
MINISTRY OF EDUCATION AND TRAINING
HAI PHONG PRIVATE UNIVERSITY
-------o0o-------

GRADUATION THESIS
INFORMATION TECHNOLOGY

A STUDY OF THE SINGLE SIGN-ON MECHANISM
(SINGLE SIGN ON) AND AN EXPERIMENT BASED ON
THE PHPCAS LIBRARY

Full-time undergraduate graduation thesis

Major: Information Technology

Supervisor: M.Sc. Bui Huy Hung

Student: Dao Van Phong
Student ID: 1351010001

HAI PHONG - 2013

MINISTRY OF EDUCATION AND TRAINING
HAI PHONG PRIVATE UNIVERSITY

SOCIALIST REPUBLIC OF VIETNAM
Independence - Freedom - Happiness
-------o0o-------

GRADUATION PROJECT ASSIGNMENT

Student: Dao Van Phong
Class: CT1301
Student ID: 1351010001
Major: Information Technology

Topic: A study of the single sign-on mechanism and an experiment based on the phpCAS library.

PROJECT TASKS
1. Content and requirements to be addressed in the graduation project
a. Content
- Study single sign-on (SSO).
- Study CAS (Central Authentication Service).
- Experiment: install CAS and test it with a PHP website using the phpCAS library.
- Carry out the tasks and content set by the supervisor conscientiously.
b. Requirements
- Theory
Understand the theoretical basis of single sign-on.
Understand the CAS installation process and the way single sign-on is deployed.
- Practice (program)
Install CAS and experiment with a PHP website.

2. Data required for calculation.
(left blank)
3. Internship location.
(left blank)

THESIS SUPERVISORS
First supervisor:
Full name: Bui Huy Hung
Academic degree: Master
Institution: Hai Phong Private University
Supervision content:
- Study single sign-on based on the Central Authentication Service
- Experiment with a PHP website using the phpCAS library
Second supervisor:
(left blank)

Thesis assigned on ... 2013.
To be completed before ... 2013.

Assignment received by the student: Dao Van Phong
Assignment issued by the supervisor: M.Sc. Bui Huy Hung

Hai Phong, ... 2013

RECTOR
Prof. Dr. Tran Huu Nghi, Distinguished Teacher

SUMMARY REMARKS OF THE SUPERVISOR

1. The student's attitude and diligence during the graduation project:
(left blank)
2. Assessment of the quality of the thesis (against the requirements set out in the project assignment):
(left blank)
3. Supervisor's mark (in figures and in words):
(left blank)
Date ... 2013
Principal supervisor
(Signature and full name)

ASSESSMENT OF THE THESIS REVIEWER

1. Assessment of the quality of the thesis (theoretical basis, program description, practical value):
(left blank)
2. Reviewer's mark (in figures and in words):
(left blank)
Date ... 2013
Thesis reviewer
(Signature and full name)

Graduation thesis - Hai Phong Private University

ACKNOWLEDGEMENTS
First of all, I sincerely thank the lecturers of the Faculty of Information Technology, Hai Phong Private University, who taught us and gave us the basic knowledge needed over the past years so that I could complete this thesis.
In particular, I express my deepest gratitude to M.Sc. Bui Huy Hung, who guided and advised me attentively throughout the project.
I also thank Mr. Doan Quang Hung and Mr. Truong Hoang Dung of the ICT library centre for their great help while I was working on the thesis.
To my parents, who raised me and taught me to become who I am today, my deepest gratitude. Thank you to my loved one for encouraging me when I was tired; you were my motivation to keep going.
Although I have tried my best to complete this report, my abilities are limited and it still has many shortcomings, so I very much hope to receive sincere feedback from lecturers and friends.
Once again, my sincere thanks!

Hai Phong, 4 November 2013.

Student

Dao Van Phong

Dao Van Phong - CT1301


TABLE OF CONTENTS
ACKNOWLEDGEMENTS
TABLE OF CONTENTS
LIST OF FIGURES
LIST OF TABLES
LIST OF ABBREVIATIONS
PREFACE
CHAPTER I: INTRODUCTION TO THE SINGLE SIGN-ON (SSO) MECHANISM
  1.1. Overview of SSO. [1]
  1.2. Benefits of SSO.
  1.3. Common issues when deploying SSO.
  1.4. Current SSO solutions. [2]
CHAPTER II: THE OPEN-SOURCE CENTRAL AUTHENTICATION SERVICE
  2.1. Introduction to open-source software. [3]
  2.2. Central Authentication Service. [4]
    2.2.1. CAS overview.
    2.2.2. History. [5]
    2.2.3. CAS versions.
    2.2.4. CAS protocol.
    2.2.5. Summary.
    2.2.6. CAS entities.
    2.2.7. Principle of operation.
    2.2.8. CAS architecture overview.
  2.3. RubyCAS. [6]
  2.4. CAS client.
    2.4.1. Language used to build the client-side website.
  2.5. The phpCAS library. [7]
    2.5.1. phpCAS requirements.
    2.5.2. phpCAS examples.
    2.5.3. phpCAS logout.
    2.5.4. phpCAS troubleshooting.
  2.6. Security issues for SSO.
CHAPTER III: EXPERIMENT
  3.1. System installation.
    3.1.1. Prerequisites.
    3.1.2. Introduction.
    3.1.3. Installing the CAS server.
    3.1.4. Integrating the CAS client into the system.
  3.2. Phases in the system when a user logs in.
CONCLUSION
REFERENCES
APPENDICES
  Appendix A: CAS XML response schema.
  Appendix B: Safe redirection.
  Appendix C: SSO login handling code for system 1.
  Appendix D: SSO login handling code for system 2.


LIST OF FIGURES

Figure 1.1: What is single sign-on?
Figure 2.1: A user accessing an application after authenticating with CAS.
Figure 2.2: A user accessing an application before authenticating with the CAS server.
Figure 2.3: Login flow.
Figure 2.4: Proxy flow.
Figure 2.5: Logout flow.
Figure 2.6: How phpCAS works.
Figure 2.7: Position of CAS in the network.
Figure 3.1: Downloading RubyInstaller.
Figure 3.2: Installing RubyInstaller, step 1.
Figure 3.3: Installing RubyInstaller, step 2.
Figure 3.4: Installing RubyInstaller, step 3.
Figure 3.5: Installing RubyInstaller, step 4.
Figure 3.6: Extracting the Development Kit.
Figure 3.7: Installing RubyInstaller, step 5.
Figure 3.8: Installing Bundler.
Figure 3.9: Downloading the RubyCAS source code.
Figure 3.10: Deploying RubyCAS, step 1.
Figure 3.11: Creating the user database for RubyCAS authentication.
Figure 3.12: Creating the user database for RubyCAS authentication (2).
Figure 3.13: Deploying RubyCAS, step 2.
Figure 3.14: Deploying RubyCAS, step 3.
Figure 3.15: Deploying RubyCAS, step 4.
Figure 3.16: Deploying RubyCAS, step 5.
Figure 3.17: Testing the RubyCAS installation.
Figure 3.18: Structure of the casserver_lt table.
Figure 3.19: Structure of the casserver_pgt table.
Figure 3.20: Structure of the casserver_st table.
Figure 3.21: Structure of the casserver_tgt table.
Figure 3.22: Structure of the schema_migrations table.
Figure 3.23: Website 1 home page.
Figure 3.24: Website 1 user registration page.
Figure 3.25: Website 1 login page.
Figure 3.26: Adding a new post.
Figure 3.27: User list.
Figure 3.28: Website 1 database structure.
Figure 3.29: Website 2 home page.
Figure 3.30: Website 2 user registration page.
Figure 3.31: Website 2 login page.
Figure 3.32: Website 2 video upload page.
Figure 3.33: Website 2 database structure.
Figure 3.34: Integrating phpCAS into website 1.
Figure 3.35: Integrating phpCAS into website 2.
Figure 3.36: Processing flow when the client requests authentication from the CAS server.
Figure 3.37: Login when the user does not exist on the CAS server.
Figure 3.38: Flow diagram for phase 6.


LIST OF TABLES

Table 1.1: List of SSO solutions.
Table 2.1: Summary of URIs.
Table 2.2: List of phpCAS parameters.
Table 3.1: The casserver_lt table.
Table 3.2: The casserver_pgt table.
Table 3.3: The casserver_st table.
Table 3.4: The casserver_tgt table.


LIST OF ABBREVIATIONS

SSO: Single Sign On
CAS: Central Authentication Service
URI: Uniform Resource Identifier
URL: Uniform Resource Locator
HTTP: Hypertext Transfer Protocol
HTTPS: Hypertext Transfer Protocol Secure
SSL: Secure Sockets Layer
ST: Service Ticket
PT: Proxy Ticket
LT: Login Ticket
PGT: Proxy-granting ticket
PGTIOU: Proxy-granting ticket IOU
TGTIOU: Ticket-granting ticket IOU
TGT: Ticket-granting ticket
TGC: Ticket-granting cookie
CSDL: Co so du lieu (database)


PREFACE

The trend of services sharing user data is the general direction of information technology, and as a result a user has to manage many accounts and passwords for the services they use. This carries real risk, because the user must remember many different credentials. Moreover, IT applications and services keep growing in number and variety, so single sign-on for these applications and services has become indispensable. Single sign-on has been researched and developed by many organizations and companies around the world, but in Vietnam it is still a fairly new field. For that reason I wanted to study and experiment with a single sign-on system, and I hope the results make a small contribution to scientific development. Objective: understand the single sign-on mechanism and study the SSO technique by implementing single sign-on based on the phpCAS library.
Sincere thanks!


CHAPTER I: INTRODUCTION TO THE SINGLE SIGN-ON (SSO) MECHANISM

1.1. Overview of SSO. [1]
SSO is an authentication mechanism in which the user logs in only once, with a single account and password, and can then access many applications within one session.

Figure 1.1: What is single sign-on?

1.2. Benefits of SSO.
Before single sign-on, a user had to enter an account and password for each application, every time they moved between applications or systems within the same session. This clearly wastes time, especially in a business environment where time is money: employees must log in every time they open a new system from their computer.
SSO is usually implemented as a separate software authentication module that acts as the gateway to every application that requires a login. The module authenticates the user and then manages access to the other applications; it acts as the common store for all the login information those applications require.
Example: Google's system, where a user logs in once and can then use services such as Gmail, Google Plus and YouTube without logging in again (Yahoo offers the same across its own services).
While SSO is very convenient, some regard it as a security problem in its own right: if the SSO system is compromised, an attacker gains unrestricted access to every application that authenticates through the SSO module. SSO is therefore usually a large project that needs careful planning before implementation.

1.3. Common issues when deploying SSO.
- Does using SSO improve security?
Single sign-on is a double-edged sword. SSO by itself does not really improve security and, if deployed incorrectly, can in fact reduce it; it is used mainly for user convenience.
As company systems multiply, each demanding its own password, SSO relieves users of logging into each system separately. But if the SSO is compromised, it gives the attacker access to every system behind it. On balance, SSO brings more benefit than risk.
So although SSO is not a security cure-all in itself, it can contribute positively to an enterprise information security programme. Specifically:
SSO systems are usually built on complex management applications such as IBM Tivoli (http://en.wikipedia.org/wiki/IBM_Tivoli_Directory_Server), or on hardware appliances from Imprivata Inc (a well-known SSO vendor, http://www.imprivata.com). As a result, an SSO system can centralize authentication on dedicated servers that host the SSO modules. These servers act as the SSO gatekeeper: every authentication passes first through the SSO server, which then uses the stored credentials to authenticate to the individual applications registered with it. Such a system demands specific and detailed planning and auditing to block malicious access, more than systems without SSO do (in other words, with suitable investment in hardware it raises security).
In addition, an SSO system usually stores credentials and encryption keys more securely, which makes it a harder target for an attacker. It sits deep inside the company's IT architecture, normally hidden behind several firewalls, and that makes the SSO itself safer.
- What should be considered before deploying SSO?
Single sign-on may be the solution for your situation, but everything depends on the circumstances of the deployment, in particular the security requirements and the budget. SSO has advantages and risks.
The two main advantages:
- Convenience: the user logs in once to use many applications.
- Security: because there is only one login, SSO can remove the risks inherent in remembering many usernames and passwords.
The two main risks:
- Security: if an intruder compromises a user's account or password, the intruder gains broad and easy access to many applications.
- Cost: deploying SSO can be expensive, both in purchase cost and in the staff needed to roll it out.
Two-factor SSO is best, where access is granted based on a combination of what the user knows (a password or PIN)
1.4. Current SSO solutions. [2]
Below are the SSO solutions currently available.
Table 1.1: List of SSO solutions.

Product name | Developer | License | Platform | Description
-------------|-----------|---------|----------|------------
Accounts & SSO | Nokia, Intel | Free | | Client-side implementation with plugins for various services/protocols
Novell Access Manager | NetIQ | Commercial | | webSSO to browser based applications with rules, policies and methods to be complied to access-event
Active Directory Federation Services | Microsoft | Commercial | | Claims-based system and application federation
Athens access and identity management | Eduserv UK | Commercial | |
CAS / Central Authentication Service | Jasig | Open source | Yes | Protocol and SSO server/client implementation
CoSign single sign on | University of Michigan | Own organization | | SSO for Michigan University
Distributed Access Control System (DACS) | Distributed Systems Software | Free | |
Enterprise Sign On Engine | Queensland University of Technology | Free | |
Facebook connect | Facebook | | | Facebook specific SSO to third parties enabled by Facebook
Forefront Identity Manager | Microsoft | Commercial | Yes | State-based identity lifecycle management
FreeIPA | Red Hat | Free | |
HP IceWall SSO | Hewlett-Packard Development Company, L.P. | Commercial | | Web and Federated Single Sign-On Solution
LTPA | IBM | Commercial | |
IBM Tivoli Identity Manager | IBM | Commercial | Yes | Identity life-cycle management product
Janrain Federate SSO | Janrain | Commercial | | Social and conventional user SSO
JBoss SSO | Red Hat | Free | | Federated Single Sign-on
JOSSO | JOSSO | Free | Yes | Open Source Single Sign-On Server
Kerberos | M.I.T. | Protocol | | Computer network authentication protocol
Microsoft account | Microsoft | Free and commercial (Microsoft now pays to attract new websites to use the system) | | Microsoft single sign-on web service
myOneLogin | VMware | Commercial | | Cloud single sign-on
Numina Application Framework | Numina Solutions | Commercial | Yes | Single sign-on system for Windows (OpenID RP & OP, SAML IdP, and proprietary)
OneLogin | OneLogin Inc. | Commercial and free | Yes | Cloud-based identity and access management with single sign-on (SSO) and active directory integration
Okta | Okta, Inc. | Commercial | | On-demand identity and access management service in the cloud
OpenAM | ForgeRock | Free | Yes, used in conjunction with OpenDJ and OpenIDM | Access management, entitlements and federation server platform
Persona | Mozilla | Free | | Protocol
Pubcookie | University of Washington | | |
SecureLogin | NetIQ | Commercial | | Enterprise Single-Sign-On
SAML | OASIS | Protocol | | XML-based open standard protocol
Shibboleth | Shibboleth | Free | | SAML-based open source access control
Ubuntu Single Sign On | Canonical Ltd. | Commercial and free | | OpenID-based SSO for Launchpad and Ubuntu services
ZXID | ZXID | Free | Yes | Reference Implementation of TAS3 security

CHAPTER II: THE OPEN-SOURCE CENTRAL AUTHENTICATION SERVICE

2.1. Introduction to open-source software. [3]
What is open-source software?
Open source software is software that is written and made available freely. Users of open-source software may not only use the program but may also download its source code and modify, improve and extend it for the needs of their own work.
Software released under a license that allows anyone to use it in any form, that is, to access, modify, copy and distribute different versions of its source code, is called open-source software. In general the term "open source" is also used to attract businesses: a main selling point is that it is free of charge and lets users "own the system".
The benefits of open source are the freedom to run the program for any purpose, the freedom to study how the program is built and adapt it to one's needs (which requires access to the source code), the freedom to redistribute copies to others, and the freedom to improve the program and release the improvements for the public good.

2.2. Central Authentication Service. [4]
2.2.1. CAS overview.
CAS is a single sign-on (SSO) protocol for the web, developed at Yale University. Its purpose is to let a user access multiple applications while providing their credentials (for example a username and password) only once. It also lets web applications authenticate users without ever handling the user's secrets, such as the password.
CAS has client libraries in many languages, such as PHP, .NET, Java and Ruby.
The CAS protocol involves at least three parties: the client's web browser, the web application requesting authentication, and the CAS server. It may also involve a back-end service, such as a database server, which has no HTTP interface of its own but communicates with a web application.
When the client visits an application that wants to authenticate it, the application redirects it to CAS. CAS checks the client's identity, usually by verifying the username and password against a database (such as MySQL/PostgreSQL). If authentication succeeds, CAS sends the client back to the application together with a service ticket (ST). The application then validates that ticket by contacting CAS over a secure connection, presenting its own service identifier and the ticket; CAS replies with trusted information about whether the user authenticated successfully. The application therefore never sees the password, only a ticket that it must have CAS confirm before trusting it.
Alternatively, the user can authenticate directly at the CAS login page; once past CAS authentication, the user can use any service registered for SSO.
CAS allows multi-tier authentication through proxying. A cooperating back-end service, such as a database or a mail server, can take part in CAS and confirm the user's authenticity through information received from the web application. Thus a webmail front end and an online mail server can both implement CAS.
CAS also offers a "Remember Me" feature. Developers configure it in the various configuration files; when the user ticks "Remember Me" on the login form, the login is remembered for a configurable period (3 months by default), and the next time the user opens the browser CAS redirects automatically to the service URL the user wants without showing the login form.

2.2.2. History. [5]
CAS was conceived and developed by Shawn Bayern of Yale University Technology and Planning, and was later maintained by Drew Mazurek at Yale. CAS 1.0 implemented single sign-on; CAS 2.0 introduced multi-tier proxy authentication. Several further CAS releases have added new features.
In December 2004 CAS became a project of the Java Architectures Special Interest Group (JA-SIG), which has been responsible for its maintenance and development since 2008. Formerly known as "Yale CAS", it is now also called "Jasig CAS".
In December 2006 the Andrew W. Mellon Foundation awarded Yale its first annual Mellon Award for Technology Collaboration, in the amount of $50,000, for Yale's development of CAS. At the time of the award CAS was in use at "hundreds of university campuses (among other beneficiaries)".
Today many well-known universities around the world rely on the single sign-on system that originated at Yale; the list of deployments is at http://www.jasig.org/cas/deployments


2.2.3. CAS versions.

CAS 1.0
- Created by Yale University, starting in 1999.
- An easy-to-use SSO.

CAS 2.0
- Also created by Yale University.
- Introduced a new feature: Proxy Authentication.

JA-SIG CAS 3.0
- Became a JA-SIG project in 2004.
- Aims to be more flexible and to integrate with more systems.

2.2.4. CAS Protocol.

CAS is an HTTP/HTTPS-based protocol that requires each of its components to be reachable through specific URIs.

2.2.4.1. /login
Roles
- Credential requestor.
- Credential acceptor.

Parameters
The following HTTP request parameters may be passed to /login while it is acting as a credential requestor. They are all case-sensitive, and all of them must be handled by /login.
- service [optional]: the identifier of the application the client is trying to access. In most cases this is the URL of the application. Note that, as an HTTP request parameter, this URL value must be URL-encoded. If service is not specified and no SSO session exists yet, CAS should request credentials from the user in order to begin an SSO session. If service is not specified and an SSO session already exists, CAS should display a message telling the client that it is already logged in.
- renew [optional]: if this parameter is set, single sign-on is bypassed. CAS then requires the client to present its credentials regardless of whether an SSO session with CAS exists. This parameter is not compatible with the gateway parameter: services redirecting to /login and login forms posted to /login should not set both renew and gateway in one URL, and the behaviour is undefined if both are set. It is recommended that CAS implementations ignore gateway when renew is set, and that when renew is set its value be "true".
- gateway [optional]: if this parameter is set, CAS will not ask the client for credentials. If the client already has an SSO session with CAS, or if an SSO session can be established non-interactively (i.e. trust authentication), CAS may redirect the client to the URL given by the service parameter with a valid service ticket appended (CAS may also show an advisory page telling the client that authentication has taken place). If the client has no SSO session with CAS and non-interactive authentication cannot be established, CAS must redirect the client to the URL given by service with no ticket parameter appended. If service is not specified and gateway is set, the behaviour of CAS is undefined. This parameter cannot be combined with renew on one URL; the behaviour is undefined if both are set. When gateway is set its value should be "true".

Response
- Successful login: redirect the client to the URL given by the service parameter in a way that will not cause the client's credentials to be forwarded to the service. This redirect must result in the client issuing a GET request to the service, and that request must include a valid service ticket passed as the HTTP request parameter "ticket". See Appendix B for more information. If service was not specified, CAS must display a page telling the client that it has successfully started a single sign-on session.
- Failed login: return to /login as a credential requestor. It is recommended that the CAS server display an error message telling the user why the login failed (e.g. wrong password, locked account) and, where appropriate, give the user the chance to try again.

Examples of /login parameters

Simple login:
https://server/cas/login?service=http://www.service.com

Do not prompt for username and password:
https://server/cas/login?service=http://www.service.com&gateway=true

Always prompt for username and password:
https://server/cas/login?service=http://www.service.com&renew=true

2.2.4.2. /logout
Destroys the client's single sign-on session. The ticket-granting cookie (TGC) is destroyed, and subsequent requests to /login will not obtain service tickets until the user establishes a new SSO session.
Parameters
- url [optional]: if specified, the url is displayed on the logout page together with the logout message.
2.2.4.3. /validate [CAS 1.0]
Checks the validity of a service ticket. /validate must respond with a ticket validation failure when a proxy ticket is passed to it.
Parameters
The following parameters may be specified to /validate:
- service [required]: the identifier of the service for which the ticket was issued.
- ticket [required]: the service ticket issued by /login.
- renew [optional]: if this parameter is set, ticket validation succeeds only if the service ticket was issued from the presentation of the user's primary credentials. It fails if the ticket was issued from a single sign-on session.

Response
/validate returns one of the following two responses.
Ticket validation successful:
yes<LF>
username<LF>

Ticket validation failed:
no<LF>
<LF>

Examples of /validate
A simple validation attempt:
https://server/cas/validate?service=http://www.service.com&ticket=ST-1856339aA5Yuvrxzpv8Tau1cYQ7

Ensure that the service ticket was issued from the presentation of primary credentials:
https://server/cas/validate?service=http://www.service.com&ticket=ST-1856339aA5Yuvrxzpv8Tau1cYQ7&renew=true

2.2.4.4. /serviceValidate [CAS 2.0]
/serviceValidate returns an XML-fragment response. On success the response contains the username and proxy-granting tickets; on failure it contains an error code and a corresponding message. The following error codes may be returned on failure:
- INVALID_REQUEST - a required parameter was not found in the request.
- INVALID_TICKET - the ticket provided was not valid, or the ticket did not come from an initial login and renew was set on validation.
- INVALID_SERVICE - the ticket provided was valid, but the service specified did not match the service associated with the ticket.
- INTERNAL_ERROR - an internal error occurred during ticket validation.
Response
/serviceValidate returns an XML-formatted CAS response as described in the XML schema. Example:
On ticket validation success:
<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
<cas:authenticationSuccess>
<cas:user>username</cas:user>
<cas:proxyGrantingTicket>PGTIOU-84678-8a9d...
</cas:proxyGrantingTicket>
</cas:authenticationSuccess>
</cas:serviceResponse>

2.2.4.5. /proxy callback.
If a service wishes to proxy a client's authentication to a back-end service, it must acquire a proxy-granting ticket (PGT). Acquisition of the PGT is handled through a callback URL. This URL uniquely and securely identifies the back-end service that is proxying the client's authentication. The back-end service can then decide whether or not to accept the credentials based on the back-end service identified by the callback URL.
It works as follows:
The service requesting a PGT specifies, upon initial ST or PT validation, the HTTP request parameter pgtUrl to /serviceValidate (or /proxyValidate). This is a callback URL of the service to which CAS connects to verify the service's identity. This URL must be HTTPS, and CAS must verify both that the SSL certificate is valid and that its name matches that of the service. If the certificate fails validation, no PGT is issued, and the CAS service response must not contain a <proxyGrantingTicket> block.
On ticket validation success:
<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
<cas:authenticationSuccess>
<cas:user>username</cas:user>
<cas:proxyGrantingTicket>PGTIOU-84678-8a9d...
</cas:proxyGrantingTicket>
</cas:authenticationSuccess>
</cas:serviceResponse>

On ticket validation failure:
<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
<cas:authenticationFailure code="INVALID_TICKET">
Ticket ST-1856339-aA5Yuvrxzpv8Tau1cYQ7 not recognized
</cas:authenticationFailure>
</cas:serviceResponse>

At this point the issuance of a PGT stops, but ST validation continues, returning success or failure as appropriate. If certificate validation succeeds, issuance of a PGT proceeds as in step 2.
CAS uses an HTTP GET request passing the HTTP parameters pgtId and pgtIou to the pgtUrl.
If the HTTP GET returns an HTTP status code of 200 (OK), CAS must respond to the /serviceValidate (or /proxyValidate) request with a service response containing the PGT IOU within the <cas:proxyGrantingTicket> block. If the HTTP GET returns any other status code, except HTTP 3xx redirects, CAS must respond to the /serviceValidate (or /proxyValidate) request with a service response that does not contain a <cas:proxyGrantingTicket> block. CAS may follow any HTTP redirects issued by the pgtUrl. However, the identifying callback URL provided upon validation in the <proxy> block must be the same URL that was originally passed to /serviceValidate (or /proxyValidate) as the pgtUrl parameter.
The service, having received a PGTIOU in the CAS response, and both a PGT and a PGTIOU from the proxy callback, uses the PGTIOU to correlate the PGT with the validation response. The service then uses the PGT to obtain PTs as described in the Proxy Tickets section.
A PGT is a random string used by a service to obtain PTs for accessing a back-end service on behalf of a client. A PGT may be used by a service to obtain multiple PTs. PGTs are not one-time-use tickets. A PGT must expire when the client whose authentication is being proxied logs out of CAS.
A PGT should begin with the characters "PGT-".
URL examples of /serviceValidate
Simple validation attempt:
https://server/cas/serviceValidate?service=http://www.service.com&ticket=ST1856339-aA5Yuvrxzpv8Tau1cYQ7
Ensure the ST was issued from the presentation of primary credentials:
https://server/cas/serviceValidate?service=http://www.service.com&ticket=ST1856339-aA5Yuvrxzpv8Tau1cYQ7&renew=true
Pass a callback URL for proxying:
https://server/cas/serviceValidate?service=http://www.service.com&ticket=ST1856339-aA5Yuvrxzpv8Tau1cYQ7&pgtUrl=https://my-server/myProxyCallback

2.2.4.6. /proxyValidate [CAS 2.0].
Works the same as /serviceValidate except that it also validates proxy tickets. Parameters and error codes are the same. On success, the response contains the PGT and the list of proxies through which authentication has proceeded. The most recently visited proxy is listed first, and so on in reverse order.
Example
On ticket validation success:
<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
<cas:authenticationSuccess>
<cas:user>username</cas:user>
<cas:proxyGrantingTicket>PGTIOU-84678-8a9d...</cas:proxyGrantingTicket>
<cas:proxies>
<cas:proxy>https://proxy2/pgtUrl</cas:proxy>
<cas:proxy>https://proxy1/pgtUrl</cas:proxy>
</cas:proxies>
</cas:authenticationSuccess>
</cas:serviceResponse>

On ticket validation failure:
<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
<cas:authenticationFailure code="INVALID_TICKET">
ticket PT-1856376-1HMgO86Z2ZKeByc5XdYD not recognized
</cas:authenticationFailure>
</cas:serviceResponse>

URL examples of /proxyValidate
Same as /serviceValidate.
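The following is an added example, not code from the thesis, phpCAS or RubyCAS-server. It shows the client side of sections 2.2.4.4 to 2.2.4.6: parsing the CAS 2.0 XML response of /serviceValidate and /proxyValidate (success with user, PGTIOU and proxy chain; failure with code and message), and correlating the PGTIOU in the response with the PGT that CAS delivered earlier to the service's pgtUrl callback. The ticket values, the response samples and the ProxyCallbackStore class are constructed for this example; only the XML shape and namespace come from the protocol description above.

```ruby
require "rexml/document"

# Added example (not from the thesis, phpCAS or RubyCAS-server): parsing
# the CAS 2.0 XML response of /serviceValidate and /proxyValidate, and
# correlating the PGTIOU it carries with the PGT that CAS delivered earlier
# to the service's pgtUrl callback. Ticket values below are constructed.

CAS_NS = "http://www.yale.edu/tp/cas"

# Outcome of a validation: user/pgt_iou/proxies on success, code/message on failure.
ValidationResult = Struct.new(:success, :user, :pgt_iou, :proxies, :code, :message)

# Find a direct child by local name, requiring it to be in the CAS namespace.
def cas_child(element, local_name)
  element.elements.to_a.find { |c| c.name == local_name && c.namespace == CAS_NS }
end

def parse_cas2_response(xml)
  root = REXML::Document.new(xml).root
  unless root && root.name == "serviceResponse" && root.namespace == CAS_NS
    return ValidationResult.new(false, nil, nil, [], "INVALID_RESPONSE", "not a cas:serviceResponse")
  end
  if (ok = cas_child(root, "authenticationSuccess"))
    user_el = cas_child(ok, "user")
    user = user_el ? user_el.text.to_s.strip : ""
    # A success block without a user name is malformed: never log anyone in on it.
    if user.empty?
      return ValidationResult.new(false, nil, nil, [], "INVALID_RESPONSE", "authenticationSuccess without cas:user")
    end
    iou_el = cas_child(ok, "proxyGrantingTicket")
    iou = iou_el ? iou_el.text.to_s.strip : nil
    proxies_el = cas_child(ok, "proxies")
    proxies = proxies_el ? proxies_el.elements.to_a.select { |p| p.name == "proxy" }.map { |p| p.text.to_s.strip } : []
    ValidationResult.new(true, user, iou, proxies, nil, nil)
  elsif (failure = cas_child(root, "authenticationFailure"))
    ValidationResult.new(false, nil, nil, [], failure.attributes["code"], failure.text.to_s.strip)
  else
    ValidationResult.new(false, nil, nil, [], "INVALID_RESPONSE", "neither success nor failure block present")
  end
end

# Store for PGTs received on the proxy callback URL (pgtIou => pgtId).
# CAS issues GET pgtUrl?pgtIou=...&pgtId=... and expects HTTP 200 in reply.
class ProxyCallbackStore
  def initialize
    @pgts = {}
  end

  # Called by the pgtUrl handler; returns the HTTP status code to answer with.
  def receive(pgt_iou, pgt_id)
    return 400 if pgt_iou.nil? || pgt_id.nil?
    return 400 unless pgt_iou.start_with?("PGTIOU-") && pgt_id.start_with?("PGT-")
    @pgts[pgt_iou] = pgt_id
    200
  end

  # Correlate a validation result with the callback; the IOU is consumed,
  # so the same response cannot be redeemed twice.
  def redeem(result)
    return nil unless result.success && result.pgt_iou
    @pgts.delete(result.pgt_iou)
  end
end

# Constructed sample responses in the shape shown in the text above.
SAMPLE_PROXY_SUCCESS = <<~XML
  <cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
    <cas:authenticationSuccess>
      <cas:user>username</cas:user>
      <cas:proxyGrantingTicket>PGTIOU-EXAMPLE-1</cas:proxyGrantingTicket>
      <cas:proxies>
        <cas:proxy>https://proxy2/pgtUrl</cas:proxy>
        <cas:proxy>https://proxy1/pgtUrl</cas:proxy>
      </cas:proxies>
    </cas:authenticationSuccess>
  </cas:serviceResponse>
XML

SAMPLE_FAILURE = <<~XML
  <cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
    <cas:authenticationFailure code="INVALID_TICKET">
      ticket PT-1856376-1HMgO86Z2ZKeByc5XdYD not recognized
    </cas:authenticationFailure>
  </cas:serviceResponse>
XML
```

The parser checks the namespace of every element it reads and refuses a success block that has no user element, so a malformed or truncated response is treated as a failure rather than as an authenticated user; the callback store only accepts values with the documented prefixes and deletes the IOU on redemption.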
2.2.4.7. /proxy [CAS 2.0]
Provides PTs to services that have acquired a PGT and will be proxying authentication to back-end services.
Parameters
The two required parameters are:
- pgt [required] - the proxy-granting ticket acquired by the service during service ticket or proxy ticket validation.
- targetService [required] - the service identifier of the back-end service. Note that not all back-end services are web services, so this service identifier is not always a URL. However, the service identifier specified here must match the service parameter specified to /proxyValidate upon validation of the proxy ticket.
Response
/proxy returns an XML-formatted CAS response as described in the XML schema in Appendix A. Below is an example of the response:
On request success:
<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
<cas:proxySuccess>
<cas:proxyTicket>PT-1856392-b98xZrQN4p90ASrw96c8</cas:proxyTicket>
</cas:proxySuccess>
</cas:serviceResponse>

On request failure:
<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
<cas:proxyFailure code="INVALID_REQUEST">
'pgt' and 'targetService' parameters are both required
</cas:proxyFailure>
</cas:serviceResponse>

Error codes
The following values may be used as the "code" attribute of failure responses. This is the minimum set of error codes that all CAS servers must implement.
- INVALID_REQUEST - not all of the required request parameters were present.
- BAD_PGT - the PGT provided was invalid.
- INTERNAL_ERROR - an internal error occurred during ticket validation.
For all error codes, it is recommended that CAS provide more detailed information in the body of the <cas:authenticationFailure> block of the XML response.
URL example of /proxy
Simple proxy request:
https://server/cas/proxy?targetService=http://www.service.com&pgt=PGT490649-W81Y9Sa2vTM7hda7xNTkezTbVge4CUsybAr

2.2.5. Summary.
Table 2.1: Summary of URIs (URI - Description).
/login - Responds to credentials by acting as a credential acceptor and otherwise acts as a credential requestor. If the client has established an SSO (single sign-on) session with CAS, the web browser sends CAS a secure cookie containing a string identifying a TGT (ticket-granting ticket). This cookie is called the TGC (ticket-granting cookie). If the TGC key is valid for the TGT, CAS may issue a ST (service ticket) provided all the other conditions in this specification are met.
/logout - Destroys the SSO session on the client. The TGC is destroyed, and subsequent requests to /login will not obtain a ST until the user establishes a new SSO session.
/validate - Checks the validity of a service ticket. /validate is part of the CAS 1.0 protocol and therefore does not handle proxy authentication.
/serviceValidate - Checks the validity of a ST and returns an XML fragment.
/proxyValidate - Performs the same tasks as /serviceValidate and additionally validates PTs (proxy tickets).
/proxy - Provides PTs to services that have acquired a PGT and will be proxying authentication to back-end services.
/samlValidate
/services/add.html - An administrative function. Adds a service to the list of registered services.
/services/edit.html - An administrative function. Edits a registered service.
/services/manage.html - Provides an interface for managing registered services (add / edit / delete services).
/services/logout.html - Logs out of the administration pages.
/services/loggedOut.html - Logged out of the administration pages from the services page.
/services/deleteRegisteredService.html - Deletes a service's parameters by ID.
/openid/* - Requests mapping usernames to a page showing the Login URL for OpenID providers.

2.2.6. CAS Entities.
Ticket-granting ticket (TGT):
A TGT is created when the /login URL is passed the CAS service and the supplied credentials are authenticated successfully. A TGT is the primary entry point to the CAS service layer; without a TGT a CAS user can do nothing. A TGT is a random string with the prefix TGT-. The TGT is added to an HTTP cookie when the SSO session is established, and whenever the user visits another application this cookie provides the auto-login mechanism for the user.
Ticket Granting Cookie (TGC):
The TGC is an HTTP cookie set by CAS when the SSO session is initiated. This cookie maintains the login state of the client, and when the client navigates to another application the cookie is checked to auto-login this user. The TGC is destroyed when the client closes the browser, and also when the client clicks /logout. The value of the TGC should begin with TGC-.
Service Ticket (ST):
A ST is created when the CAS URL includes the service parameter and the credentials passed are authenticated successfully.
Example: https://server/cas/login?service=http://www.service.com
The service passed in the URL must be a service registered through the CAS service management; otherwise an unauthorized-service error is thrown. A ST is a random string used by the client as a credential to access a service. A ST must begin with ST-.
Example: ticket=ST-1856339-aA5Yuvrxzpv8Tau1cYQ7
When the ST is generated, the service identifier (usually the service URL) is not part of the ST.
Proxy Ticket (PT):
A brief description of a proxy: a proxy acts like a server, but when it receives a request from a client it in turn acts as a client towards the real server (it communicates with the server on behalf of the client). An HTTP proxy does not forward the requests sent through it unchanged. Instead, it first checks whether the requested page is in its cache; if so, it returns that page without sending another request to the target server. Because proxies completely terminate the communication channel, they are considered a safer firewall technology than packet filters, and they increase the isolation between networks considerably.
In CAS, a proxy is a service that wants to access other services on behalf of a particular user. A PT is created by CAS upon a service's presentation of a valid PGT and a service identifier (the value of the service parameter of the /proxy URL) for the back-end service it is connecting to.
A PT is a random string that a service uses as a credential to obtain access to a back-end service on behalf of a client. PTs are valid only for the service identifier specified to /proxy when they were generated. PTs should begin with the characters PT-.
Proxy-granting Ticket (PGT):
A PGT is obtained from CAS upon validation of a ST or a PT. If a service wishes to proxy a client's authentication to a back-end service, it must acquire a PGT. Acquisition of the PGT is handled through a proxy callback URL. This URL uniquely and securely identifies the back-end service that is proxying the client's authentication. The back-end service can then decide whether or not to accept the credentials based on the identifying callback URL.
Proxy-Granting Ticket IOU (PGTIOU):
A PGTIOU is a random string with the prefix PGTIOU- that is placed in the response provided by /serviceValidate and /proxyValidate and used to correlate a ST or PT validation with a particular PGT. A full description of this process is given in the PGT section.
The process, described briefly and completely in the PGT section: a request for a PGT is sent through the /serviceValidate or /proxyValidate URI. The CAS server cannot return the PGT directly in its response, because it is not sure of the requestor's identity. If the requestor's identity is correct, CAS says "IOU" (I Owe You) a PGT and sends a PGTIOU. The requestor, having received a PGTIOU in the CAS response, and a PGT and a PGTIOU from the proxy callback given as the value of the pgtUrl parameter when the request was sent, uses the PGTIOU to correlate the PGT with the validation response. The requestor then uses the PGT to obtain PTs, provided the requestor's identity was correct.
Ticket granting ticket IOU (TGTIOU):
Upon a ticket validation, a service may request a PT. In CAS 2, the way we verify that the requesting service is entitled to it is to send the PGT and PGTIOU to a proxy callback URL specified as a request parameter. This proxy callback URL must be on a secure channel; we verify its certificate, and the ability to receive this callback confirms it. We then return the TGTIOU in the ticket validation response. From the response the service extracts the TGTIOU and uses it to look up the TGT from where it was stored.
Login Ticket (LT):
A LT is a string generated by /login as a credential requestor and passed to /login as a credential acceptor for username/password authentication. Its purpose is to prevent the replaying of credentials due to bugs in web browsers. LTs issued by /login must be unique and should begin with the characters LT-.
All CAS tickets and the value of the TGC must contain adequate secure random data so that a ticket cannot be guessed in a reasonable period of time through brute-force attacks [http://vi.wikipedia.org/wiki/Brute_force], and must contain only characters from the set {A-Z, a-z, 0-9, and the special character '-'}. Ticket-granting tickets, service tickets, proxy tickets and login tickets must be valid for only one authentication attempt. Whether or not authentication succeeds, CAS must then invalidate these tickets, so that all future authentication attempts with that particular ticket fail. CAS expires service tickets a reasonable period of time (at most 5 minutes) after they are issued. If a service presents an expired service ticket for validation, CAS must respond with a validation failure response.
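The following is an added example, not code from the thesis or from RubyCAS-server. It turns the ticket rules stated above into a small service-ticket registry: tickets are generated from a secure random source, carry the ST- prefix, use only the {A-Z, a-z, 0-9, -} alphabet, are bound to one service, are valid for exactly one validation attempt (they are deleted whether validation succeeds or fails), honour the renew parameter, and expire after at most 5 minutes. The class and symbol names are this example's own; the clock is injected so that expiry can be exercised without waiting.

```ruby
require "securerandom"

# Added example (not from the thesis or RubyCAS-server): a service-ticket
# registry applying the rules from the CAS entities section. Names such as
# ServiceTicketRegistry and the :expired/:service_mismatch reasons are
# this example's own choices.

ST_MAX_AGE = 300            # seconds; the "at most 5 minutes" lifetime
TICKET_CHARS = /\A[A-Za-z0-9-]+\z/

class ServiceTicketRegistry
  Entry = Struct.new(:service, :username, :issued_at, :primary)

  def initialize
    @tickets = {}
  end

  # Issue a ticket for +service+ on behalf of +username+. +primary+ is true
  # when the user has just presented credentials and false when the ticket
  # is derived from an existing SSO session (this is what renew checks).
  def issue(service, username, primary:, now: Time.now)
    # urlsafe_base64 yields A-Z a-z 0-9 - _ ; map '_' to '-' to stay in the
    # alphabet the protocol allows. 24 random bytes = 192 bits of entropy.
    body = SecureRandom.urlsafe_base64(24).tr("_", "-")
    ticket = "ST-#{body}"
    @tickets[ticket] = Entry.new(service, username, now, primary)
    ticket
  end

  # Validate as /validate would. Returns [true, username] or [false, reason].
  # The ticket is removed first, so it can never be validated twice,
  # regardless of which check fails afterwards.
  def validate(ticket, service, renew: false, now: Time.now)
    entry = @tickets.delete(ticket)
    return [false, :unknown_ticket] unless entry
    return [false, :expired] if now - entry.issued_at > ST_MAX_AGE
    return [false, :service_mismatch] unless entry.service == service
    return [false, :not_primary] if renew && !entry.primary
    [true, entry.username]
  end
end

# Syntactic check a client can apply before sending a ticket for validation.
def well_formed_ticket?(ticket)
  ticket.start_with?("ST-") && ticket.match?(TICKET_CHARS)
end
```

Deleting the entry before any other check is the point of the design: a ticket presented to the wrong service, or after expiry, is gone afterwards, so an attacker who obtains it cannot retry it against the correct service within the window.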
2.2.7. Operating principle
2.2.7.1. Authenticating the user with the CAS server.
The user enters username and password into the login form. The credentials are sent to the CAS server over HTTPS or HTTP (depending on how the user has set it up).
On successful authentication, a TGC is generated and added to the browser as a cookie. This TGC is used for SSO with all applications.
Accessing an application.
The user accesses an application after having authenticated with the CAS server:
- The user accesses the application through the browser.
- The application takes the TGC from the browser and passes it to the CAS server over HTTPS/HTTP.
- If the TGC is valid, the CAS server returns a ST to the browser, and the browser passes the ST it just received to the application.
- The application takes the ST received from the browser and passes it on to CAS.
- CAS returns the user's ID to the application, informing the application that this user has been authenticated by CAS.
- The application logs the user in and begins serving the user.
Figure 2.1: User accessing an application after authenticating with CAS.
The user accesses an application before authenticating with CAS:
- The user accesses the application; no TGC has been received, so the application redirects the user to CAS.
- The user supplies username/password in the login form for CAS to authenticate. The credentials are transmitted over HTTPS or HTTP.
- On successful authentication, CAS passes both the TGC and a ST to the browser.
- The browser keeps the TGC for accessing other applications and passes the ST to the application.
- The application passes the ST to CAS and receives the user's ID.
- The application logs the user in and begins serving.
Figure 2.2: User accessing an application before authenticating with the CAS server.
Below is a detailed description of the CAS authentication process.
The Central Authentication Service (CAS) is designed as a standalone web application. It is currently implemented as a number of Java servlets and runs over an HTTP/HTTPS server. It is accessed through the three URLs described below: the login URL, the validation URL, and the optional logout URL.
To use the Central Authentication Service (CAS), an application redirects its users, or simply creates a hyperlink, to the login URL. For example, Yale's CAS login URL is https://domain.com/cas/login. Users may also visit this URL directly if they wish to authenticate before their sessions begin.
The login URL handles the actual primary authentication. That is, it prompts the user for a username and a password and authenticates them against an authentication provider. In particular, CAS deployers plug in standard or custom PasswordHandlers to authenticate the username and password against any appropriate authentication mechanism.
To allow for later re-authentication, CAS also tries to send an in-memory cookie (one that expires when the browser is closed) back to the browser. This cookie, which we call the Ticket Granting Cookie, identifies the user as having logged in successfully. Note that this cookie is required in the CAS authentication mechanism. With it, the user gains the appearance of single sign-on (SSO) across multiple web applications: the user enters their username and password only once but gains access to any service that uses CAS. Without the cookie, the user would need to enter their username and password every time an application redirected them to CAS. (Users may instruct CAS to destroy this cookie by visiting the logout URL, for example https://domain.com/cas/logout.)
In addition to handling primary authentication, CAS also records the service from which the user was redirected or linked. It can do this because applications that redirect or link a user to the login URL are required to pass a service identifier to CAS. If authentication succeeds, CAS generates a long random number that we call a ticket. It then associates this ticket with the user who authenticated successfully and the service the user was attempting to authenticate for. That is, if user U came from service S, CAS generates ticket T allowing U to access service S. This ticket is designed as a one-time-use credential: it is useful only to user U, only for service S, and only once. It expires as soon as it is used.
After authentication completes, CAS redirects the user's browser back to the application from which the user came. It knows which URL to redirect the user to because the serviceID discussed above also functions as a callback URL. That is, the identifier an application must present on CAS's behalf is a URL that partially, or at least, corresponds to this application (meaning each application has its own URL). CAS redirects the user's browser back to this URL and appends the ticket discussed above (the Service Ticket) as a request parameter.
To make this concrete, consider the following example: suppose I want to authenticate users before they access http://localhost/en. When a user logs in using http://localhost/en, they are redirected to
https://localhost:8082/login?service=http://localhost/en/processing.php
Suppose processing.php is part of a PHP web application. This page is designed to expect a ticket string passed to it as a request parameter named ticket. The PHP page then simply needs to validate the ticket when it receives it, by passing it to the validation URL with the ticket parameter.
The PHP page must arrange a request to this URL and read the data at that URL. When constructing this request, the PHP page must also pass the serviceID that was used earlier when redirecting the user to the login URL. To do this, it uses the request parameter named service.
When CAS receives a ticket through the validation URL, it checks its internal database to determine whether the ticket exists, i.e. was recently issued. If it does, and the service associated with the ticket matches the service passed by the application requesting validation, it returns the username associated with the ticket to the requesting application. Otherwise it refuses to validate the request.
The protocol that the validation URL uses to return data to the requesting application is simple. CAS responds with two lines (in a text/plain HTTP response): the first line is "yes" or "no", according to whether the ticket presented by the application is valid; if the ticket is valid, the second line contains the login name of the ticket's owner, i.e. it identifies the successfully authenticated user. If the ticket is invalid, the second line is empty.
Below is an example.
/validate returns one of the following two answers:
Ticket validation success:
yes<LF>
username<LF>
Ticket validation failure:
no<LF>
<LF>
If the ticket is valid, CAS immediately discards it so that it cannot be used again. When the cycle is complete, a web application has verified the user's identity without ever having access to the user's password. Furthermore, for users who accept cookies, CAS can re-identify the user so that they need not enter their username and password again in the future (currently, for as long as the in-memory "ticket-granting cookie" remains active).
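The exchange just described, and the /validate reference in section 2.2.4.3, as an added example that is not part of the thesis and not phpCAS or RubyCAS-server code: the application builds the validation URL with the same service identifier it used for the login redirect, then parses the two-line text/plain answer. The CAS base URL, service and ticket values are constructed samples. The parser accepts only the two documented shapes, so an empty or truncated body is a failure, never a login.

```ruby
require "uri"

# Added example (not from the thesis, phpCAS or RubyCAS-server): the CAS 1.0
# /validate exchange seen from the application. Values below are constructed.

# Build the /validate URL for a service and service ticket. The service must
# be the same identifier that was passed to /login, or CAS refuses the ticket.
# renew: true asks CAS to accept only tickets issued from primary credentials.
def build_validate_url(cas_base, service, ticket, renew: false)
  params = { "service" => service, "ticket" => ticket }
  params["renew"] = "true" if renew
  "#{cas_base}/validate?#{URI.encode_www_form(params)}"
end

# Parse the CAS 1.0 response body.
#   success: "yes\nusername\n"      failure: "no\n\n"
# Returns [true, username] or [false, nil]. Anything other than a "yes"
# line followed by a non-empty user name is treated as a failure.
def parse_validate_response(body)
  lines = body.to_s.split("\n", -1)
  return [false, nil] unless lines.length >= 2
  if lines[0] == "yes" && !lines[1].empty?
    [true, lines[1]]
  else
    [false, nil]
  end
end

# Full round trip with a constructed server answer (no network involved):
def demo_validation(cas_base, service, ticket, server_body)
  url = build_validate_url(cas_base, service, ticket)
  ok, user = parse_validate_response(server_body)
  { url: url, authenticated: ok, user: user }
end
```

Note that the URL builder percent-encodes the service parameter: a service identifier containing '&' or '=' would otherwise be split into extra parameters by the server and would no longer match the identifier passed to /login.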
Besides the username that CAS returns to the client on successful authentication, the CAS system can also be customised to return further information to the client. This is called extra user attributes, and it is shown clearly in the experimental part of the system.
2.2.8. CAS architecture overview.
2.2.8.1. /login flow
Figure 2.3: Login flow
2.2.8.2. /proxy flow
Figure 2.4: Proxy flow.
2.2.8.3. /logout flow
Figure 2.5: Logout flow.


2.3. RubyCAS. [6]
RubyCAS-server is a full server-side implementation of JA-SIG's CAS protocol, providing a cross-domain SSO solution for web applications.
Overview
RubyCAS-Server gives you:
- A standalone login page where users can enter their credentials (e.g. username and password).
- A mechanism for validating user credentials against a variety of back-ends (a table in a SQL database, ActiveDirectory/LDAP, Google accounts, etc.).
- A back-end that client applications can connect to in order to check whether the current user is authenticated (if the user has authenticated with the CAS server they are allowed to proceed; otherwise they are redirected to the CAS server's login page for authentication).
- Open compatibility with many platforms (PHP frameworks, various Java frameworks, .NET, Zope, etc.).
- Multilingual localisation: RubyCAS-server automatically detects the user's preferred language and presents the appropriate interface.
RubyCAS-server is implemented using the Sinatra microframework and is designed for easy deployment either as a standalone server (via WEBrick or Mongrel) or under Apache (via Rack). It fully implements the CAS 2.0 protocol along with some unofficial extensions currently in use in the reference client applications for JA-SIG CAS 3.x.
2.4. CAS Client.
2.4.1. Introduction to the language used to build the client-side website.
A. What is PHP?
PHP (recursive acronym for "PHP: Hypertext Preprocessor") is a scripting language, or a kind of code, used mainly to develop server-side applications; it is open source and general purpose. It is well suited to the web and can easily be embedded in HTML pages. Because it is optimised for web applications, fast, compact, has a syntax similar to C and Java, is easy to learn, and has a relatively short development time compared with other languages, PHP quickly became the most popular web programming language in the world.
The language, libraries and original documentation of PHP were built by the community, with a very large contribution from Zend Inc., the company founded by the core PHP developers to create a professional environment for taking PHP to enterprise scale.
2.5. The phpCAS library. [7]
2.5.1. phpCAS requirements.
Web server
- Any web server such as Apache, IIS or others will work.
cURL (7.5+)
- The cURL library must be enabled on the system and must be compiled with SSL support.
cURL is a useful PHP function. It lets us fetch, extract or read the content of another web page directly on our own server. The biggest advantage cURL brings is speed: it is much faster than the open-file functions, nearly three times as fast. cURL is like a multi-protocol communication tool that lets us view or download an address.
PHP >= 5.0 (PHP >= 4.2.2 for 1.1.x)
phpCAS users must have PHP compiled with the following options:
- --with-curl: cURL support, needed to access proxies.
- --with-openssl: SSL support, needed for fopen('https://...') to validate CAS tickets;
- --with-dom: DOM support, to read the XML responses of the CAS server (PHP4);
- --with-zlib: Zlib support, needed by DOM.
When used with the Horde Framework:
- --with-gettext: gettext support.
When used with Horde IMP:
- --with-imap: IMAP and POP support, needed when using IMP;
- --with-kerberos: Kerberos support, needed by IMAP.
When storing Horde user information in a MySQL database:
- --with-mysql: MySQL support.
Notes:
- PHP >= 4.3.0 is needed to get full login information (such as debug_backtrace()).
- On some systems (Fedora Core 2, for example), the php_domxml package is required.
SSL
If you plan to write a CAS proxy, you will need to secure your Apache server with OpenSSL. An HTTPS configuration is required to use a CAS proxy (the callback URL to which the CAS server transmits the PGTIou must be protected). To achieve this, edit the httpd.conf file and add lines such as:
SSLCertificateFile /etc/x509/cert.server.pem
SSLCertificateKeyFile /etc/x509/key.server.pem
SSLCertificateChainFile /etc/x509/cachain.pem
SSLCACertificateFile /etc/x509/cacert.pem
2.5.2. phpCAS examples.
The phpCAS library provides a simple API to authenticate users with a CAS server. phpCAS is configured using static API methods such as phpCAS::client() and phpCAS::setCasServerCACert(). Once phpCAS is configured, a call to phpCAS::forceAuthentication() performs the login process if the current user is not yet authenticated, redirecting to the CAS server's login page. After phpCAS::forceAuthentication() has been called, the current user's id can be accessed through phpCAS::getUser().

Figure 2.6: How phpCAS works.

2.5.3. phpCAS logout.
Logging out of phpCAS is done by calling one of the phpCAS methods phpCAS::logoutXxx(). Calling one of these methods performs the following actions:
- Destroys the current PHP session
- Redirects the browser to the CAS server
- Destroys the CAS session
The behaviour of the CAS server depends on:
- Which logout method was called
- How it is configured
phpCAS::logout()
After logout, CAS shows the logout page.
phpCAS::logoutWithRedirectService($service)
After logout, the CAS server redirects the browser to the given URL.
phpCAS::logoutWithUrl($url)
- Requires CAS server version > 3.3.5.
After logout, the CAS server shows a page with a link to the given URL.
phpCAS::logoutWithRedirectServiceAndUrl($service, $url)
- Requires CAS server version > 3.3.5.
If redirection is enabled, the CAS server redirects the browser to the supplied URL ($service) and the $url parameter is ignored. Otherwise, the CAS server shows a page with a link to the supplied URL.
phpCAS::logout($params)
The service and url parameters can also be passed together in an array:
Table 2.2: phpCAS parameter list (array form / shortcut).
- logout(array()) / logout()
- logout(array('service'=>'www.myservicesite.com')) / logoutWithRedirectService('www.myservicesite.com')
- logout(array('url'=>'www.myurlsite.com')) / logoutWithUrl('www.myurlsite.com')
- logout(array('service'=>'www.myservicesite.com', 'url'=>'www.myurlsite.com')) / logoutWithRedirectServiceAndUrl('www.myservicesite.com', 'www.myurlsite.com')

2.5.4. phpCAS troubleshooting.
To detect errors, enable the phpCAS debug log:
phpCAS::setDebug($filename);
This log file defaults to phpCAS.log, located in /tmp (Linux/Unix) or in your Windows temp directory. You can always specify a file as $filename. Also check the web server logs for any errors.
No Proxy-granting ticket IOU (PGTIOU) is transmitted when validating a ST or a PT
Probably the CAS server does not trust the application. The phpCAS application must be accessed through https, and its certificate must be trusted by the CAS server. (Add a keystore containing your application server's certificate and its validation chain to your CAS server.)
If you get notice messages, warnings saying that headers were already sent, and authentication fails:
Add the line below before the phpCAS methods are called:
error_reporting(E_ALL & ~E_NOTICE);
and add the line below to the php.ini file:
error_reporting=E_ALL & ~E_NOTICE
2.6. Security issues for SSO.
Today security is the top concern when deploying any system; it is the key to success. Deploying CAS is no exception. Below is some information I gathered while studying and deploying CAS.
On the CAS-server side.
As noted in Chapter I, deploying an SSO system is not simply a matter of installation, configuration and integration; there are many other issues to attend to. CAS itself is just an application; its role is to serve, so that it can achieve the best performance in serving client requests. CAS normally has some built-in security features of its own, but in a large deployment they are not used, because using them reduces serving performance and consumes many system resources.
So the question arises: how will it be protected against attacks such as DOS, DDOS, FLOOD...?
Answer: CAS is deployed in the inner layer of an organisation's IT architecture; it is wrapped and protected by firewalls and proxy servers. Blocking attacks from outside is the job of the protection system, which stops and handles them before they reach the CAS server. Therefore, when deciding to deploy SSO, cost and security issues must be calculated carefully.

Figure 2.7: Diagram of the position of CAS in the network.

On the CAS-client side.
Security for CAS must also be attended to on the client side. Do not think that as long as the CAS server is well protected it cannot be attacked. The client is the first place that receives requests; it is where the user works directly and from where requests are forwarded to the CAS server. Imagine that if the CAS client goes down, the CAS server no longer serves any purpose. Once again, deploying SSO is a matter that must be evaluated carefully before deployment.

CHAPTER III: EXPERIMENT.
3.1. System installation.
3.1.1. Prerequisites.
A. Minimum hardware requirements.
- Intel Xeon Quad Core Processor E3-1220 (8M Cache, 3.10 GHz)
- 2GB PC3-10600E UDIMMs DDR3
- Hard Drive: 140Gb.
- ServeRAID C100 for IBM System x supports RAID-0; -1
- Power Supply 350 W fixed
- IBM Prefer KYB USB US ENG 103P & IBM 3 Button Optical Mouse USB
B. Software requirements.
- RubyInstaller (version 1.9.3-p448) and Development Kit (version 324.5.2-20111229-1559) for Ruby installed.
- Git (version 1.8.4-preview20130916) installed.
- Bundle installed.
- pgAdmin III (version 1.18.1) installed.
3.1.2. Introduction.
3.1.2.1. RubyInstaller.
The RubyInstaller project provides a self-contained Windows-based installer that includes a Ruby language execution environment, a baseline set of required RubyGems, and extensions.
3.1.2.2. Development Kit.
The Ruby Development Kit is a toolkit for Ruby development. It includes many utility programs such as the ruby compiler, a debugger, a documentation generator, a data packager, etc.

3.1.2.3. Git.
Emulates a Linux environment on Windows.
3.1.2.4. Bundle.
Bundle manages versions; it downloads the required libraries declared in the config.yml file.
3.1.2.5. pgAdmin III.
Provides the PostgreSQL tool (version 9.31).
3.1.3. Installing the CAS-server.
Download RubyInstaller and the Development Kit at:
http://rubyinstaller.org/downloads/

Figure 3.1: Downloading RubyInstaller

Install RubyInstaller following the steps below.

Figure 3.2: Installing RubyInstaller, step 1.

Step 1: Select a language and press OK.

Figure 3.3: Installing RubyInstaller, step 2.

Step 2: Select "I accept the License" and press Next.

Figure 3.4: Installing RubyInstaller, step 3.

Step 3: Choose the installation directory for Ruby and tick "Add Ruby executables to your PATH". Press Install.

Figure 3.5: Installing RubyInstaller, step 4.

Step 4: Press Finish.
Now move on to installing the Development Kit.
Open the downloaded Development Kit; when the window appears, choose the directory into which to extract the whole contents of the Development Kit and press Extract.

Figure 3.6: Extracting the Development Kit

Step 5: Open cmd and follow the figure below.

Figure 3.7: Installing RubyInstaller, step 5.

Step 6: Install bundle. In the cmd.exe window, which is now positioned at C:\DevKit, type the command:
gem install bundle

Figure 3.8: Installing Bundle.

Wait for the installation to finish, then move on to the next step.
Step 7: Download the source code and extract it anywhere you like. Here I extracted it on drive C.
Download RubyCAS at: https://github.com/rubycas/rubycas-server

Figure 3.9: Downloading the RubyCAS source.

Figure 3.10: Deploying RubyCAS, step 1.

Step 8: Copy the file config.example.yml from config and paste it into the outer directory alongside index. Rename it to config.yml and open the config file with Notepad++.
Find lines 31, 32, 33:
server: webrick
o Vn Phong - CT1301

54

n tt nghip

Trng H Dn Lp Hi Phng

port: 443
ssl_cert: /path/to/your/ssl.pem

Sa thnh:
server: webrick
port: 8082
#: /path/to/your/ssl.pem

Vic sa nh vy gip tt SSL, ty vo mc ch s dng m bn cn nhc tt hay


khng. y ti tt i cho d x l.
Tm n dng 101:
database:
adapter: mysql
database: casserver
username: root
password:
host: localhost
reconnect: true

Sa thnh thng tin kt ni CSDL RubyCAS ly thng tin xc thc, nu


bn c ht hng dn trong file th bn s thy c rt nhiu kiu cho chng ta
chn. y ti dng postgresql nn ti s sa thnh:
database:
adapter: postgresql
database: cas
host: 127.0.0.1
port: 5432
username: cas
password: 123456
reconnect: true

Find line 202 and add the following after it:

authenticator:
  class: CASServer::Authenticators::SQLEncrypted
  database:
    adapter: postgresql
    database: cas
    host: 127.0.0.1
    port: 5432
    username: cas
    password: 123456
  user_table: users
  username_column: username
  password_column: password
  extra_attributes: username,permission,full_name,actived
  encrypt_function: 'require "digest/md5"; user.password == Digest::MD5.hexdigest("#{@password}")'

Where:
adapter: postgresql
database: the database name.
host: the database address.
port: the connection port.
username: the user allowed to access the database.
password: the password for accessing the database.
user_table: the table holding user information.
username_column: the name of the column holding the username.
password_column: the name of the column holding the password.
extra_attributes: additional attributes to return from the user table besides the username. As above, besides the username I also retrieve permission, full_name and actived.
encrypt_function: the password encryption (hashing) function.
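The following is an added example, not code from the thesis or from rubycas-server, that models how the encrypt_function string above is applied to a fetched user row. It assumes the SQLEncrypted authenticator evaluates the string with `user` bound to the row found by username and `@password` bound to the submitted password; the `salt` column in the second variant is an assumption as well.

```ruby
# Added example (not from the thesis or from rubycas-server): a model of how
# an encrypt_function string from config.yml is applied. Assumption: the
# SQLEncrypted authenticator evaluates the string with `user` bound to the row
# fetched by username and @password bound to the submitted password.
require "digest/md5"
require "digest/sha2"

# The exact encrypt_function string from the thesis configuration (unsalted MD5).
MD5_FUNCTION = 'require "digest/md5"; user.password == Digest::MD5.hexdigest("#{@password}")'

# Same mechanism with a per-user salt column (the `salt` column is assumed).
# Unsalted MD5 gives identical passwords identical hashes and is cheap to
# brute-force offline; a salt removes the first problem.
SALTED_FUNCTION = 'require "digest/sha2"; user.password == Digest::SHA256.hexdigest("#{user.salt}::#{@password}")'

# Constructed stand-in for the ActiveRecord row of the `users` table.
UserRow = Struct.new(:username, :password, :salt, :permission, :full_name, :actived)

# Constructed sample tables matching the thesis test account (phongdao / 123456).
MD5_USERS = {
  "phongdao" => UserRow.new("phongdao", Digest::MD5.hexdigest("123456"), nil, "1", "Dao Van Phong", "1"),
}
SALT = "c0nstructed-salt"
SALTED_USERS = {
  "phongdao" => UserRow.new("phongdao", Digest::SHA256.hexdigest("#{SALT}::123456"), SALT, "1", "Dao Van Phong", "1"),
}

# Evaluation context: exposes `user` as a method and @password as an instance
# variable, which is everything the configured expression refers to.
class EncryptFunctionContext
  attr_reader :user

  def initialize(user, password)
    @user = user
    @password = password
  end

  def check(expression)
    instance_eval(expression) ? true : false
  end
end

# Mirrors the authenticator: look the username up, then run the expression.
# Returns true only for a known user whose stored hash matches.
def authenticate(username, password, users, expression)
  user = users[username]
  return false if user.nil?
  EncryptFunctionContext.new(user, password).check(expression)
end

# The attributes listed under extra_attributes in config.yml are what the CAS
# server hands back to phpCAS after a successful check.
EXTRA_ATTRIBUTES = %w[username permission full_name actived].freeze

def extra_attributes_for(user)
  EXTRA_ATTRIBUTES.each_with_object({}) { |name, h| h[name] = user[name] }
end
```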
Find line 467 and replace:
log:
  file: /var/log/casserver.log
  level: INFO

with:
log:
  file: log/casserver.log
  level: INFO

The reason for this replacement is that the system was originally meant for Linux, so the path has to be changed for it to work on Windows. Save and close the file.
Step 8: Open the Gemfile and add the following at the very end:
# gem for postgresql
gem "activerecord-postgresql-adapter"

This adds the driver so that RubyCAS can connect to PostgreSQL. Drivers for other databases can be found at: http://rubygems.org/gems.
Save and close.
Step 9: Open pgAdmin III and create the database so that it matches what you configured in config.yml. Then add one record to the database.

Figure 3.11: Creating the user database for RubyCAS to authenticate against.

Figure 3.12: Creating the user database for RubyCAS to authenticate against (2).


Step 10: Open a new cmd.exe window and cd to the rubycas-server directory extracted earlier.

Figure 3.13: Deploying RubyCAS, step 2.


Step 11: Run the bundle command to download the libraries declared in rubycas-server.gemspec.

Figure 3.14: Deploying RubyCAS, step 3.


Step 12: After the required libraries have been downloaded, run:
bundle exec rubycas-server -c config.yml

Running this command completes the installation of RubyCAS-server.

Figure 3.15: Deploying RubyCAS, step 4.


Step 13: Go back to pgAdmin III and refresh the database to see the change.

Figure 3.16: Deploying RubyCAS, step 5.


Five more tables have appeared, which means RubyCAS-server connected to the database successfully.
Table 3.1: Columns of the casserver_lt table.

Column            Data type                      Description
Id                Serial                         Primary key of the table.
Ticket            Character varying (255)        Stores the LTs generated by CAS.
Create_on         Timestamp without time zone    Time the LT was created.
Consumed          Timestamp without time zone    Time it was consumed.
Client_hostname   Character varying (255)        Hostname of the client.

Table 3.2: Columns of the casserver_pgt table.

Column            Data type                      Description
Id                Serial                         Primary key of the table.
Ticket            Character varying (255)        Stores the PGTs generated by CAS.
Create_on         Timestamp without time zone    Time the PGT was created.
Client_hostname   Character varying (255)        Hostname of the client.
Iou               Character varying (255)        Holds the IOU of the PGT.
Service_ticket_id Integer                        Holds the ST id from the casserver_st table.

Table 3.3: Columns of the casserver_st table.

Column            Data type                      Description
Id                Serial                         Primary key of the table.
Ticket            Character varying (255)        Stores the STs generated by CAS.
Service           Text                           Holds the service requesting authentication.
Create_on         Timestamp without time zone    Time the ST was created.
Consumed          Timestamp without time zone    Time it was consumed.
Client_hostname   Character varying (255)        Hostname of the client.
Username          Character varying (255)        Holds the username.
Type              Character varying (255)
Granted_by_pgt_id Integer                        Holds the accepted pgt_id.
Granted_by_tgt_id Integer                        Holds the accepted tgt_id.

Table 3.4: Columns of the casserver_tgt table.

Column            Data type                      Description
Id                Serial                         Primary key of the table.
Ticket            Character varying (255)        Stores the TGTs generated by CAS.
Create_on         Timestamp without time zone    Time the TGT was created.
Client_hostname   Character varying (255)        Hostname of the client.
Username          Character varying (255)        Holds the username.
Extra_attributes  Text                           Holds the extra_attributes.

Step 14: To check that CAS is working, open the following URL:
http://localhost:8082/login and log in with the details added to the database earlier:
Username: phongdao
Password: 123456

Figure 3.17: Testing the RubyCAS installation.


If you receive the message shown in the figure above, the CAS-server installation succeeded.
Step 15: Go back to the database and check whether it was updated when we logged in for the first time.

Figure 3.18: Structure of the casserver_lt table

Figure 3.19: Structure of the casserver_pgt table

Figure 3.20: Structure of the casserver_st table.

Figure 3.21: Structure of the casserver_tgt table

Figure 3.22: Structure of the schema_migrations table.

3.1.4. Integrating the CAS client into the systems.


3.1.4.1. Introduction to the 2 websites used for SSO integration.
A. Website 1

Figure 3.23: Home page of website 1.


Website 1 is a simple news website, but it meets the requirements for a website integrating the single sign-on mechanism. The main functions of website 1 are:
- User registration
- Account activation via email
- Login
- Writing posts
- Updating the user profile.

Figure 3.24: User registration page of website 1.

Figure 3.25: Login page of website 1.

Figure 3.26: Adding a new post.

Figure 3.27: User list.

Figure 3.28: Database structure of website 1.


B. Website 2.
Website 2 is a website for uploading and sharing videos, built by ng c Tuyn, a student of cohort 13, during his first graduation project. The website lets members register, log in, and upload and share videos.

Figure 3.29: Home page of website 2.

Figure 3.30: User registration on website 2.

Figure 3.31: Logging in to website 2.

Figure 3.32: Video upload page of website 2.

Figure 3.33: Database structure of website 2.


3.1.4.2. Installing phpCAS.
Download the phpCAS library at: http://downloads.jasig.org/casclients/php/current/. Extract it and include it in the 2 websites to be integrated. For the 2 websites I presented, it goes as follows:
A. Website 1: Please see the integration in Appendix C.

Figure 3.34: Integrating phpCAS into website 1.


B. Website 2: Please see the integration in Appendix D.

Figure 3.35: Integrating phpCAS into website 2.


3.2. The phases in the system when a user logs in.

Phase 1: The user exists on both systems; how does the process go?


When the user exists in parallel on both systems, during authentication the CAS server returns the username and extra_attributes to the client as normal. On the client, the processing of the information received from the CAS server proceeds completely normally. See Figure 2.6: How phpCAS works.
Phase 2: The user exists in only one of the 2 systems; how does the process go for each system, for system 1 and for system 2?
Case 1: The user exists only on the CAS server.
When the user wants to authenticate in order to use the application, phpCAS redirects the user to the CAS server's login form, where the user enters their credentials; CAS verifies them and returns the username and extra_attributes (if any) to the client. On the client, depending on the application's needs, the received information may or may not be added to the client application's database. For the systems I integrated there was a need to add the received information to the database, so the processing steps are as follows:
Step 1: The client uses the username received from the CAS server as the condition for a query against the client application's database.
Step 2: Checking the result of the database query, there are 2 cases:
Case 1: No record matches the given condition -> insert the username and the extra_attributes such as email, address, status... (not including the password, for safety reasons) into the database. After that, the processing of the authentication information proceeds as normal.
Case 2: A record exists, so we go on to compare the queried record's information with the extra_attributes; if they match, skip this and proceed to process the authentication information; if they differ, update the information according to the extra_attributes. After the update, continue to process the authentication information.
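The two steps above, as an added example that is not code from the thesis or from either website: the local users table is modelled with an in-memory hash, the attribute names follow the extra_attributes configured in section 3.1.3, and the `actived == "1"` activation rule is an assumption.

```ruby
# Added example (not from the thesis or from either website): the local
# synchronisation of Phase 2, case 1, with an in-memory hash standing in for
# the websites' users tables. Names and sample data are constructed.

# Attributes copied from the CAS extra_attributes into the local record.
SYNCED_ATTRIBUTES = %w[permission full_name actived].freeze

# Step 1: look the CAS username up locally. Step 2: insert when absent,
# update only the attributes that differ, otherwise leave the row alone.
# Returns :inserted, :updated or :unchanged so the caller can log the outcome.
def sync_cas_user(local_users, username, cas_attributes)
  # Only whitelisted attributes are copied, so a password (or anything else
  # the CAS server might send) never lands in the local table.
  incoming = cas_attributes.select { |k, _| SYNCED_ATTRIBUTES.include?(k) }
  record = local_users[username]
  if record.nil?
    local_users[username] = { "username" => username }.merge(incoming)
    return :inserted
  end
  changed = incoming.reject { |k, v| record[k] == v }
  return :unchanged if changed.empty?
  record.merge!(changed)
  :updated
end

# After synchronisation the client still applies its own activation check,
# as the website 1 controller does with is_Active(); `actived == "1"` is assumed.
def session_allowed?(local_users, username)
  record = local_users[username]
  !record.nil? && record["actived"] == "1"
end
```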

Figure 3.36: Processing flow when the client requests authentication from the CAS server.
Case 2: The user exists only on the client.
In this case authentication fails, because the CAS server's database holds no information about the user, so there is nothing to authenticate against.

Figure 3.37: Logging in when the user does not exist on the CAS server.


Phase 3: The user has been deleted entirely from the user database on the CAS server; what happens when they log in to the system?
This case is the same as case 2 of phase 2: the user exists only on the client.
Phase 4: The user is deactivated, meaning they were previously a member but for some period must temporarily be denied login and then be allowed to log in again later (e.g. a student who at exam time has not paid the required fees cannot log in to the system to view their marks; after paying, the student can log in again). How does the system usually handle this?
The CAS server is only responsible for storing a user's information such as username, password, email and role; depending on the role, the user belongs to a user group (active, inactive, locked...). When the client makes a request, CAS returns the user's information, including the role, to the client, and from there the subsequent processing depends on the role.
Phase 5: When a user changes their profile information, how does the system handle it?
The same as case 2 of phase 2.
Phase 6: When the CAS server stops working, how does authentication proceed?
Before the client redirects the user to the CAS server, it checks the HTTP status code returned by the CAS server. If the status code == 200 or 303, it redirects the client to the CAS server; on any other status code it authenticates against the local database instead.

Figure 3.38: Flow diagram for phase 6.
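The phase 6 decision, as an added example that is not code from the thesis: the probe is injected so the logic can be exercised without a network, and the real probe issues a HEAD request to the CAS login URL from section 3.1.3. The example goes one step beyond the text by treating connection errors, which a stopped server produces instead of a status code, as "unavailable".

```ruby
# Added example (not from the thesis): the CAS availability check of Phase 6.
# Assumption: the CAS login URL is the one used in section 3.1.3.
require "net/http"
require "uri"
require "timeout"

CAS_LOGIN_URL = "http://localhost:8082/login".freeze

# Status codes the thesis treats as "CAS server is up".
CAS_OK_STATUSES = [200, 303].freeze

# Real probe: a HEAD request with short timeouts so a dead server does not
# stall every login. Returns the integer status code or raises on failure.
def http_status_probe(url = CAS_LOGIN_URL)
  uri = URI(url)
  Net::HTTP.start(uri.host, uri.port, open_timeout: 2, read_timeout: 2) do |http|
    http.head(uri.request_uri).code.to_i
  end
end

# Decide where to authenticate. A stopped server usually raises
# ECONNREFUSED or a timeout rather than returning a code, so every network
# error is mapped to the local-database path, just like an unexpected status.
def auth_target(probe = method(:http_status_probe))
  status = probe.call
  CAS_OK_STATUSES.include?(status) ? :cas_server : :local_database
rescue Errno::ECONNREFUSED, Errno::EHOSTUNREACH, SocketError, Timeout::Error, IOError
  :local_database
end
```

While the CAS server is down, the local fallback authenticates without the CAS-side role or activation data of phase 4, so the local users table must carry its own activation flag for that policy to hold.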


CONCLUSION
In this project I studied the single sign-on mechanism and experimented with it using the phpCAS library. The project carried out the assigned tasks and achieved the following results:
- A general understanding of the single sign-on mechanism and of how data is stored in and accessed from the database.
- Additional knowledge of single sign-on (SSO) systems and of the Central Authentication Service (CAS).
- Successful deployment of SSO through RubyCAS.
- Successful integration of the phpCAS library into PHP websites.
- Improved programming, research and analysis skills.
During the study and experimentation with the system, the following issues also arose:
- Most documentation is written in English, so mistakes during the study could not be avoided; I look forward to comments from teachers and classmates.
- Time was limited, so the system was not studied in full detail.
- The SSO system works through cookies, so a problem arises on the user side: users inadvertently or habitually disable cookies in the browser, and then the SSO system does not work.
- CAS issues a ticket corresponding to one cookie in the browser, so if 2 users sit at the same machine and use the same browser they cannot both log in; there is no notion of adding another user's login, which is one of the limitations compared with other centralised login systems such as Google....
Future directions:
- Resolve the issues left outstanding from the research and construction of the system.
- Continue researching and building the system to make it more complete.
- Integrate the SSO system with other platforms and languages such as .NET, JAVA and RUBY, and with closed systems.


APPENDICES
Appendix A: CAS XML response schema.
<!-- The following is the schema for the Yale Central Authentication
Service (CAS) version 2.0 protocol response. This covers the responses
for the following servlets:
  /serviceValidate
  /proxyValidate
  /proxy
This specification is subject to change.
Author: Drew Mazurek
Version: $Id: cas2.xsd,v 1.1 2005/02/14 16:19:06 dmazurek Exp $ -->
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema"
           xmlns:cas="http://www.yale.edu/tp/cas"
           targetNamespace="http://www.yale.edu/tp/cas"
           elementFormDefault="qualified" attributeFormDefault="unqualified">
  <xs:element name="serviceResponse" type="cas:ServiceResponseType"/>
  <xs:complexType name="ServiceResponseType">
    <xs:choice>
      <xs:element name="authenticationSuccess" type="cas:AuthenticationSuccessType"/>
      <xs:element name="authenticationFailure" type="cas:AuthenticationFailureType"/>
      <xs:element name="proxySuccess" type="cas:ProxySuccessType"/>
      <xs:element name="proxyFailure" type="cas:ProxyFailureType"/>
    </xs:choice>
  </xs:complexType>
  <xs:complexType name="AuthenticationSuccessType">
    <xs:sequence>
      <xs:element name="user" type="xs:string"/>
      <xs:element name="proxyGrantingTicket" type="xs:string" minOccurs="0"/>
      <xs:element name="proxies" type="cas:ProxiesType" minOccurs="0"/>
    </xs:sequence>
  </xs:complexType>
  <xs:complexType name="ProxiesType">
    <xs:sequence>
      <xs:element name="proxy" type="xs:string" maxOccurs="unbounded"/>
    </xs:sequence>
  </xs:complexType>
  <xs:complexType name="AuthenticationFailureType">
    <xs:simpleContent>
      <xs:extension base="xs:string">
        <xs:attribute name="code" type="xs:string" use="required"/>
      </xs:extension>
    </xs:simpleContent>
  </xs:complexType>
  <xs:complexType name="ProxySuccessType">
    <xs:sequence>
      <xs:element name="proxyTicket" type="xs:string"/>
    </xs:sequence>
  </xs:complexType>
  <xs:complexType name="ProxyFailureType">
    <xs:simpleContent>
      <xs:extension base="xs:string">
        <xs:attribute name="code" type="xs:string" use="required"/>
      </xs:extension>
    </xs:simpleContent>
  </xs:complexType>
</xs:schema>

Appendix B: Safe redirection.


After a successful login, redirecting the client safely from CAS to its final destination must be handled carefully. In most cases, the client sends its credentials to the CAS server in a POST request. In this specification, the CAS server must then redirect the user to the application with a GET request.
HTTP/1.1 provides the 303 response code for exactly this: it gives the desired behaviour, in which a script that receives data through a POST request forwards the browser, via a 303 redirection, to another URL through a GET request. However, not all browsers implement this behaviour correctly.
The recommended redirection method is therefore JavaScript. A page containing a window.location.href assignment of the following form accomplishes this:
<html>
<head>
<title>Yale Central Authentication Service</title>
<script>
window.location.href="https://portal.yale.edu/Login?ticket=ST-...";
</script>
</head>
<body>
<noscript>
<p>CAS login successful.</p>
<p> Click <a href="https://portal.yale.edu/Login?ticket=ST-...">here</a>
to access the service you requested.<br /></p>
</noscript>
</body>
</html>

Appendix C: SSO login handling code for system 1.


Login handling before phpCAS integration.

<?php if (!defined('BASEPATH'))
    exit('No direct script access allowed');
class VerifyLogin extends CI_Controller
{
    function __construct()
    {
        parent::__construct();
        $this->load->library("form_validation");
    }
    public function index()
    {
        // Already logged in: go straight to the admin home page.
        if ($this->my_auth->is_Login()) {
            redirect(base_url() . "admin/home");
            exit();
        }
        $this->form_validation->set_rules('username', 'Username', 'trim|required|xss_clean');
        $this->form_validation->set_rules('password', 'Password', 'trim|required|xss_clean');
        if ($this->form_validation->run() == false) {
            // Validation failed. The user is sent back to the login page.
            $this->load->view('admin/login');
        } else {
            // Local credential check: the submitted password is MD5-hashed and
            // looked up together with the username in the users table.
            $array = array(
                'username' => $this->input->post('username'),
                'password' => md5($this->input->post('password'))
            );
            $result = $this->muser->checkLogin($array);
            if ($result) {
                if (!$this->my_auth->is_Active($result['userid'])) {
                    $data['error'] = "Ti khon cha c kch hot !";
                    $this->load->view('admin/login', $data);
                } else {
                    $data = array(
                        "username" => $result['username'],
                        "userid" => $result['userid'],
                        "permission" => $result['permission'],
                    );
                    $this->session->set_userdata('logged_in', $data);
                    redirect(base_url() . "admin/home");
                }
            } else {
                $this->load->view('admin/login', array("error" => "Username hoc Password sai"));
            }
        }
    }
}
?>

After integration:


<?php if (!defined('BASEPATH'))
    exit('No direct script access allowed');
class Processing extends CI_Controller
{
    function __construct()
    {
        parent::__construct();
        // The h2 helper initialises phpCAS and forces CAS authentication.
        $this->load->helper('h2');
    }
    public function index()
    {
        if ($this->my_auth->is_Login()) {
            redirect(base_url() . "admin/home");
            exit();
        }
        // Attributes returned by the CAS server (the extra_attributes of config.yml).
        $result = phpCAS::getAttributes();
        if ($result) {
            $data = array(
                "username" => $result['username'],
                "full_name" => $result['full_name'],
                "permission" => $result['permission'],
            );
            // Phase 2, case 1: the user is either already known locally or is created first.
            if ($this->muser->getInfo1($data['username']) != false) {
                if (!$this->my_auth->is_Active($result['username'])) {
                    $data['error'] = "Ti khon cha c kch hot !";
                    $this->load->view('admin/login', $data);
                } else {
                    $this->session->set_userdata('logged_in', $data);
                    redirect(base_url() . "admin/home");
                }
            } else {
                $this->muser->AddNewUser1($data);
                $this->session->set_userdata('logged_in', $data);
                redirect(base_url() . "admin/home");
            }
        } else {
            $this->load->view('admin/login', array("error" => "Username hoc Password sai"));
        }
    }
}
?>

Where:
$this->load->helper('h2') loads the helper that integrates phpCAS.
Appendix D: SSO login handling code for system 2.
Handling before phpCAS integration
<?php
@Header( "Content-Type: text/html; charset=utf-8" );
@Header( "Content-Language: " . $_POST['lang'] );
session_start();
include ( "config.php" );
if ( isset( $_POST['dangky'] ) )
{
    // Registration.
    $username = $_POST['username'];
    $password = $_POST['pass'];
    $email = $_POST['email'];
    $fullname = $_POST['fullname'];
    // Escaped copies for use inside SQL strings.
    $u = mysql_real_escape_string( $username );
    $p = mysql_real_escape_string( $password );
    $e = mysql_real_escape_string( $email );
    $f = mysql_real_escape_string( $fullname );
    // Check whether the username and email already exist.
    $sql = "select * from users where username='" . $u . "'";
    $query = mysql_query( $sql );
    if ( mysql_num_rows( $query ) == 0 )
    {
        $sql = "select * from users where email='" . $e . "'";
        $query = mysql_query( $sql );
        if ( mysql_num_rows( $query ) == 0 )
        {
            // The password is stored as submitted; this website does not hash it.
            $sql = "INSERT INTO users (fullname, username, email, password, permission)
                    VALUES ('" . $f . "','" . $u . "','" . $e . "','" . $p . "','1')";
            $query = mysql_query( $sql );
            if ( $query )
            {
                $_SESSION['username'] = $username;
                $_SESSION['pass'] = $password;
                echo '<script>alert("ng k thnh cng. Bn c th tip tc.")</script>';
                echo '<script>window.location.assign("http://localhost/doan2/")</script>';
            }
        }
        else
        {
            echo '<script>alert("Email tn ti, vui lng dng email khc.")</script>';
            echo '<script>window.location.assign("http://localhost/doan2/")</script>';
        }
    }
    else
    {
        echo '<script>alert("Ti khon tn ti, vui lng dng ti khon khc.")</script>';
        echo '<script>window.location.assign("http://localhost/doan2/")</script>';
    }
}
else if ( isset( $_POST['dangnhap'] ) )
{
    // Login: username and password are compared directly against the users table.
    $username = $_POST['username'];
    $password = $_POST['pass'];
    $u = mysql_real_escape_string( $username );
    $p = mysql_real_escape_string( $password );
    $sql = "select * from users where username='" . $u . "' and password = '" . $p . "'";
    $query = mysql_query( $sql );
    if ( mysql_num_rows( $query ) != 0 )
    {
        $_SESSION['username'] = $username;
        $_SESSION['pass'] = $password;
        echo '<script>alert("ng nhp thnh cng. Nhn ok tr v trang ch.")</script>';
        echo '<script>window.location.assign("http://localhost/doan2/")</script>';
    }
    else
    {
        echo '<script>alert("Ti khon hoc mt khu khng chnh xc, vui lng kim tra li.")</script>';
        echo '<script>window.location.assign("http://localhost/doan2/")</script>';
    }
}
else
{
    echo '<script>alert("C li xy ra. Vui lng lin lc ti ngi qun tr.")</script>';
    echo '<script>window.location.assign("http://localhost/doan2/")</script>';
}
?>

After phpCAS integration.


<?php
@Header( "Content-Type: text/html; charset=utf-8" );
@Header( "Content-Language: " . $_POST['lang'] );
session_start(); // Initialize session data
ob_start();      // Turn on output buffering

// phpCAS proxied client (service) with sessioning
//
// import phpCAS lib
include ( "config.php" );
include_once( 'CAS/CAS.php' );
// set debug mode
phpCAS::setDebug();
// initialize phpCAS against the RubyCAS server set up in section 3.1.3
phpCAS::client( CAS_VERSION_2_0, 'localhost', 8082, '' );
// no SSL validation for the CAS server (SSL was turned off in config.yml)
phpCAS::setNoCasServerValidation();
// force CAS authentication
phpCAS::forceAuthentication();
// at this step, the user has been authenticated by the CAS server
// and the user's login name can be read with phpCAS::getUser().
$_SESSION['username'] = phpCAS::getUser();
$attr_thongttin = phpCAS::getAttributes();
$fullname = $attr_thongttin['full_name'];
// Placeholder values the thesis inserts for accounts created from CAS attributes.
$email = "daovanphongkq@gmail.com";
$password = "123456";
if ( isset( $_SESSION['username'] ) )
{
    // Check whether the user already exists locally (Phase 2, case 1).
    $u = mysql_real_escape_string( $_SESSION['username'] );
    $sql = "select * from users where username='" . $u . "'";
    $query = mysql_query( $sql );
    if ( mysql_num_rows( $query ) != 0 )
    {
        // echo '<script>alert("ng nhp thnh cng. Bn c th tip tc.")</script>';
        echo '<script>window.location.assign("http://localhost/doan2/")</script>';
    }
    else
    {
        // Unknown locally: create the record from the CAS username and full_name.
        $f = mysql_real_escape_string( $fullname );
        $sql = "INSERT INTO users (fullname, username, email, password, permission)
                VALUES ('" . $f . "','" . $u . "','" . $email . "','" . $password . "','1')";
        $query = mysql_query( $sql );
        if ( $query )
        {
            echo '<script>alert("ng nhp. Bn c th tip tc.")</script>';
            echo '<script>window.location.assign("http://localhost/doan2/")</script>';
        }
        else
        {
            echo '<script>alert("C li. Vui lng kim tra li h thng.")</script>';
            echo '<script>window.location.assign("http://localhost/doan2/")</script>';
        }
    }
}
?>
