Proxy CAS Walkthrough
Source: Internet  Published: node.js 做信息系统  Editor: 程序博客网  Time: 2024/05/17 22:37
A manual walkthrough of CAS proxy tickets.
This walkthrough was provided by David Spencer on the CAS Mailman list.
Introduction
When I was trying to understand the mechanisms involved in writing proxying applications using CAS, I found it very helpful to manually walk through the acquisition of a proxy ticket. The CAS server played itself in this exercise and I played all the other roles - user, proxying application and proxied application - simply by constructing URLs and feeding them into a web browser.
The only part of the exercise that can't be done with just a web browser and careful URL construction is the part where CAS makes its own callback to the proxying application. For this, I chose a proxy callback URL on a machine for which I had access to the log files and scanned through the HTTP requests to find the information I wanted.
Step One: login
To start with, log in to CAS with some invented service:
https://foo.bar.com/is/cas/login?service=http://localhost/bling
On successful login, CAS will redirect you to the service with a ticket appended (it doesn't matter that the service is made up, as the ticket you're after is part of the URL and will appear in the location bar even if your browser can't find the resource):
http://localhost/bling?ticket=ST-956-Lyg0BdLkgdrBO9W17bXS
Step Two (a): verify the ticket and be done
So, playing the role of the first application (not a proxying application at this stage - let's just see if we can get our application authenticated without proxying for now), you need to take the ticket and turn it into a username:
https://foo.bar.com/is/cas/serviceValidate?ticket=ST-956-Lyg0BdLkgdrBO9W17bXS&service=http://localhost/bling
which will produce a result like:
<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>endjs</cas:user>
  </cas:authenticationSuccess>
</cas:serviceResponse>
This is the end of the road for normal applications that don't need to proxy other applications.
Step Two (b): verify the ticket and enable further proxying
If instead you do want to be able to proxy other applications you need to also supply a pgtUrl to your validation request so that CAS can call back with the Proxy Granting Ticket. This is where life gets complicated, especially if you forget that service tickets are one-time-only tickets and that once you've used them with serviceValidate, you have to go back to CAS and get a new one (so if you've done Step One and Step Two (a) you'll need to do Step One again before you can do Step Two (b)).
The choice of pgtUrl here is fairly arbitrary except that it needs to be an https URL and it needs to be on a server on which you can access the log files.
https://foo.bar.com/is/cas/serviceValidate?ticket=ST-956-Lyg0BdLkgdrBO9W17bXS&service=http://localhost/bling&pgtUrl=https://foo.bar.com/pgtCallback
results in:
<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>endjs</cas:user>
    <cas:proxyGrantingTicket>PGTIOU-85-8PFx8qipjkWYDbuBbNJ1roVu4yeb9WJIRdngg7fzl523Eti2td</cas:proxyGrantingTicket>
  </cas:authenticationSuccess>
</cas:serviceResponse>
Step Three: dig out the PGT
Now our first application knows who the user is and has a Proxy Granting Ticket IOU. To find the real PGT we look in the Apache access log for foo.bar.com and hunt out the request made by CAS to deliver the PGT:
foo.bar.com - - [10/Dec/2003:09:28:15 +0000] "GET /pgtCallback?pgtIou=PGTIOU-85-8PFx8qipjkWYDbuBbNJ1roVu4yeb9WJIRdngg7fzl523Eti2td&pgtId=PGT-330-CSdUc5fCBz3g8KDDiSgO5osXfLMj9sRDAI0xDLg7jPn8gZaDqS HTTP/1.1" 200 13079
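Hunting through the access log by eye is the manual stand-in for what the pgtUrl handler of a real proxying application does: record the pgtIou/pgtId pair CAS delivers, so the IOU from the validation response can be exchanged for the PGT. The following Python script is an added example, not code from the walkthrough or from any CAS client; it parses the callback request out of Apache common-log-format lines (the walkthrough's own line, joined back onto one line, plus a constructed unrelated request) and resolves an IOU to its PGT. The callback path `/pgtCallback` is taken from the walkthrough.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample log: the callback line from the walkthrough, rejoined onto
# one line, plus an unrelated request that the parser must ignore.
SAMPLE_LOG = """\
foo.bar.com - - [10/Dec/2003:09:28:15 +0000] "GET /pgtCallback?pgtIou=PGTIOU-85-8PFx8qipjkWYDbuBbNJ1roVu4yeb9WJIRdngg7fzl523Eti2td&pgtId=PGT-330-CSdUc5fCBz3g8KDDiSgO5osXfLMj9sRDAI0xDLg7jPn8gZaDqS HTTP/1.1" 200 13079
foo.bar.com - - [10/Dec/2003:09:28:16 +0000] "GET /index.html HTTP/1.1" 200 512
"""

# The quoted request part of a common-log-format line: METHOD target HTTP/x.y
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def extract_pgt_callbacks(log_text, callback_path="/pgtCallback"):
    """Return {pgtIou: pgtId} for every CAS PGT delivery found in the log text.

    CAS delivers the PGT by requesting pgtUrl with pgtIou and pgtId as query
    parameters. The IOU is what the serviceValidate response handed back, so it
    is the key the proxying application uses to find the real PGT.
    """
    mapping = {}
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        target = urlsplit(match.group("target"))
        if target.path != callback_path:
            continue
        query = parse_qs(target.query)
        iou = query.get("pgtIou", [None])[0]
        pgt = query.get("pgtId", [None])[0]
        # Only a request carrying both parameters is a PGT delivery; anything
        # else hitting the callback path is ignored.
        if iou and pgt:
            mapping[iou] = pgt
    return mapping


def lookup_pgt(log_text, pgt_iou):
    """Resolve the PGTIOU from a serviceValidate response to its PGT, or None."""
    return extract_pgt_callbacks(log_text).get(pgt_iou)


if __name__ == "__main__":
    iou = "PGTIOU-85-8PFx8qipjkWYDbuBbNJ1roVu4yeb9WJIRdngg7fzl523Eti2td"
    print(iou, "->", lookup_pgt(SAMPLE_LOG, iou))
```

The pgtId in that query string is a reusable credential for the whole of the user's session with the proxying application, which is why the walkthrough insists on a server whose log files only you can read: in a real deployment the pgtUrl handler keeps the mapping itself, and any access log that records the callback needs the same protection as the PGT store.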
Step Four: get a proxy ticket
With the PGT in our grasp we can make a call on CAS to give us a proxy ticket for some other service we wish to proxy:
https://foo.bar.com/is/cas/proxy?targetService=http://localhost/bongo&pgt=PGT-330-CSdUc5fCBz3g8KDDiSgO5osXfLMj9sRDAI0xDLg7jPn8gZaDqS
resulting in:
<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:proxySuccess>
    <cas:proxyTicket>PT-957-ZuucXqTZ1YcJw81T3dxf</cas:proxyTicket>
  </cas:proxySuccess>
</cas:serviceResponse>
Step Five: verify the proxy ticket
Now we take on our final role for the exercise - the proxied application. The proxying application has invoked our service URL and has passed in the proxy ticket it's got. We take that ticket and validate it to find out both who the user is and which applications are in the proxy chain:
https://foo.bar.com/is/cas/proxyValidate?service=http://localhost/bongo&ticket=PT-957-ZuucXqTZ1YcJw81T3dxf
resulting in:
<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>endjs</cas:user>
    <cas:proxies>
      <cas:proxy>https://foo.bar.com/pgtCallback</cas:proxy>
    </cas:proxies>
  </cas:authenticationSuccess>
</cas:serviceResponse>
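Steps Two, Four and Five each amount to building one CAS URL and reading one XML response, and this is the part a proxying or proxied application has to get right. The following Python module is an added example, not code from the walkthrough or from the JA-SIG client: it builds the serviceValidate, proxy and proxyValidate URLs with proper URL encoding (the hand-typed URLs above leave the service parameter unencoded), parses the three responses shown in the walkthrough plus a constructed authenticationFailure, and lets the proxied application check the proxy chain against the pgtUrls it is willing to trust. The server base URL, user and tickets are the walkthrough's; the trusted-proxy set and the failure response are constructed.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}
CAS_BASE = "https://foo.bar.com/is/cas"  # the CAS server used in the walkthrough


def service_validate_url(ticket, service, pgt_url=None):
    """Step Two: build the serviceValidate URL, sending pgtUrl only when the
    application intends to proxy. CAS requires pgtUrl to be https."""
    params = {"ticket": ticket, "service": service}
    if pgt_url is not None:
        if not pgt_url.startswith("https://"):
            raise ValueError("pgtUrl must be an https URL")
        params["pgtUrl"] = pgt_url
    return f"{CAS_BASE}/serviceValidate?{urlencode(params)}"


def proxy_url(pgt, target_service):
    """Step Four: ask CAS for a proxy ticket for target_service using the PGT."""
    return f"{CAS_BASE}/proxy?{urlencode({'targetService': target_service, 'pgt': pgt})}"


def proxy_validate_url(ticket, service):
    """Step Five: the proxied application validates the proxy ticket it received."""
    return f"{CAS_BASE}/proxyValidate?{urlencode({'service': service, 'ticket': ticket})}"


def _text(element, path):
    found = element.find(path, CAS_NS)
    return found.text.strip() if found is not None and found.text else None


def parse_validation(xml_text):
    """Parse a serviceValidate or proxyValidate response into the user, the
    PGTIOU (None unless pgtUrl was sent) and the proxy chain (empty for a
    plain service ticket). Raises ValueError on an authenticationFailure."""
    root = ET.fromstring(xml_text)
    failure = root.find("cas:authenticationFailure", CAS_NS)
    if failure is not None:
        raise ValueError(f"CAS authentication failed: {failure.get('code')}")
    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is None:
        raise ValueError("response is neither a success nor a failure")
    return {
        "user": _text(success, "cas:user"),
        "pgt_iou": _text(success, "cas:proxyGrantingTicket"),
        "proxies": [p.text.strip() for p in success.findall("cas:proxies/cas:proxy", CAS_NS)],
    }


def parse_proxy_response(xml_text):
    """Parse a /proxy response and return the proxy ticket; raise on proxyFailure."""
    root = ET.fromstring(xml_text)
    failure = root.find("cas:proxyFailure", CAS_NS)
    if failure is not None:
        raise ValueError(f"CAS proxy request failed: {failure.get('code')}")
    ticket = _text(root, "cas:proxySuccess/cas:proxyTicket")
    if ticket is None:
        raise ValueError("response carries no proxy ticket")
    return ticket


def proxy_chain_allowed(proxies, trusted_pgt_urls):
    """The proxied application decides whether to accept the chain: every
    pgtUrl listed in cas:proxies must be one it is willing to be proxied by."""
    return all(p in trusted_pgt_urls for p in proxies)


# Sample responses: the three from the walkthrough, plus a constructed failure.
STEP_2B_RESPONSE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>endjs</cas:user>
    <cas:proxyGrantingTicket>PGTIOU-85-8PFx8qipjkWYDbuBbNJ1roVu4yeb9WJIRdngg7fzl523Eti2td</cas:proxyGrantingTicket>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""
STEP_4_RESPONSE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:proxySuccess>
    <cas:proxyTicket>PT-957-ZuucXqTZ1YcJw81T3dxf</cas:proxyTicket>
  </cas:proxySuccess>
</cas:serviceResponse>"""
STEP_5_RESPONSE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>endjs</cas:user>
    <cas:proxies>
      <cas:proxy>https://foo.bar.com/pgtCallback</cas:proxy>
    </cas:proxies>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""
FAILURE_RESPONSE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_TICKET'>ticket not recognized</cas:authenticationFailure>
</cas:serviceResponse>"""

if __name__ == "__main__":
    first = parse_validation(STEP_2B_RESPONSE)
    print(first["user"], first["pgt_iou"])
    print(parse_proxy_response(STEP_4_RESPONSE))
    chain = parse_validation(STEP_5_RESPONSE)["proxies"]
    print(chain, proxy_chain_allowed(chain, {"https://foo.bar.com/pgtCallback"}))
```

The chain check is the piece most easily forgotten when writing the proxied side: proxyValidate tells you who the user is and which pgtUrls stood between the user and you, but it is your application, not CAS, that decides whether that chain is acceptable. The functions raise on failure responses rather than returning an empty user, so a caller cannot mistake a rejected ticket for an anonymous one.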
Obviously, this walkthrough doesn't help with acquiring and plugging in good proxying code for your application but it does help to see what the proxying code needs to be doing and makes it easier to write your own.
Originally provided by: David Spencer on the CAS mailing list.
Useful links:
Cas installation:
http://www.ja-sig.org/wiki/display/CASUM/Demo
Java Client:
http://www.ja-sig.org/wiki/display/CASC/Using+the+basic+Java+CAS+Client+objects