• Single Sign-On (SSO) for ASP.NET (Part 2)


    In the previous post I went over the basic principles of SSO; this one covers how to use SSO from .NET (here: a CAS server).

    To switch an existing application over to SSO, four steps are needed:

    1. Remove the application's original login mechanism

    2. Obtain the relevant certificate

    3. Configure SSO

    4. Write the code

    Step by step:

    Step one may sound like stating the obvious, but if you forget it, users end up with two logins and will be very angry.

    Step two is to obtain the certificate you need from the central identity-authentication (CAS) system: the TLS certificate the SSO server presents, which your application must trust when it calls the server to validate tickets.

    Step three is configuration:

    1) Import the single sign-on server's certificate on the IIS machine (into the Windows certificate store), so that server-to-server calls to the SSO server are trusted.

    2) Download DotNetCasClient.dll and add it to the project references:
    Download: https://wiki.jasig.org/display/CASC/.Net+Cas+Client

    Remember: after publishing, the bin folder must contain DotNetCasClient.dll.

    3) Configure Web.config by adding the following under the configuration node. Note that this fragment is the standard ASP.NET SQL membership/profile/role provider configuration; it does not by itself wire up DotNetCasClient, because the code in step four performs the CAS redirect and ticket validation directly. Forms authentication (authentication mode="Forms") must also be enabled, since the code calls FormsAuthentication.RedirectFromLoginPage.

    <system.web>
      <membership>
        <providers>
          <clear/>
          <add name="AspNetSqlMembershipProvider" type="System.Web.Security.SqlMembershipProvider" connectionStringName="ApplicationServices" enablePasswordRetrieval="false" enablePasswordReset="true" requiresQuestionAndAnswer="false" requiresUniqueEmail="false" maxInvalidPasswordAttempts="5" minRequiredPasswordLength="6" minRequiredNonalphanumericCharacters="0" passwordAttemptWindow="10" applicationName="/"/>
        </providers>
      </membership>
      <profile>
        <providers>
          <clear/>
          <add name="AspNetSqlProfileProvider" type="System.Web.Profile.SqlProfileProvider" connectionStringName="ApplicationServices" applicationName="/"/>
        </providers>
      </profile>
      <roleManager enabled="false">
        <providers>
          <clear/>
          <add name="AspNetSqlRoleProvider" type="System.Web.Security.SqlRoleProvider" connectionStringName="ApplicationServices" applicationName="/"/>
          <add name="AspNetWindowsTokenRoleProvider" type="System.Web.Security.WindowsTokenRoleProvider" applicationName="/"/>
        </providers>
      </roleManager>
    </system.web>
    <system.webServer>
      <modules runAllManagedModulesForAllRequests="true"/>
    </system.webServer>

    Step four, writing the code.

    Namespaces to reference (System.Web and System.Web.Security are needed for HttpUtility and FormsAuthentication):

    using System.IO;
    using System.Net;
    using System.Xml;
    using System.Security.Cryptography.X509Certificates;
    using System.Web;
    using System.Web.Security;

    Add the following to the login page, i.e. the page that CAS redirects back to with the ticket:

    // CAS base URL; the post suggests moving this into web.config (see the end of the post).
    private static readonly string CASHOST = "https://sso.test.com:xxxx/casServer/";

    // Login-page logic: redirect to CAS when no ticket is present, otherwise validate the ticket.
    // (The original post shows only the method body; the wrapper is added so it compiles.)
    private string CasLogin()
    {
        // WARNING: MyPolicy (below) accepts every server certificate, so the HTTPS call to
        // serviceValidate is not protected against a man-in-the-middle. Remove it once the
        // CAS certificate from step three is trusted on this machine.
        ServicePointManager.CertificatePolicy = new MyPolicy();
        //ServicePointManager.ServerCertificateValidationCallback += new System.Net.Security.RemoteCertificateValidationCallback(...);

        // Look for "ticket=" in the query string (CAS appends it when it redirects back here)
        string tkt = Request.QueryString["ticket"] ?? "";

        // This page is the CAS service=, but discard any query string residue
        string service = Request.Url.GetLeftPart(UriPartial.Path);

        // First time through there is no ticket=, so redirect to CAS login
        if (tkt.Length == 0)
        {
            string redir = CASHOST + "login?service=" + HttpUtility.UrlEncode(service);
            Response.Redirect(redir);
            return "";
        }

        // Second time (back from CAS) there is a ticket= to validate
        string validateurl = CASHOST + "serviceValidate?" +
            "ticket=" + HttpUtility.UrlEncode(tkt) + "&" +
            "service=" + HttpUtility.UrlEncode(service);
        string resp;
        using (StreamReader Reader = new StreamReader(new WebClient().OpenRead(validateurl)))
        {
            resp = Reader.ReadToEnd();
        }
        // I like to have the text in memory for debugging rather than parsing the stream

        // Some boilerplate to set up the parse.
        NameTable nt = new NameTable();
        XmlNamespaceManager nsmgr = new XmlNamespaceManager(nt);
        XmlParserContext context = new XmlParserContext(null, nsmgr, null, XmlSpace.None);
        XmlTextReader reader = new XmlTextReader(resp, XmlNodeType.Element, context);

        string netid = null;

        // A very dumb use of XML. Just scan for the "user" element (cas:user inside
        // cas:authenticationSuccess). If it isn't there, it's an error.
        while (reader.Read())
        {
            if (reader.IsStartElement())
            {
                string tag = reader.LocalName;
                if (tag == "user")
                    netid = reader.ReadString();
            }
        }
        // if you want to parse the proxy chain, just add the logic above
        reader.Close();

        // If there was a problem, leave the message on the screen. Otherwise, return to the original page.
        if (netid == null)
        {
            Label1.Text = "CAS returned to this application, but then refused to validate your identity.";
        }
        else
        {
            Session["UserName"] = netid;
            Label1.Text = "Welcome " + netid;
            FormsAuthentication.RedirectFromLoginPage(netid, false); // set netid in ASP.NET blocks
        }
        return netid;
    }
    // Accepts EVERY server certificate (ICertificatePolicy has been obsolete since .NET 2.0).
    // This turns off TLS validation for the whole process, including the serviceValidate
    // call above, so a man-in-the-middle could answer with a forged <cas:user> and be
    // logged in as anyone. Acceptable only while testing against a self-signed CAS server.
    public class MyPolicy : ICertificatePolicy
    {
        public bool CheckValidationResult(
              ServicePoint srvPoint
            , X509Certificate certificate
            , WebRequest request
            , int certificateProblem)
        {
            //Return True to force the certificate to be accepted.
            return true;
        }
    }

    With these four steps you are basically done. Also, string CASHOST = "https://sso.test.com:xxxx/casServer/"; can be moved into web.config and read from there, which makes it easier to maintain. One caveat: the serviceValidate call is the step that actually decides who the user is, and MyPolicy above accepts every certificate, so anyone who can sit on the path between your IIS server and the SSO server could answer that call with a forged response. Once the SSO server's certificate from step three is trusted on the IIS machine, drop MyPolicy altogether, or replace it with a validation callback that accepts only that one certificate.
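    As an added example (this is not code from the original post or from DotNetCasClient), here is a hardened version of the validation step: the CAS server certificate is pinned by thumbprint instead of accepting every certificate, the query parameters are URL-encoded, and the CAS 2.0 serviceValidate response is parsed with its namespace rather than by scanning for any "user" element. It assumes two appSettings keys, "CasHost" and "CasServerThumbprint", which are my names, and .NET 4.5 or later for HttpWebRequest.ServerCertificateValidationCallback (on older frameworks, assign the same callback to ServicePointManager.ServerCertificateValidationCallback instead).

```csharp
// Added example, not part of the original post. Assumptions (not from the post):
// appSettings keys "CasHost" and "CasServerThumbprint", .NET 4.5+, a Web Forms page
// as the caller. Replaces the MyPolicy/WebClient part of the login page.
using System;
using System.Configuration;
using System.IO;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
using System.Web;
using System.Xml;

public static class CasTicketValidator
{
    // e.g. <add key="CasHost" value="https://sso.test.com:xxxx/casServer/"/>  (assumed key)
    private static readonly string CasHost = ConfigurationManager.AppSettings["CasHost"];
    // SHA-1 thumbprint of the certificate imported in step three, hex without spaces (assumed key)
    private static readonly string CasThumbprint = ConfigurationManager.AppSettings["CasServerThumbprint"];

    // Replacement for MyPolicy: trust the OS store; otherwise accept only the one pinned
    // certificate, and only when the sole problem is an untrusted chain (self-signed or
    // private CA). Name mismatches and every other error are still rejected.
    public static bool ValidateCasCertificate(object sender, X509Certificate certificate,
                                              X509Chain chain, SslPolicyErrors errors)
    {
        if (certificate == null)
            return false;
        if (errors == SslPolicyErrors.None)
            return true;
        if ((errors & ~SslPolicyErrors.RemoteCertificateChainErrors) != 0)
            return false;
        string thumbprint = new X509Certificate2(certificate).Thumbprint;
        return !string.IsNullOrEmpty(CasThumbprint)
            && string.Equals(thumbprint, CasThumbprint, StringComparison.OrdinalIgnoreCase);
    }

    // Parse a CAS 2.0 serviceValidate response. Returns the user name on
    // cas:authenticationSuccess; null on cas:authenticationFailure, malformed XML,
    // or anything that is not a cas:serviceResponse at all.
    public static string ParseServiceResponse(string xml)
    {
        XmlDocument doc = new XmlDocument();
        doc.XmlResolver = null;               // no DTD / external entity resolution
        try
        {
            doc.LoadXml(xml);
        }
        catch (XmlException)
        {
            return null;
        }
        XmlNamespaceManager ns = new XmlNamespaceManager(doc.NameTable);
        ns.AddNamespace("cas", "http://www.yale.edu/tp/cas");
        if (doc.SelectSingleNode("/cas:serviceResponse/cas:authenticationFailure", ns) != null)
            return null;
        XmlNode user = doc.SelectSingleNode("/cas:serviceResponse/cas:authenticationSuccess/cas:user", ns);
        if (user == null || string.IsNullOrEmpty(user.InnerText.Trim()))
            return null;
        return user.InnerText.Trim();
    }

    // Validate the ticket CAS sent back for this service. Returns the user name or null.
    public static string Validate(string ticket, string service)
    {
        string url = CasHost + "serviceValidate?ticket=" + HttpUtility.UrlEncode(ticket)
                   + "&service=" + HttpUtility.UrlEncode(service);
        HttpWebRequest req = (HttpWebRequest)WebRequest.Create(url);
        // Scoped to this request only, not to every HTTPS call in the process
        req.ServerCertificateValidationCallback = ValidateCasCertificate;
        using (HttpWebResponse resp = (HttpWebResponse)req.GetResponse())
        using (StreamReader reader = new StreamReader(resp.GetResponseStream()))
        {
            return ParseServiceResponse(reader.ReadToEnd());
        }
    }
}
```

    In the login page this replaces the WebClient call: when Request.QueryString["ticket"] is empty, redirect to CasHost + "login?service=" + HttpUtility.UrlEncode(service); otherwise call CasTicketValidator.Validate(ticket, service) and only pass a non-null result to FormsAuthentication.RedirectFromLoginPage. A forged or tampered response now fails either at the TLS layer (wrong certificate) or in the parser (no cas:authenticationSuccess), instead of logging the attacker in.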

    Written by Liu Guozhu (刘国柱), 2012-09-20

    Original article; please credit the source when reposting.

  • License: free to repost, non-commercial, no derivatives, keep attribution | Creative Commons BY-NC-ND 3.0
  • Original URL: https://www.cnblogs.com/liuguozhu2015/p/sso_2.html
  • Copyright © 2020-2023  润新知