.com
One server: 127.0.0.1 www.server.com
2. Download CAS-related jar package cas-server3.xx.zip cas-client.zip
3, CAS server configuration decompression Cas-server.zip, and from which to find the servers-side war file, published to the application server tomcat, and configure the Tomcat Server.xml file add 2) Modify client Web. xml The address of the filter in the, the client will run normally after Tomcat is started. Third, CAs source ideas
Through the configuration we are not difficult to find, the implementation of the idea of CAs and the previous blog to realize the idea of SSO basically consistent:
The server-side code is responsible for generating ticket and maintaining these ticket with a map structure. The "Authentication Center" in the SSO architecture. It is also responsible for interacting with the database.
The client writes the validation code, primarily responsible for authenticating and verifying the ticket, which is the two core interceptors in Web. XML to intercept client requests. Used to redirect and receive ticket sent by the server respectively.
The server-side program for CAS is written by spring+spring Web flow. Use all of the spring configuration files. Iv.cas similar products
There are a number of options for the implementation of single sign-on, including:
1, the use of specialized SSO business software: mainly: Netgrity SiteMinder, has been acquired by the CA. Ichain of Novell Corporation. RSA Company's Cleartrust and so on.
2, using the Portal product supplier own SSO products, such as: Bea's WLES,IBM Tivoli Access Manager,sun Company's identity Server,oracle Company's OID and so on.
3, these commercial software is generally applicable to the customer demand for SSO is very high, and the enterprise uses COTS software such as: Domino,sap,sieble of the system more than the case. and combine identity management. Unified certification and other projects adopted. The use of these software is generally to be integrated with the system to do some modification, such as the system to be integrated to install agent. Now generally only provides common software such as: domino,sap,sieble, Common Application Server: Weblogic,websphere and so on agent. To unify the certification of these systems first. LDAP or database is generally used. Then SSO can be implemented. More trouble.
4, open source products mainly include:
josso:http://www.josso.org/
opensso:https://opensso.dev.java.net/
