1. 架构

http://jasig.github.io/cas/4.0.0/planning/Architecture.html

System Components

The CAS server and clients comprise the two physical components of the CAS system architecture that communicate by means of various protocols.

CAS Server

The CAS server is Java servlet built on the Spring Framework whose primary responsibility is to authenticate users and grant access to CAS-enabled services, commonly called CAS clients, by issuing and validating tickets. An SSO session is created when the server issues a ticket-granting ticket (TGT) to the user upon successful login. A service ticket (ST) is issued to a service at the user’s request via browser redirects using the TGT as a token. The ST is subsequently validated at the CAS server via back-channel communication. These interactions are described in great detail in the CAS Protocol document.

CAS Clients

The term “CAS client” has two distinct meanings in its common use. A CAS client is any CAS-enabled application that can communicate with the server via a supported protocol. A CAS client is also a software package that can be integrated with various software platforms and applications in order to communicate with the CAS server via some authentication protocol (e.g. CAS, SAML, OAuth). CAS clients supporting a number of software platforms and products have been developed.

Platforms:

Applications:

  • Outlook Web Application (ClearPass + .NET CAS Client)
  • Atlassian Confluence
  • Atlassian JIRA
  • Drupal
  • Liferay
  • uPortal

When the term “CAS client” appears in this manual without further qualification, it refers to the integration components such as the Jasig Java CAS Client rather than to the application relying upon (a client of) the CAS server.

Protocols

Clients communicate with the server by any of several supported protocols. All the supported protocols are conceptually similar, yet some have features or characteristics that make them desirable for particular applications or use cases. For example, the CAS protocol supports delegated (proxy) authentication, and the SAML protocol supports attribute release and single sign-out.

Supported protocols:

  • CAS (versions 1, 2, and 3)
  • SAML 1.1
  • OpenID
  • OAuth (1.0, 2.0)

Software Components

It is helpful to describe the CAS server in terms of three layered subsystems:

  • Web (Spring MVC/Spring Webflow)
  • Ticketing
  • Authentication

Almost all deployment considerations and component configuration involve those three subsystems. The Web tier is the endpoint for communication with all external systems including CAS clients. The Web tier delegates to the ticketing subsystem to generate tickets for CAS client access. The SSO session begins with the issuance of a ticket-granting ticket on successful authentication, thus the ticketing subsystem frequently delegates to the authentication subsystem.

The authentication system is typically only processing requests at the start of the SSO session, though there are other cases when it can be invoked (e.g. forced authentication).

2. 协议

http://jasig.github.io/cas/4.0.0/protocol/CAS-Protocol.html

The CAS protocol is a simple and powerful ticket-based protocol developed exclusively for CAS. A complete protocol specification may be found at http://www.jasig.org/cas/protocol.

It involves one or many clients and one server.
Clients are embedded in cassified applications (called “CAS services”) whereas the CAS server is a standalone component: - the CAS server is responsible for authenticating users and granting accesses to applications - the CAS clients protect the CAS applications and retrieve the identity of the granted users from the CAS server.

The key concepts are: - the TGT (Ticket Granting Ticket), stored in the CASTGC cookie, represents a SSO session for a user - the ST (Service Ticket), transmitted as a GET parameter in urls, stands for the access granted by the CAS server to the cassified application for a specific user.

Versions

The current CAS protocol is the version 3.0, implemented by the CAS server 4.0.
It’s mainly a capture of the most common enhancements built on top of the CAS protocol revision 2.0.
Among all features, the most noticable update between versions 2.0 and 3.0 is the ability to return the authentication/user attributes in the /serviceValidate response.

Web flow diagram

Proxy web flow diagram

One of the most powerful feature of the CAS protocol is the ability for a CAS service to act as a proxy for another CAS service, transmitting the user identity.

Other protocols

Even if the primary goal of the CAS server is to implement the CAS protocol, other protocols are also supported as extensions: - OpenID - OAuth - SAML


Delegated Authentication

Using the CAS protocol, the CAS server can also be configured to delegate the authentication to another CAS server.

3. 界面

http://jasig.github.io/cas/4.0.0/installation/User-Interface-Customization.html

Overview

Branding the CAS User Interface (UI) involves simply editing the CSS stylesheet and also a small collection of relatively simple JSP include files, also known as views. Optionally, you may also wish to modify the text displayed and/or add additional Javascript effects on these views.

All the files that we’ll be discussing in this section that concern the theme are located in and referenced from: /cas-server-webapp/src/main/webapp.

Browser Support

CAS user interface should properly and comfortably lend itself to all major browser vendors:

  • Google Chrome
  • Mozilla Firefox
  • Apple Safari
  • Microsoft Internet Explorer

Note that certain older version of IE, particularly IE 9 and below may impose additional difficulty in getting the right UI configuration in place.

Getting Started

CSS

The default styles are all contained in a single file located in css/cas.css. This location is set in WEB-INF/classes/cas-theme-default.properties. If you would like to create your own css/custom.css file, for example, you will need to update standard.custom.css.file key in that file.

standard.custom.css.file=/css/cas.css
cas.javascript.file=/js/cas.js

CSS per Locale

Selecting CSS files per enabled locale would involve changing the top.jsp file to include the below sample code:

<%
String cssFileName = "cas.css"; // default
Locale locale = request.getLocale(); if (locale != null && locale.getLanguage() != null){
String languageCssFileName = "cas_" + locale.getLanguage() + ".css";
cssFileName = languageCssFileName; //ensure this file exists
} %>
<link href="/path/to/css/<%=cssFileName%>" rel="stylesheet" type="text/css"/>

Responsive Design

CSS media queries bring responsive design features to CAS which would allow adopter to focus on one theme for all appropriate devices and platforms. These queries are defined in the same css/cas.css file. Below follows an example:

@media only screen and (max-width: 960px) {
footer { padding-left: 10px; }
} @media only screen and (max-width: 799px) {
header h1 { font-size: 1em; }
#login { float: none; width: 100%; }
#fm1 .row input[type=text],
#fm1 .row input[type=password] { width: 100%; padding: 10px; box-sizing: border-box; -webkit-box-sizing: border-box; -moz-box-sizing: border-box; }
#fm1 .row .btn-submit { outline: none; -webkit-appearance: none; -webkit-border-radius: 0; border: 0; background: #210F7A; color: white; font-weight: bold; width: 100%; padding: 10px 20px; -webkit-border-radius: 3px; -moz-border-radius: 3px; border-radius: 3px; }
#fm1 .row .btn-reset { display: none; }
#sidebar { margin-top: 20px; }
#sidebar .sidebar-content { padding: 0; }
}

Javascript

If you need to add some JavaScript, feel free to append js/cas.js.

You can also create your own custom.js file, for example, and call it from within WEB-INF/view/jsp/default/ui/includes/bottom.jsp like so:

<script type="text/javascript" src="<c:url value="/js/custom.js" />"></script>

If you are developing themes per service, each theme also has the ability to specify a custom cas.js file under thecas.javascript.file setting.

The following Javascript libraries are utilized by CAS automatically:

Preserving Anchor Fragments

Anchors/fragments may be lost across redirects as the server-side handler of the form post ignores the client-side anchor, unless appended to the form POST url. This is needed if you want a CAS-authenticated application to be able to use anchors/fragments when bookmarking.

Changes to cas.js

/**
* Prepares the login form for submission by appending any URI
* fragment (hash) to the form action in order to propagate it
* through the re-direct (i.e. store it client side).
* @param form The login form object.
* @returns true to allow the form to be submitted.
*/
function prepareSubmit(form) {
// Extract the fragment from the browser's current location.
var hash = decodeURIComponent(self.document.location.hash); // The fragment value may not contain a leading # symbol
if (hash && hash.indexOf("#") === -1) {
hash = "#" + hash;
} // Append the fragment to the current action so that it persists to the redirected URL.
form.action = form.action + hash;
return true;
}

Changes to Login Form

<form:form method="post" id="fm1" cssClass="fm-v clearfix"
commandName="${commandName}" htmlEscape="true"
onsubmit="return prepareSubmit(this);">

JSP

The default views are found at WEB-INF/view/jsp/default/ui/.

Notice top.jsp and bottom.jsp include files located in the ../includes directory. These serve as the layout template for the other JSP files, which get injected in between during compilation to create a complete HTML page.

The location of these JSP files are configured in WEB-INF/classes/default_views.properties.

Tag Libraries

The following JSP tag libraries are used by the user interface:

<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
<%@ taglib prefix="spring" uri="http://www.springframework.org/tags" %>
<%@ taglib prefix="form" uri="http://www.springframework.org/tags/form" %>
<%@ taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions" %>

Glossary of Views

  • casAccountDisabledView
    Specific to Password Policy Enforcement; displayed in the event that authentication encounters an account that is disabled in the underlying account store (i.e. LDAP)

  • casAccountLockedView
    Specific to Password Policy Enforcement; displayed in the event that authentication encounters an account that is locked in the underlying account store (i.e. LDAP)

  • casBadHoursView
    Specific to Password Policy Enforcement; displayed in the event that authentication encounters an account that is not allowed authentication within the current time window in the underlying account store (i.e. LDAP)

  • casBadWorkstationView
    Specific to Password Policy Enforcement; displayed in the event that authentication encounters an account that is not allowed authentication from the current workstation in the underlying account store (i.e. LDAP)

  • casExpiredPassView
    Specific to Password Policy Enforcement; displayed in the event that authentication encounters an account that has expired in the underlying account store (i.e. LDAP)

  • casMustChangePassView
    Specific to Password Policy Enforcement; displayed in the event that authentication encounters an account that must change its password in the underlying account store (i.e. LDAP)

  • casWarnPassView
    Specific to Password Policy Enforcement; displayed when the user account is near expiration based on specified configuration (i.e. LDAP)

  • authorizationFailure
    Displayed when a user successfully authenticates to the services management web-based administrative UI included with CAS, but the user is not authorized to access that application.

  • casConfirmView
    Displayed when the user is warned before being redirected to the service. This allows users to be made aware whenever an application uses CAS to log them in. (If they don’t elect the warning, they may not see any CAS screen when accessing an application that successfully relies upon an existing CAS single sign-on session.) Some CAS adopters remove the ‘warn’ checkbox in the CAS login view and don’t offer this interstitial advisement that single sign-on is happening.

  • casGenericSuccess
    Displayed when the user has been logged in without providing a service to be redirected to.

  • casLoginView
    Main login form.

  • casLogoutView
    Displayed when the user logs out.

  • errors Displayed when CAS experiences an error it doesn’t know how to handle (an unhandled Exception). For instance, CAS might be unable to access a database backing the services registry. This is the generic CAS error page. It’s important to brand it to provide an acceptable error experience to your users.

  • serviceErrorView
    Used in conjunction with the service registry feature, displayed when the service the user is trying to access is not allowed to use CAS. The default in-memory services registry configuration, in ‘deployerConfigContext.xml’, allows all users to obtain a service ticket to access all services.

  • serviceErrorSsoView 
    Displayed when a user would otherwise have experienced noninteractive single sign-on to a service that is, per services registry configuration, disabled from participating in single sign-on. (In the default services registry registrations, all services are permitted to participate in single sign-on, so this view will not be displayed.)

Localization

The CAS Web application includes a number of localized message files:

  • English (US)
  • Spanish
  • French
  • Russian
  • Netherlands (Nederlands)
  • Swedish (Svenskt)
  • Italian (Italiano)
  • Urdu
  • Chinese (Simplified)
  • Dutch (Deutsch)
  • Japanese
  • Croatian
  • Czech
  • Slovenian
  • Polish
  • Portuguese (Brazil)
  • Turkish
  • Farsi
  • Arabic

In order to “invoke” a specific language for the UI, the /login endpoint may be passed a locale parameter as such:

https://cas.server.edu/login?locale=it

Configuration

All message bundles are marked under messages_xx.properties files at WEB-INF/classes. The default language bundle is for the English language and is thus called messages.properties. If there any custom messages that need to be presented into views, they may also be formatted under custom_messages_xx.properties files.

Messages are parsed and loaded via the following configuration:

<bean id="messageSource" class="org.jasig.cas.web.view.CasReloadableMessageBundle"
p:basenames-ref="basenames" p:fallbackToSystemLocale="false" p:defaultEncoding="UTF-8"
p:cacheSeconds="180" p:useCodeAsDefaultMessage="true" /> <util:list id="basenames">
<value>classpath:custom_messages</value>
<value>classpath:messages</value>
</util:list>

Messages are then read on each JSP view via the following sample configuration:

<spring:message code="message.key" />

In the event that the code is not found in the activated resource bundle, the code itself will be used verbatim.

Themes

With the introduction of Service Management application, deployers are now able to switch the themes based on different services. For example, you may want to have different login screens (different styles) for staff applications and student applications. Or, you want to show two layouts for day time and night time. This document could help you go through the basic settings to achieve this.

Components

Configuration of service-specific themes is backed by the Spring framework and provided by the following component:

<bean id="themeResolver" class="org.jasig.cas.services.web.ServiceThemeResolver"
p:defaultThemeName="${cas.themeResolver.defaultThemeName}"
p:servicesManager-ref="servicesManager"
p:argumentExtractors-ref="argumentExtractors" />

Furthermore, deployers may be able to use the functionality provided by the ThemeChangeInterceptor of Spring framework to provide theme configuration per each request.

Configuration

  • Add another theme properties file, which must be placed to the root of /WEB-INF/classes folder, name it astheme_name.properties. Contents of this file should match the cas-theme-default.properties file.
  • Add the location of related styling files, such as CSS and Javascript in the file above.
  • Specify the name of your theme for the service definition under the theme property.

cas 官方文档的更多相关文章

  1. 【AutoMapper官方文档】DTO与Domin Model相互转换(上)

    写在前面 AutoMapper目录: [AutoMapper官方文档]DTO与Domin Model相互转换(上) [AutoMapper官方文档]DTO与Domin Model相互转换(中) [Au ...

  2. 2DToolkit官方文档中文版打地鼠教程(三):Sprite Collections 精灵集合

    这是2DToolkit官方文档中 Whack a Mole 打地鼠教程的译文,为了减少文中过多重复操作的翻译,以及一些无必要的句子,这里我假设你有Unity的基础知识(例如了解如何新建Sprite等) ...

  3. 2DToolkit官方文档中文版打地鼠教程(二):设置摄像机

    这是2DToolkit官方文档中 Whack a Mole 打地鼠教程的译文,为了减少文中过多重复操作的翻译,以及一些无必要的句子,这里我假设你有Unity的基础知识(例如了解如何新建Sprite等) ...

  4. 2DToolkit官方文档中文版打地鼠教程(一):初始设置

    这是2DToolkit官方文档中 Whack a Mole 打地鼠教程的译文,为了减少文中过多重复操作的翻译,以及一些无必要的句子,这里我假设你有Unity的基础知识(例如了解如何新建Sprite等) ...

  5. 【AutoMapper官方文档】DTO与Domin Model相互转换(中)

    写在前面 AutoMapper目录: [AutoMapper官方文档]DTO与Domin Model相互转换(上) [AutoMapper官方文档]DTO与Domin Model相互转换(中) [Au ...

  6. 【AutoMapper官方文档】DTO与Domin Model相互转换(下)

    写在前面 AutoMapper目录: [AutoMapper官方文档]DTO与Domin Model相互转换(上) [AutoMapper官方文档]DTO与Domin Model相互转换(中) [Au ...

  7. Ionic2系列——Ionic 2 Guide 官方文档中文版

    最近一直没更新博客,业余时间都在翻译Ionic2的文档.之前本来是想写一个入门,后来觉得干脆把官方文档翻译一下算了,因为官方文档就是最好的入门教程.后来越翻译越觉得这个事情确实比较费精力,不知道什么时 ...

  8. Kotlin开发语言文档(官方文档)-- 目录

    开始阅读Kotlin官方文档.先上文档目录.有些内容还未阅读,有些目录标目翻译还需琢磨琢磨.后续再将具体内容的链接逐步加上. 文档链接:https://kotlinlang.org/docs/kotl ...

  9. 一起学微软Power BI系列-官方文档-入门指南(1)Power BI初步介绍

    我们在前一篇文章微软新神器-Power BI,一个简单易用,还用得起的BI产品中,我们初步介绍了Power BI的基本知识.由于Power BI是去年开始微软新发布的一个产品,虽然已经可以企业级应用, ...

随机推荐

  1. 【转】iOS申请发布证书-图文详解

    摘要 发布产品到App Store所需证书,2013年5月26日测试 IOS 发布证书 distribution 打包程序 真机调试证书 本文讲述发布证书的申请,申请真机调试证书请参考:http:// ...

  2. Swift - 14 - 字符串的基础操作

    //: Playground - noun: a place where people can play import UIKit // 拼接 var str = "Hello, playg ...

  3. PHP MySQL 读取数据

    PHP MySQL 读取数据 从 MySQL 数据库读取数据 SELECT 语句用于从数据表中读取数据: SELECT column_name(s) FROM table_name 如需学习更多关于 ...

  4. CSS 布局Float 【2】

    1.页面标准文档流.浮动层.float属性 1.1 文档流 HTML页面的标准文档流(默认布局)是:从上到下,从左到右,遇块(块级元素)换行. 1.2 浮动层 浮动层:给元素的float属性赋值后,就 ...

  5. 分享一个md5类

    这个md5干嘛用的,大家比我清楚就不说了,这里不是讲md5的原理.要讲md5的原理,网上一大堆,我也不是什么算法很厉害的人,我只是算法搬运工.咱是一般程序员,有时候能完成业务需要就可以,那些伟大算法的 ...

  6. 服务器之间socket传输单链接和多连接测试结果

    今天做了一下测试,目的是看看局域网内服务器a,通过一个连接往服务器b传输数据,和通过多个连接传输的不同. 结果发现和多少个连接没关系,一个进程一个连接就能跑满网卡,只要write的时候够快,read的 ...

  7. Extjs之combobox联动

    Ext.Loader.setConfig({ enabled : true }); Ext.Loader.setPath('Ext.ux', '../extjs/ux'); Ext.require([ ...

  8. angularjs现学现记之—$apply()和$digest()

    angularjs的双向数据绑定是个重要的特性,它让我们的代码简洁了许多,然而它又是如何知道数据发生了变化并改变页面的呢.最近看了一篇介绍觉得十分有用 首先,在angularjs中是有$watch事件 ...

  9. get_magic_quotes_gpc() 内置函数

    get_magic_quotes_gpc()函数 在PHP中是内置的函数,这个函数的作用就是得到php.ini设置中magic_quotes_gpc选项的值. 当magic_quotes_gpc=On ...

  10. __PUBLIC__模板文件路径配置

    __PUBLIC__ 默认指向 项目文件下的Public文件夹 注意: __PUBLIC__不是一个常量,只在模板中进行替换,__ROOT__是一个常量 项目文件路径 defined('__PUBLI ...