
Understanding CAS in One Article

Understanding what the Central Authentication Service (CAS) is

CAS is a web protocol for single sign-on and single sign-out: the user logs in once and can then access every participating application. The CAS protocol is ticket-based (simple and powerful).

CAS server: authenticates users and grants access to services.

CAS client: usually integrated into the web application; it talks to the CAS server over the CAS protocol and is responsible for obtaining the identity of a user the CAS server has already authenticated.

service ticket: an opaque, unguessable string issued by the CAS server and used by the client as a credential to obtain access to a service. It is bound to the service URL it was issued for and may be validated only once.

CAS is an HTTP-based protocol, so every one of its components must be reachable through a URL. The endpoints are as follows.

URI                    Description
/login                 credential requestor / acceptor
/logout                destroy CAS session (logout)
/validate              service ticket validation [CAS 1.0]
/serviceValidate       service ticket validation [CAS 2.0]
/proxyValidate         service/proxy ticket validation [CAS 2.0]
/proxy                 proxy ticket service [CAS 2.0]
/p3/serviceValidate    service ticket validation [CAS 3.0]
/p3/proxyValidate      service/proxy ticket validation [CAS 3.0]

/login Simple login example:

The <code>service</code> query parameter is the URL of the application the user wants to reach. This value MUST be URL-encoded; in this example <code>service</code> is <code>http://www.example.org/service</code>, which is sent as <code>http%3A%2F%2Fwww.example.org%2Fservice</code>. Once the CAS server has authenticated the user, it redirects the browser back to this URL with the service ticket in a <code>ticket</code> query parameter.

/logout destroys a client’s single sign-on CAS session. The ticket-granting cookie is destroyed, and subsequent requests to <code>/login</code> will not obtain service tickets until the user again presents primary credentials (and thereby establishes a new single sign-on session).

/validate [CAS 1.0] checks the validity of a service ticket. <code>/validate</code> is part of the CAS 1.0 protocol and thus does not handle proxy authentication. CAS MUST respond with a ticket validation failure response when a proxy ticket is passed to <code>/validate</code>.

/serviceValidate [CAS 2.0] checks the validity of a service ticket and returns an XML-fragment response. <code>/serviceValidate</code> MUST also generate and issue proxy-granting tickets when requested. <code>/serviceValidate</code> MUST NOT return a successful authentication if it receives a proxy ticket. It is RECOMMENDED that if <code>/serviceValidate</code> receives a proxy ticket, the error message in the XML response SHOULD explain that validation failed because a proxy ticket was passed to <code>/serviceValidate</code>.

/proxyValidate [CAS 2.0] MUST perform the same validation tasks as <code>/serviceValidate</code> and additionally validate proxy tickets. <code>/proxyValidate</code> MUST be capable of validating both service tickets and proxy tickets.

/proxy [CAS 2.0] provides proxy tickets to services that have acquired proxy-granting tickets and will be proxying authentication to back-end services.

/p3/serviceValidate [CAS 3.0] MUST perform the same validation tasks as <code>/serviceValidate</code> and additionally return user attributes in the CAS response.

/p3/proxyValidate [CAS 3.0] MUST perform the same validation tasks as <code>/p3/serviceValidate</code> and additionally validate proxy tickets.

The latest CAS 3.0 adds several more endpoints; interested readers can look them up on the CAS website.


(Note: in step 6 of the figure, "from" should read "form".)

Below are example responses for step 3 and the request in step 4:


The user submits the login credentials (username and password) directly to the CAS server. The request carries the <code>service</code> query parameter so that the CAS server knows which service the authentication is for.

On success the CAS server redirects the browser to that <code>service</code> URL with the service ticket in the <code>ticket</code> query parameter. The ticket is short-lived (the specification recommends that unvalidated tickets expire within five minutes) and valid for one validation attempt only, so the CAS client must validate <code>ticket</code> in the following step before trusting it.

Below is an example response

The CAS client must validate the service ticket (ST) through the CAS server's <code>/serviceValidate</code> API.

The request is a GET request with the <code>service</code> and <code>ticket</code> query parameters. The <code>service</code> value must be identical to the one sent to <code>/login</code>; the CAS server rejects a ticket presented for a different service.

Below is an example request:

The CAS server answers the <code>/serviceValidate</code> request with an XML response. If validation succeeds, the response carries the authenticated username in <code>cas:user</code> (with CAS 3.0, <code>/p3/serviceValidate</code> additionally returns user attributes); if it fails, the response carries an <code>authenticationFailure</code> element with an error code.

Below is an example of <code>/serviceValidate</code> ticket validation successful XML response:

Below is an example of <code>/serviceValidate</code> ticket validation failure XML response:
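The exchange described in the steps above (the /login example with its URL-encoded service parameter, the redirect carrying the ticket, and the /serviceValidate success and failure responses), as an added example that is not part of the original post or of any CAS implementation: a toy in-memory CAS server next to a CAS client, both in Python. The hostnames cas.example.org and www.example.org, the users alice and bob, the ST- ticket prefix and the constructed CAS 3.0 response are assumptions for illustration.

```python
"""Added example (not code from the original post): a toy CAS 2.0/3.0 ticket
exchange with both sides, a minimal in-memory CAS server and a CAS client.
Hostnames, usernames and the ticket format are illustrative assumptions."""
import secrets
import time
from collections import namedtuple
from urllib.parse import urlencode, urlparse, parse_qs
from xml.sax.saxutils import escape
import xml.etree.ElementTree as ET

CAS_NS = "http://www.yale.edu/tp/cas"   # namespace of CAS 2.0/3.0 XML responses
ST_LIFETIME = 300                        # spec recommends expiring unvalidated STs within 5 minutes

CasResult = namedtuple("CasResult", "ok user attributes code message")


def _failure(code, message):
    return (f'<cas:serviceResponse xmlns:cas="{CAS_NS}">'
            f'<cas:authenticationFailure code="{code}">{escape(message)}</cas:authenticationFailure>'
            "</cas:serviceResponse>")


class ToyCasServer:
    """Issues one-time service tickets bound to a service URL and answers /serviceValidate."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._tickets = {}   # ticket -> (service, username, issued_at)

    def login(self, service, username):
        """Credentials accepted: return the redirect URL that carries the ST back to the service."""
        ticket = "ST-" + secrets.token_urlsafe(24)   # opaque and unguessable; not encrypted data
        self._tickets[ticket] = (service, username, self._clock())
        sep = "&" if urlparse(service).query else "?"
        return f"{service}{sep}" + urlencode({"ticket": ticket})

    def service_validate(self, service, ticket):
        """Body CAS returns for GET /serviceValidate?service=...&ticket=..."""
        entry = self._tickets.pop(ticket, None)   # pop: a ticket validates at most once
        if entry is None:
            return _failure("INVALID_TICKET", f"Ticket '{ticket}' not recognized")
        bound_service, username, issued_at = entry
        if self._clock() - issued_at > ST_LIFETIME:
            return _failure("INVALID_TICKET", f"Ticket '{ticket}' has expired")
        if bound_service != service:   # exact match; a prefix match would let one app replay another's ST
            return _failure("INVALID_SERVICE", "Ticket was issued for a different service")
        return (f'<cas:serviceResponse xmlns:cas="{CAS_NS}"><cas:authenticationSuccess>'
                f"<cas:user>{escape(username)}</cas:user>"
                "</cas:authenticationSuccess></cas:serviceResponse>")


# ---- CAS client side ----
def build_login_url(cas_base, service):
    """Step 1: urlencode percent-encodes the service URL (':' -> %3A, '/' -> %2F)."""
    return f"{cas_base}/login?" + urlencode({"service": service})


def ticket_from_callback(callback_url):
    """After login CAS redirects to service?ticket=ST-...; pull the ticket out."""
    return parse_qs(urlparse(callback_url).query).get("ticket", [None])[0]


def parse_service_response(xml_text):
    """Parse a /serviceValidate or /p3/serviceValidate body into a CasResult."""
    root = ET.fromstring(xml_text)
    ns = {"cas": CAS_NS}
    ok = root.find("cas:authenticationSuccess", ns)
    if ok is not None:
        attrs_el = ok.find("cas:attributes", ns)   # present only in CAS 3.0 (/p3/) responses
        attrs = {} if attrs_el is None else {
            a.tag.split("}", 1)[1]: (a.text or "").strip() for a in attrs_el}
        return CasResult(True, ok.findtext("cas:user", namespaces=ns), attrs, None, None)
    fail = root.find("cas:authenticationFailure", ns)
    if fail is None:
        return CasResult(False, None, {}, "MALFORMED", "no success or failure element")
    return CasResult(False, None, {}, fail.get("code", "UNKNOWN"), (fail.text or "").strip())


# Constructed CAS 3.0 success response (assumed content), as /p3/serviceValidate would return it
SAMPLE_P3_SUCCESS = f"""<cas:serviceResponse xmlns:cas="{CAS_NS}">
  <cas:authenticationSuccess>
    <cas:user>alice</cas:user>
    <cas:attributes>
      <cas:email>alice@example.org</cas:email>
      <cas:memberOf>staff</cas:memberOf>
    </cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""


def run_flow(service="http://www.example.org/service", cas_base="https://cas.example.org/cas"):
    """Walk the exchange once and return the observable outcomes."""
    server = ToyCasServer()
    login_url = build_login_url(cas_base, service)                # step 1: browser is sent to CAS
    callback = server.login(service, "alice")                     # CAS redirects back with the ST
    ticket = ticket_from_callback(callback)
    first = parse_service_response(server.service_validate(service, ticket))    # client validates ST
    replay = parse_service_response(server.service_validate(service, ticket))   # same ST again: fails
    other = ToyCasServer()
    t2 = ticket_from_callback(other.login(service, "bob"))
    wrong_service = parse_service_response(other.service_validate(service + "/x", t2))
    return {"login_url": login_url, "ticket": ticket, "first": first,
            "replay": replay, "wrong_service": wrong_service}


if __name__ == "__main__":
    out = run_flow()
    print(out["login_url"])
    print("first:", out["first"].ok, out["first"].user)
    print("replay:", out["replay"].code, "| wrong service:", out["wrong_service"].code)
```

Three client-side details in this block are the ones that go wrong in practice: the <code>service</code> string sent to <code>/serviceValidate</code> is the client's own configured URL, never something read back from the callback; the identity comes only from <code>cas:user</code> in the XML, never from the callback URL; and a ticket that validates once must not validate again, which is why the toy server removes it on first use.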

The CAS client then redirects the browser according to the <code>next</code> query parameter carried inside the <code>service</code> URL. (<code>next</code> is the application's own convention, not part of the CAS protocol, so the client must check it before following it.)

The CAS client also sets a cookie in the browser to hold the application session; it should be marked <code>HttpOnly</code> and <code>Secure</code>, since whoever holds it is logged in.

The browser sends this cookie in the request headers of later requests to show that the user is logged in.

In step 14, the CAS client must validate the session cookie on every request rather than trusting its presence.
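After ticket validation the client owns the session. The following added example (Python; not code from the original post or from any CAS library) shows one way to issue the session cookie, verify it on later requests as in step 14, and check the application's <code>next</code> parameter before redirecting to it. The cookie name, the HMAC secret, the lifetime and the backslash check are assumptions for illustration.

```python
"""Added example (not code from the original post): the CAS client's own session
cookie after a successful ticket validation, plus a check of the application's
`next` redirect parameter.  Cookie name, secret and lifetime are assumptions."""
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import urlparse

COOKIE_NAME = "app_session"   # assumed name
SESSION_LIFETIME = 3600       # seconds; the app session, independent of the CAS SSO session


def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_session_cookie(username, secret, now=None):
    """Build <payload>.<hmac>: the MAC stops a client forging a user or extending the expiry."""
    now = time.time() if now is None else now
    payload = _b64(json.dumps({"sub": username, "exp": int(now + SESSION_LIFETIME)}).encode())
    mac = hmac.new(secret, payload.encode(), hashlib.sha256).digest()
    return f"{payload}.{_b64(mac)}"


def set_cookie_header(value):
    """Value of the Set-Cookie header sent with the redirect after validation."""
    return f"{COOKIE_NAME}={value}; Path=/; HttpOnly; Secure; SameSite=Lax"


def verify_session_cookie(cookie, secret, now=None):
    """Step 14: return the username for a valid, unexpired cookie, otherwise None."""
    now = time.time() if now is None else now
    if not isinstance(cookie, str):
        return None
    try:
        payload, mac = cookie.split(".", 1)
        expected = hmac.new(secret, payload.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(mac)):   # constant-time comparison
            return None
        claims = json.loads(_unb64(payload))
    except (ValueError, TypeError):
        return None
    if claims.get("exp", 0) < now:
        return None
    return claims.get("sub")


def safe_redirect_target(next_value, default="/"):
    """Follow `next` only if it is a relative path on this site: no scheme, no host,
    no protocol-relative '//' form and no backslash (browsers treat '/\\' like '//')."""
    if not next_value or not next_value.startswith("/") or next_value.startswith("//"):
        return default
    if "\\" in next_value:
        return default
    parsed = urlparse(next_value)
    if parsed.scheme or parsed.netloc:
        return default
    return next_value


if __name__ == "__main__":
    key = b"change-me"   # assumed secret; in practice load it from configuration
    cookie = issue_session_cookie("alice", key)
    print(set_cookie_header(cookie))
    print("step 14 ->", verify_session_cookie(cookie, key))
    print(safe_redirect_target("/dashboard"), safe_redirect_target("//evil.example"))
```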

That completes the example of the CAS flow.