Construction and implementation of a single sign-on solution

Implementing single sign-on (SSO, where a user logs in once and that identity is then verified for all network resources) across existing applications is very difficult, but every developer building a complex portal must address the problem. Because a portal needs to connect to and integrate back-end resources, each of which has its own authentication needs, the portal is often required to provide single sign-on. In this article, Chris Dunne describes step by step his experience building a single sign-on solution for a Web portal. He explains how to set up an open source solution (Yale University's Central Authentication Service) and how to extend it to authenticate against a Microsoft Active Directory infrastructure.

In my work I have found that the variety of portal applications is growing, and that portal technology and functional requirements are becoming more complex. Although there are tools for building simple portals, integrating a portal with remote or legacy data sources is still not an easy problem to solve. One such problem is authentication.

Authentication is a complex issue. A portal needs to authenticate users to back-end data sources and applications, but each of these applications may have its own separate underlying security infrastructure. The ideal and most efficient authentication solution is single sign-on (SSO), in which users log on only once and their identity is then verified for all network resources.

Recently, needing SSO for an education portal I was building, I studied many commercial and open source SSO solutions. In this article, I walk step by step through the process of building a simple SSO system with a free SSO implementation (CAS, from Yale University).

(See Resources to download the files mentioned here and the client libraries.)

First, download the CAS server and client libraries. Client libraries have been developed for many languages and environments, including Java, ASP, Perl, PHP and PL/SQL.

CAS uses HTTPS, so HTTPS must be enabled in Tomcat. I found that this takes a little skill, but if you follow the instructions I have provided (the readme_tomcat_ssl.txt file), it should not be difficult.

Extract the CAS server ZIP file and use the Ant build script to build the CAS server software. Deploy the WAR (Web Archive) file to Tomcat's /webapps directory. When Tomcat starts, it uses the WAR file in the /webapps directory to create the CAS application.

Download the CAS client libraries. Extract the ZIP file and you will see a number of directories. I want to use the Java client library. An Ant build script is provided for it as well. Run the build script; it generates a JAR file called casclient.jar. Copy this file to the common/lib directory under the Tomcat root directory.

Now you need to configure an application to use CAS. The application used for demonstration in this article is the trusty "HelloWorld" servlet example that comes with Tomcat. The application should be in Tomcat's /webapps/examples directory. Modify its web.xml file to configure the servlet filter.

The web.xml file for the HelloWorld example contains the following servlet filter configuration. It uses HTTPS on the local host and port 8443. Modify these settings to match your own configuration. The ZIP file I provide contains a sample web.xml file.

(The references list a tutorial that describes in detail how to create a sample application.) More precisely, it is the GSS-API SASL mechanism, but it supports only Kerberos v5 authentication to LDAP v3 servers.

Kerberos authentication is a very simple process (if you follow the instructions carefully):

  1. In the JAAS configuration file, configure the login module for the application class.
    { required client=TRUE;
  2. Create a LoginContext, passing it the name of the class that performs the authentication and a CallbackHandler object.
    LoginContext lc = new LoginContext(CASApp.class.getName(), 
                        new CASCallbackHandler());
  3. Call the login() method to perform the authentication. If it completes without an exception, the authentication succeeded. If an exception is thrown, the exception indicates the reason for the failure.
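The three steps above as one self-contained class, added here as an illustration; it is not the author's KerberosAuthHandler or CASCallbackHandler. The class name, the JAAS entry name and the `authenticate` helper are hypothetical, while `Krb5LoginModule`, `LoginContext` and the callback types are the standard JDK ones.

```java
import java.util.Arrays;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;

public class KerberosPasswordCheck {
    // Hypothetical JAAS entry name. The file named by -Djava.security.auth.login.config
    // must contain:  KerberosPasswordCheck {
    //   com.sun.security.auth.module.Krb5LoginModule required client=TRUE; };
    // and -Djava.security.krb5.conf must name a krb5.conf with the realm and KDC.
    static final String JAAS_ENTRY = "KerberosPasswordCheck";

    /** Hands the submitted credentials to the login module; nothing is prompted for. */
    static CallbackHandler handlerFor(String user, char[] password) {
        return callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName(user);
                } else if (cb instanceof PasswordCallback) {
                    ((PasswordCallback) cb).setPassword(password); // stores a copy
                } else {
                    throw new UnsupportedCallbackException(cb);
                }
            }
        };
    }

    /** Returns true only if the KDC accepted the username and password. */
    public static boolean authenticate(String user, char[] password) {
        if (user == null || user.isEmpty() || password == null || password.length == 0) {
            return false; // fail closed on missing credentials
        }
        try {
            LoginContext lc = new LoginContext(JAAS_ENTRY, handlerFor(user, password));
            lc.login();   // throws LoginException: bad password, unknown user, KDC down
            lc.logout();  // only the yes/no result is needed, so discard the ticket
            return true;
        } catch (LoginException e) {
            System.err.println("Kerberos login failed: " + e.getMessage()); // server log
            return false;
        } finally {
            Arrays.fill(password, '\0'); // do not keep the cleartext password in memory
        }
    }

    public static void main(String[] args) {
        if (args.length != 1 || System.console() == null) return; // needs <user>, a terminal
        char[] pw = System.console().readPassword("Password for %s: ", args[0]);
        System.out.println(authenticate(args[0], pw) ? "accepted" : "rejected");
    }
}
```

The exception message goes only to the server log; the login page should show the same generic failure for every cause so that it does not reveal whether a username exists.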

To understand Kerberos authentication, I recommend consulting the references at the end. (I have also provided my own implementation and configuration files, KerberosAuthHandler and CASCallBackHandler.)

You need to create a new PasswordHandler implementation, KerberosAuthHandler, which uses the method described above to perform Kerberos v5 authentication against the Active Directory server.

The references include a web.xml example.

You must restart Tomcat, but this time you also need to set some Java runtime properties. Extract the ZIP file and copy the files cas_jaas.conf, krb5.conf and setkerberosjvmoptions.bat to the TOMCAT_HOME directory. Run setkerberosjvmoptions.bat, and then start Tomcat.

Now you can experiment with the HelloWorld application again. This time, you can use a valid Kerberos username and password pair defined in the Active Directory server.


Without a unified strategy, developers must reimplement a custom security mechanism for each web application. This leads to a variety of scalability and maintenance problems. A single sign-on solution provides a unified framework for security and authentication, which greatly reduces the burden on users, administrators and developers.

Single sign-on concepts, technologies and their implications for users and administrators are complex, and in this article I have only scratched the surface. However, I have explained how to implement single sign-on with Yale University's CAS system, and described in detail how to extend it to verify users' identities against an LDAP server (specifically, using the Kerberos protocol with an Active Directory server).
Date: 2010-06-19

