Using CAs to implement PHP single sign-on

Source: Internet
Author: User
Tags: cas, md5, encryption

A few recent projects required single sign-on. The clients include Java, Ruby and PHP: the Java side has several applications, and the PHP side is Discuz + SupeSite + UCenter. The configuration steps are as follows:

1. CAS server: download from http://downloads.jasig.org/cas/. There are many versions of the CAS server and client, and the latest version differs greatly from the old ones. Unzip cas-server-3.4.4-release.zip, rename cas-server-webapp-3.4.4.war under the modules directory to cas.war, copy it to Tomcat's webapps directory and start Tomcat. Accessing http://localhost:8080/cas/login should show the login page.

By default the CAS server authenticates any user whose user name equals the password, and it requires HTTPS, which means configuring a certificate for Tomcat. This setup does not use HTTPS; if you want HTTPS authentication, see:

http://blog.csdn.net/haydenwang8287/archive/2010/07/26/5765941.aspx

1.1. If HTTPS is not used, the server side needs the following configuration

1. cas\WEB-INF\deployerConfigContext.xml

<bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"
    p:httpClient-ref="httpClient"/>

Add the parameter p:requireSecure="false". It controls whether HTTPS is required for the service callback; false means it is not. After adding it the bean looks like this:

<bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"
    p:httpClient-ref="httpClient" p:requireSecure="false"/>

2. cas\WEB-INF\spring-configuration\ticketGrantingTicketCookieGenerator.xml

<bean id="ticketGrantingTicketCookieGenerator" class="org.jasig.cas.web.support.CookieRetrievingCookieGenerator"
    p:cookieSecure="true"
    p:cookieMaxAge="-1"
    p:cookieName="CASTGC"
    p:cookiePath="/cas"/>

The parameter p:cookieSecure="true" relates to HTTPS: true means the ticket-granting cookie is only sent over HTTPS, false means it is also sent over plain HTTP. Set it to false when HTTPS is not used.

The parameter p:cookieMaxAge="-1" is simply the maximum lifetime of the cookie. -1 means a session cookie: it lives only in the currently open IE window, and closing IE or opening another window will require logging in again. It can be changed to a number greater than 0 as needed, for example 3600, which means that within 3600 seconds any IE window you open does not need to log in again.

1.2. Server-side logout: http://localhost:8080/cas/logout
If you want to return to the application after logging out, you need to configure

the server-side cas-servlet.xml:

<bean id="logoutController" class="org.jasig.cas.web.LogoutController" ... />

Add the property p:followServiceRedirects="true".

The logout link is then: http://localhost:8080/cas/logout?service=http://localhost:8080/Casclient/index.jsp

1.3. Change the server-side authentication method to database authentication:

Modify deployerConfigContext.xml and add a DBCP connection pool (Oracle as the example):

<bean id="casDataSource" class="org.apache.commons.dbcp.BasicDataSource">
    <property name="driverClassName">
        <value>oracle.jdbc.driver.OracleDriver</value>
    </property>
    <property name="url">
        <value>jdbc:oracle:thin:@192.168.18.26:1521:orcl</value>
    </property>
    <property name="username">
        <value>test</value>
    </property>
    <property name="password">
        <value>test</value>
    </property>
</bean>

The required jars are (see attachment): cas-server-support-jdbc-3.4.4.jar, commons-dbcp-1.2.1.jar, commons-pool-1.3.jar, ojdbc14_g.jar

Configure the password encoder. CAS has a built-in MD5 encoder; you can also write your own encryption class by implementing the org.jasig.cas.authentication.handler.PasswordEncoder interface:

<bean id="passwordEncoder"
    class="org.jasig.cas.authentication.handler.DefaultPasswordEncoder" autowire="byName">
    <constructor-arg value="MD5"/>
</bean>

Comment out the default authentication handler and use database query validation instead:

<property name="authenticationHandlers">
    <list>
        <!-- comment out the default authentication handler here and use QueryDatabaseAuthenticationHandler instead -->
        <!--
        <bean
            class="org.jasig.cas.authentication.handler.support.SimpleTestUsernamePasswordAuthenticationHandler"/>
        -->

        <bean class="org.jasig.cas.adaptors.jdbc.QueryDatabaseAuthenticationHandler">
            <property name="dataSource" ref="casDataSource"/>
            <property name="sql"
                value="select password from userinfo where lower(username) = lower(?)"/>
            <property name="passwordEncoder" ref="passwordEncoder"/>
        </bean>
    </list>
</property>
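As an added example (not part of the original post and not CAS code), the following Python models what the handler above does: the stored hash must be the lowercase hex MD5 that DefaultPasswordEncoder("MD5") produces, the username is bound as a query parameter, and the case-insensitive match comes from the lower() in the SQL. The in-memory SQLite table and its users are constructed stand-ins for the Oracle userinfo table; the constant-time comparison is my choice, not what CAS 3.4 does.

```python
import hashlib
import hmac
import sqlite3


def default_password_encoder_md5(password: str) -> str:
    # Same output as CAS's DefaultPasswordEncoder("MD5"): the digest of the
    # password bytes as lowercase hex (UTF-8 assumed here; CAS uses the JVM
    # default charset). Stored hashes must be in exactly this form.
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def make_userinfo_db() -> sqlite3.Connection:
    # Constructed in-memory stand-in for the Oracle "userinfo" table.
    conn = sqlite3.connect(":memory:")
    conn.execute("create table userinfo (username text, password text)")
    conn.executemany(
        "insert into userinfo values (?, ?)",
        [
            ("Test", default_password_encoder_md5("test")),
            # Stored as uppercase hex: the right password will never match,
            # because the handler compares the encoded strings literally.
            ("Upper", default_password_encoder_md5("test").upper()),
        ],
    )
    return conn


def query_database_authenticate(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # The page's SQL, with the username bound as a parameter, never concatenated.
    row = conn.execute(
        "select password from userinfo where lower(username) = lower(?)", (username,)
    ).fetchone()
    if row is None:
        return False  # unknown user
    # CAS 3.4 uses a plain string equals; a constant-time compare is used here.
    return hmac.compare_digest(row[0], default_password_encoder_md5(password))
```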

--------------- Here the CAS server configuration is complete.

2. Java client configuration. Download the client from http://downloads.jasig.org/cas-clients/; the latest version at the time of writing is cas-client-3.2.0.

Copy the jars under modules into the lib directory of the Java client Casclient1 and configure the filters in web.xml as follows (see attachment for details):

<?xml version="1.0" encoding="UTF-8"?>
<web-app version="2.4"
    xmlns="http://java.sun.com/xml/ns/j2ee"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
    http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">

<!-- for single sign-out: enables single logout, notifying the other apps of the logout -->

<listener>
<listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
</listener>

<!-- this filter is used for single sign-out; optional configuration -->

<filter>
<filter-name>cas filter</filter-name>
<filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>cas filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>


<!-- this filter is responsible for authenticating the user; it must be enabled -->
<filter>
<filter-name>CASFilter</filter-name>
<filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
<init-param>
<param-name>casServerLoginUrl</param-name>
<param-value>http://192.168.18.8:8080/cas/login</param-value>
<!-- the host here is the CAS server's IP -->
</init-param>
<init-param>
<param-name>serverName</param-name>
<param-value>http://192.168.18.8:8989</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>CASFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>

<!-- this filter is responsible for validating the ticket; it must be enabled -->
<filter>
<filter-name>cas Validation filter</filter-name>
<filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
<init-param>
<param-name>casServerUrlPrefix</param-name>
<param-value>http://192.168.18.8:8080/cas</param-value>
</init-param>
<init-param>
<param-name>serverName</param-name>
<param-value>http://192.168.18.8:8989</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>cas Validation filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>

<!--
This filter wraps the HttpServletRequest so that, for example, developers can call
HttpServletRequest.getRemoteUser() to get the SSO user's login name; optional configuration.
-->
<filter>
<filter-name>cas HttpServletRequest Wrapper filter</filter-name>
<filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>cas HttpServletRequest Wrapper filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>

<filter>
<filter-name>cas Assertion Thread Local filter</filter-name>
<filter-class>org.jasig.cas.client.util.AssertionThreadLocalFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>cas Assertion Thread Local filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>


<welcome-file-list>
<welcome-file>index.jsp</welcome-file>
</welcome-file-list>
</web-app>

The page is:

<%@ page import="org.jasig.cas.client.authentication.AttributePrincipal" %>
<%
    // the wrapper filter above makes the CAS principal available through the servlet API
    AttributePrincipal principal = (AttributePrincipal) request.getUserPrincipal();
    String username = principal.getName();
%>
<br/>----------------------------------------------------------<br/>
User name: <%=username%><br/>
<a href="http://localhost:8989/Casclient2/index.jsp">enter client 2</a><br/>

<a href="http://localhost:8080/cas/logout?service=http://localhost:8989/Casclient1/index.jsp">Exit</a><br/>

----------- Here the Java client configuration is complete. Deploy it to Tomcat, copy Casclient1 and rename the copy Casclient2, then start Tomcat.

Access Casclient1: it redirects to the login page, and after a successful login shows the login success page. Then access Casclient2 and you will find that it shows the login success page without asking you to log in again. Java single sign-on succeeded.

3. Configure the PHP client. Download the PHP client from http://downloads.jasig.org/cas-clients/php/.

Create a new PHP project Phpcasclient1 and copy the CAS folder and CAS.php into it. Then copy docs/examples/example_simple.php

into the Apache directory and modify it as follows:

<?php

//
// phpCAS simple client
//

// import phpCAS lib
include_once('CAS.php');

phpCAS::setDebug();

// initialize phpCAS
phpCAS::client(CAS_VERSION_2_0, '192.168.18.8', 8080, 'cas'); // note that the port number has no quotation marks
phpCAS::setNoCasServerValidation();

// force CAS authentication
phpCAS::forceAuthentication();

// at this step, the user has been authenticated by the CAS server
// and the user's login name can be read with phpCAS::getUser().

// logout if desired
if (isset($_REQUEST['logout'])) {

    $param = array("service" => "http://localhost/Phpcasclient1/example_simple.php"); // return here after logging out

    phpCAS::logout($param);
}

// for this test, simply print that the authentication was successful
?>

Note: if the server is configured for HTTP, you need to replace https with http in CAS/client.php (about four places; I can't remember exactly), or you will get the error:

CAS Authentication failed!

You were not authenticated.

You may submit your request again by clicking.

If the problem persists, contact the administrator for this site.

............................


<title>phpCAS simple client</title>
<body>
<p>the user's login is <b><?php echo phpCAS::getUser(); ?></b>.</p>
<p>phpCAS version is <b><?php echo phpCAS::getVersion(); ?></b>.</p>
<p><a href="http://192.168.18.8:8989/Casclient1/index.jsp">Go to Java client 1</a></p>
<p><a href="?logout=">Exit</a></p>
</body>

PHP needs the php_curl extension enabled. Copy Phpcasclient1 to Phpcasclient2.

Access http://localhost/Phpcasclient1/example_simple.php: it redirects to the login page. After logging in, access Phpcasclient2 and no login is needed.

PHP single sign-on succeeded. Then access the Java client again and you will find that it also needs no login: single sign-on between the PHP and Java applications succeeded.

Note: the server address in phpCAS::client(CAS_VERSION_2_0, '192.168.18.8', 8080, 'cas'); must be the same as the CAS server address in the Java web.xml. At first I wrote the IP 192.168.18.8 in one and localhost in the other,

and PHP and Java could never share a login, which depressed me for a long time.

---------------- Here the Java and PHP clients are configured. Now you will find that PHP and Java do not single-logout properly: logging out on the PHP side also logs the Java client out, but logging out from Java does not log PHP out.

Here you need one more change. In example_simple.php, where it reads

phpCAS::setNoCasServerValidation();

// force CAS authentication
phpCAS::forceAuthentication();

add a call to phpCAS::handleLogoutRequests() so that it becomes

phpCAS::setNoCasServerValidation();

// force CAS authentication

phpCAS::handleLogoutRequests(); // detects the logout notification the CAS server sends when the Java side logs out, so PHP and Java logout stay in sync

phpCAS::forceAuthentication();
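To show what phpCAS::handleLogoutRequests() (and SingleSignOutFilter on the Java side) has to do with that notification, here is an added Python model; it is not phpCAS code and not part of the original post. The CAS server POSTs a SAML LogoutRequest whose SessionIndex is the service ticket, so the client must have kept a ticket-to-session mapping from validation time or it has nothing to invalidate. The logout message, session ids and user names are constructed samples.

```python
import xml.etree.ElementTree as ET
from typing import Optional

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed sample of the message the CAS server POSTs (parameter name
# "logoutRequest") to each service that validated a ticket in the session
# being destroyed. The SessionIndex carries that service ticket.
SAMPLE_LOGOUT_REQUEST = (
    '<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_constructed-id-1" Version="2.0" IssueInstant="2010-08-01T10:00:00Z">'
    '<saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">@NOT_USED@</saml:NameID>'
    "<samlp:SessionIndex>ST-12-constructed-example</samlp:SessionIndex>"
    "</samlp:LogoutRequest>"
)


class SessionStore:
    def __init__(self):
        self.sessions = {}            # session id -> username
        self.ticket_to_session = {}   # service ticket -> session id

    def login(self, ticket: str, session_id: str, username: str) -> None:
        # Call right after the ticket validated against /cas/serviceValidate;
        # without this mapping a later logout notification matches no session.
        self.sessions[session_id] = username
        self.ticket_to_session[ticket] = session_id

    def is_logged_in(self, session_id: str) -> bool:
        return session_id in self.sessions

    def handle_logout_request(self, post_params: dict) -> Optional[str]:
        # Returns the invalidated session id, or None when the POST is not a
        # logout notification or names a ticket this app never saw (the CAS 2.0
        # message is not signed, so an unknown ticket is simply ignored).
        xml_text = post_params.get("logoutRequest")
        if not xml_text:
            return None
        try:
            root = ET.fromstring(xml_text)
        except ET.ParseError:
            return None
        if root.tag != f"{{{SAMLP}}}LogoutRequest":
            return None
        index = root.find(f"{{{SAMLP}}}SessionIndex")
        if index is None or not index.text:
            return None
        session_id = self.ticket_to_session.pop(index.text.strip(), None)
        if session_id is not None:
            self.sessions.pop(session_id, None)
        return session_id
```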

As for Discuz + SupeSite single sign-on: once you understand how PHP single sign-on works, you need to modify the Discuz + SupeSite login code, logging.php for Discuz

and batch.login.php for SupeSite. I do Java development and am not very familiar with PHP, so my modification does not feel very reliable. Basically I let Discuz do the single sign-on, get the user name, fetch the password from the database by that user name,

and hand it to Discuz's own login system to log in. Discuz validates by cookie, so Discuz does not log out after the Java side logs out.

If anyone has done this modification successfully, please share.

Reference URLs:

http://blog.csdn.net/DL88250/archive/2008/08/20/2799522.aspx

http://www.wsria.com/archives/1349

http://tonrenyuye.blog.163.com/blog/static/30012576200922925820471/

http://www.discuz.net/thread-1416206-1-1.ht
