
CAS Explained in One Article

Understanding what the Central Authentication Service (CAS) is

CAS is a web single sign-on / single sign-out protocol: it lets a user log in once and then access every participating application. The CAS protocol is ticket-based (simple and powerful).

CAS server: authenticates users and grants them access to services.

CAS client: usually integrated into the web application; it talks to the CAS server over the CAS protocol and is responsible for retrieving the identity of a user that the CAS server has already authenticated.

service ticket: an opaque string issued by the CAS server that the client presents as a credential to obtain access to a service. It is not an encrypted payload; it carries no user data itself and is only a random reference to state held on the CAS server.

CAS is an HTTP-based protocol, so each of its components must be reachable at a URL. The endpoints are listed below.

| URI | Description |
| --- | --- |
| <code>/login</code> | credential requestor / acceptor |
| <code>/logout</code> | destroy CAS session (logout) |
| <code>/validate</code> | service ticket validation [CAS 1.0] |
| <code>/serviceValidate</code> | service ticket validation [CAS 2.0] |
| <code>/proxyValidate</code> | service/proxy ticket validation [CAS 2.0] |
| <code>/proxy</code> | proxy ticket service [CAS 2.0] |
| <code>/p3/serviceValidate</code> | service ticket validation [CAS 3.0] |
| <code>/p3/proxyValidate</code> | service/proxy ticket validation [CAS 3.0] |

/login, simple login example: the <code>service</code> query parameter is the URL of the application, and its value MUST be URL-encoded. In this example <code>service</code> is <code>http://www.example.org/service</code>, so it is sent as <code>service=http%3A%2F%2Fwww.example.org%2Fservice</code>. Once the CAS server has authenticated the user, it redirects the browser to this URL with the service ticket in the <code>ticket</code> query parameter.

/logout destroys a client’s single sign-on CAS session. The ticket-granting cookie is destroyed, and subsequent requests to <code>/login</code> will not obtain service tickets until the user again presents primary credentials (and thereby establishes a new single sign-on session).

/validate [CAS 1.0] checks the validity of a service ticket. <code>/validate</code> is part of the CAS 1.0 protocol and thus does not handle proxy authentication. CAS MUST respond with a ticket validation failure response when a proxy ticket is passed to <code>/validate</code>.

/serviceValidate [CAS 2.0] checks the validity of a service ticket and returns an XML-fragment response. <code>/serviceValidate</code> MUST also generate and issue proxy-granting tickets when requested. <code>/serviceValidate</code> MUST NOT return a successful authentication if it receives a proxy ticket. It is RECOMMENDED that if <code>/serviceValidate</code> receives a proxy ticket, the error message in the XML response SHOULD explain that validation failed because a proxy ticket was passed to <code>/serviceValidate</code>.

/proxyValidate [CAS 2.0] MUST perform the same validation tasks as <code>/serviceValidate</code> and additionally validate proxy tickets. <code>/proxyValidate</code> MUST be capable of validating both service tickets and proxy tickets.

/proxy [CAS 2.0] provides proxy tickets to services that have acquired proxy-granting tickets and will be proxying authentication to back-end services.

/p3/serviceValidate [CAS 3.0] MUST perform the same validation tasks as <code>/serviceValidate</code> and additionally return user attributes in the CAS response.

/p3/proxyValidate [CAS 3.0] MUST perform the same validation tasks as <code>/p3/serviceValidate</code> and additionally validate proxy tickets.
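As an added example (not code from the original article or from the CAS project), the following Python sketch enforces the rules the endpoint descriptions above assign to the three validation endpoints: a ticket is an opaque random string bound to one service, consumed on its first validation attempt whether or not that attempt succeeds, and expires after a short lifetime; proxy tickets fail at <code>/validate</code> and <code>/serviceValidate</code> but pass at <code>/proxyValidate</code>. The <code>ST-</code>/<code>PT-</code> prefixes are the ones the protocol mandates; the class and method names, the 300-second lifetime and the error messages are assumptions of this sketch.

```python
import secrets
import time
from dataclasses import dataclass
from xml.sax.saxutils import escape

CAS_NS = "http://www.yale.edu/tp/cas"
ST_LIFETIME_SECONDS = 300  # assumed value; the protocol only requires tickets to be short-lived


@dataclass
class Ticket:
    user: str
    service: str
    issued_at: float


class TicketRegistry:
    """Server-side state behind the validation endpoints (assumed structure, not the CAS project's)."""

    def __init__(self, clock=time.time):
        self._tickets = {}
        self._clock = clock

    def issue(self, user, service, proxy=False):
        # Opaque ticket: a random key into server state, nothing about the user is encoded in it.
        ticket_id = ("PT-" if proxy else "ST-") + secrets.token_urlsafe(32)
        self._tickets[ticket_id] = Ticket(user, service, self._clock())
        return ticket_id

    def _consume(self, ticket_id, service, allow_proxy):
        """Shared check. Returns (user, None) on success or (None, (code, message)) on failure.
        The ticket is removed on every attempt, successful or not: single use."""
        if ticket_id.startswith("PT-") and not allow_proxy:
            self._tickets.pop(ticket_id, None)
            return None, ("INVALID_TICKET", "proxy ticket passed to a service-ticket-only endpoint")
        ticket = self._tickets.pop(ticket_id, None)
        if ticket is None:
            return None, ("INVALID_TICKET", f"Ticket {ticket_id} not recognized")
        if self._clock() - ticket.issued_at > ST_LIFETIME_SECONDS:
            return None, ("INVALID_TICKET", f"Ticket {ticket_id} expired")
        if ticket.service != service:
            # Binding to one service stops a ticket leaked from app A from being replayed at app B.
            return None, ("INVALID_SERVICE", f"Ticket {ticket_id} was not issued for {service}")
        return ticket.user, None

    def validate(self, ticket_id, service):
        """/validate [CAS 1.0]: plain-text body, proxy tickets always rejected."""
        user, err = self._consume(ticket_id, service, allow_proxy=False)
        return f"yes\n{user}\n" if err is None else "no\n\n"

    def service_validate(self, ticket_id, service):
        """/serviceValidate [CAS 2.0]: XML body, proxy tickets always rejected."""
        return self._xml(*self._consume(ticket_id, service, allow_proxy=False))

    def proxy_validate(self, ticket_id, service):
        """/proxyValidate [CAS 2.0]: same checks, but proxy tickets are accepted."""
        return self._xml(*self._consume(ticket_id, service, allow_proxy=True))

    @staticmethod
    def _xml(user, err):
        if err is None:
            body = f"<cas:authenticationSuccess><cas:user>{escape(user)}</cas:user></cas:authenticationSuccess>"
        else:
            code, msg = err
            body = f'<cas:authenticationFailure code="{code}">{escape(msg)}</cas:authenticationFailure>'
        return f"<cas:serviceResponse xmlns:cas='{CAS_NS}'>{body}</cas:serviceResponse>"
```

The point to take from the sketch is that every validation endpoint shares one consume step: the client never learns anything from the ticket string itself, and the server decides based on state it controls (service binding, age, first use).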

Further endpoints were added in CAS 3.0; interested readers can look them up on the official CAS site.

[Figure: CAS login flow diagram with numbered steps]

(Note: in step 6 of the figure, "from" should read "form".)

Below are examples of the response in step 3 and the request in step 4:

[Figure: example step 3 response and step 4 request]

The user submits the login credentials (username and password) directly to the CAS server, so the application itself never handles the password. The login request carries the <code>service</code> query parameter, which tells the CAS server which service is authenticating.

On success the CAS server redirects the browser back to the <code>service</code> URL with the service ticket in the <code>ticket</code> query parameter. The CAS client must validate this ticket in the following step; on its own the ticket string proves nothing.

The CAS client validates the service ticket (ST) against the CAS server's <code>/serviceValidate</code> endpoint. The request is a server-to-server GET with the <code>service</code> and <code>ticket</code> query parameters; the <code>service</code> value must be identical to the one passed to <code>/login</code>, otherwise validation fails.

The CAS server answers <code>/serviceValidate</code> with an XML document. On success it contains <code>&lt;cas:authenticationSuccess&gt;</code> with the authenticated username in <code>&lt;cas:user&gt;</code>; the CAS 3.0 <code>/p3/serviceValidate</code> endpoint additionally returns user attributes in <code>&lt;cas:attributes&gt;</code>. On failure it contains <code>&lt;cas:authenticationFailure&gt;</code> with a <code>code</code> attribute (for example <code>INVALID_TICKET</code> for an unknown, expired or already-used ticket, or <code>INVALID_SERVICE</code> when the ticket was issued for a different service) and a human-readable message. A service ticket is valid for exactly one validation attempt, so a second <code>/serviceValidate</code> call with the same ticket fails even if the first succeeded.

The CAS client then redirects the browser to the page the user originally requested; in this example the target is carried in a <code>next</code> query parameter embedded in the <code>service</code> URL. <code>next</code> is an application convention, not part of the CAS protocol, and it should be restricted to same-site paths so that it cannot be abused as an open redirect.

The CAS client also sets a session cookie in the browser so that the application has its own session. The browser sends this cookie on subsequent requests to show that the user is logged in.

In step 14 the CAS client validates that session cookie instead of contacting the CAS server again.
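The client side of the flow described above, as an added example that is not code from the original article or from any CAS client library: building the <code>/login</code> redirect with a URL-encoded <code>service</code>, reading the <code>ticket</code> from the redirect back, building the <code>/serviceValidate</code> request, parsing the XML response, choosing a safe <code>next</code> target, and issuing and checking the application's own session cookie for step 14. The CAS base URL, the service URL, the cookie secret and the sample XML responses are constructed for illustration, and the HMAC-signed cookie is one common application-side choice, not something the CAS protocol prescribes.

```python
import base64
import hashlib
import hmac
import time
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlparse

CAS_NS = "http://www.yale.edu/tp/cas"
CAS_BASE = "https://cas.example.org/cas"                   # assumed CAS server base URL
SERVICE = "https://app.example.org/login?next=/dashboard"  # assumed application (service) URL
SESSION_SECRET = b"replace-with-a-random-32-byte-key"      # assumed; load from config in practice
SESSION_LIFETIME = 3600                                    # seconds, assumed


def build_login_url(service=SERVICE):
    """Where the client sends an unauthenticated browser. urlencode percent-encodes
    ':' '/' '?' and '=' inside the service URL, as the protocol requires."""
    return f"{CAS_BASE}/login?{urlencode({'service': service})}"


def extract_ticket(location):
    """The CAS server sends the browser back to `service` with ?ticket=ST-...;
    read it from that URL. Returns None when no ticket is present."""
    return parse_qs(urlparse(location).query).get("ticket", [None])[0]


def build_validate_url(ticket, service=SERVICE):
    """Server-to-server GET. `service` must be identical to the value sent to /login."""
    return f"{CAS_BASE}/serviceValidate?{urlencode({'service': service, 'ticket': ticket})}"


def parse_validation_response(xml_text):
    """Return (user, attributes) on success; raise ValueError(code) on failure.
    The identity comes only from this server-side response, never from the browser."""
    root = ET.fromstring(xml_text)
    success = root.find(f"{{{CAS_NS}}}authenticationSuccess")
    if success is None:
        failure = root.find(f"{{{CAS_NS}}}authenticationFailure")
        raise ValueError(failure.get("code") if failure is not None else "UNKNOWN")
    user = success.findtext(f"{{{CAS_NS}}}user")
    attrs = {}
    attr_el = success.find(f"{{{CAS_NS}}}attributes")  # present in CAS 3.0 /p3/ responses
    if attr_el is not None:
        for child in attr_el:
            attrs[child.tag.split("}", 1)[1]] = (child.text or "").strip()
    return user, attrs


def safe_next(service=SERVICE, default="/"):
    """Post-login destination. `next` is an application convention, not CAS; only
    same-site relative paths are accepted, which closes the open-redirect hole."""
    nxt = parse_qs(urlparse(service).query).get("next", [default])[0]
    if nxt.startswith("/") and not nxt.startswith(("//", "/\\")):
        return nxt
    return default


def make_session_cookie(user, now=None):
    """Issued after a successful validation: base64(user|expiry).hmac-sha256."""
    now = time.time() if now is None else now
    payload = base64.urlsafe_b64encode(f"{user}|{int(now + SESSION_LIFETIME)}".encode()).decode()
    sig = hmac.new(SESSION_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{sig}"


def verify_session_cookie(value, now=None):
    """Step 14: recompute the MAC (constant-time compare), then check expiry.
    Returns the user name, or None for a missing, tampered or expired cookie."""
    now = time.time() if now is None else now
    try:
        payload, sig = value.rsplit(".", 1)
    except ValueError:
        return None
    expected = hmac.new(SESSION_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    user, expiry = base64.urlsafe_b64decode(payload).decode().rsplit("|", 1)
    return user if int(expiry) >= now else None


# Constructed sample responses in the protocol's XML format (not captured from a real server).
SAMPLE_SUCCESS = f"""<cas:serviceResponse xmlns:cas='{CAS_NS}'>
  <cas:authenticationSuccess>
    <cas:user>alice</cas:user>
    <cas:attributes><cas:email>alice@example.org</cas:email></cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

SAMPLE_FAILURE = f"""<cas:serviceResponse xmlns:cas='{CAS_NS}'>
  <cas:authenticationFailure code="INVALID_TICKET">
    Ticket ST-0000-constructed not recognized
  </cas:authenticationFailure>
</cas:serviceResponse>"""
```

In a real client the only network call is the GET built by <code>build_validate_url</code>, made from the application server over TLS; the browser is never asked for the validation result, and the session cookie is set only after <code>parse_validation_response</code> returns a user.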

That concludes the complete CAS flow example.