Single Sign-On (SSO) is currently one of the more popular solutions for integrating enterprise business systems. SSO means that, across multiple application systems, a user only needs to log in once to access every application system that trusts the others.
ASP.NET cross-domain single sign-on comes in two forms:
1. Cross-subdomain single sign-on. For example, blog.a.com and info.a.com both belong to the same parent domain .a.com. SSO across subdomains is simple: issue the authentication cookie with its Domain set to ".a.com". This case is not covered further here.
2. Full cross-domain single sign-on. For example, www.a.com and www.b.com share one authentication system, and the user logs in at a single place. The rest of this article explains how to implement this form.
How ASP.NET cross-domain single sign-on works:
When a user first visits web application 1, they have not logged in yet, so they are sent to the authentication center to log in. The authentication system checks the user's identity against the login information they supply and, if the check passes, returns an authentication credential (a Token) to the user. When the user then visits other web applications, this Token is carried along as the user's credential; on receiving the request, the application sends the Token to the authentication center to check that it is valid. If the check passes, the user can access application 2 and application 3 without logging in again.

All application systems share one authentication system. Its main job is to compare the user's login information against the user store and authenticate the login; on success it generates a unified authentication marker and returns it to the user. The authentication system must also verify Tokens and judge whether they are still valid.

For SSO to work, so that the user logs in only once, every application system must be able to recognise users who have already logged in: it must be able to recognise and extract the Token and, by communicating with the authentication system, determine automatically whether the current user is already logged in, thereby completing single sign-on.
For example, suppose there are 3 sub-sites and 1 authentication center (the master site). When a user visits a sub-site, the sub-site sends a Token to the authentication center for verification. The authentication center judges whether the user has logged in. If not, the user is taken to the authentication center's login page to log in; otherwise the verified Token is returned to the sub-site and the user enters the sub-site directly.
As shown in the figure:
The above is the schematic of single sign-on; the following describes how to implement cross-domain single sign-on in ASP.NET:
Step 1. Create a new website, MasterSite, to act as the master-site authentication center. Configure web.config to use Forms authentication. The configuration is as follows:
<authentication mode="Forms">
  <forms name=".AspxFormAuth" loginUrl="Default.aspx" defaultUrl="center.html" protection="All" path="/" timeout="120"></forms>
</authentication>
<authorization>
  <!-- deny all anonymous users -->
  <deny users="?"/>
</authorization>
Add a Default.aspx page that performs the login. The code is as follows:
HTML Code:
<%@ Page Language="C#" AutoEventWireup="true" CodeFile="Default.aspx.cs" Inherits="_Default" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
    <title>總站登錄</title>
</head>
<body>
    <form id="form1" runat="server">
    <div>
        <asp:Login ID="Login1" runat="server" OnAuthenticate="Login1_Authenticate" UserName="test"></asp:Login>
    </div>
    </form>
</body>
</html>
Default.aspx.cs Code:
using System;
using System.Data;
using System.Configuration;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Web.UI.WebControls.WebParts;
using System.Web.UI.HtmlControls;
using System.Text;

public partial class _Default : System.Web.UI.Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        if (!IsPostBack)
        {
            SSORequest ssoRequest = new SSORequest();

            #region Validate the parameters posted by a sub-site
            //--------------------------------
            // Logout request
            if (!string.IsNullOrEmpty(Request["Logout"]))
            {
                Authentication.Logout();
                return;
            }
            //--------------------------------
            // Identifier of the independent sub-site
            if (string.IsNullOrEmpty(Request["IASID"]))
            {
                return;
            }
            else
            {
                ssoRequest.IASID = Request["IASID"];
            }
            //--------------------------------
            // Timestamp
            if (string.IsNullOrEmpty(Request["TimeStamp"]))
            {
                return;
            }
            else
            {
                ssoRequest.TimeStamp = Request["TimeStamp"];
            }
            //--------------------------------
            // Return address of the sub-site
            if (string.IsNullOrEmpty(Request["AppUrl"]))
            {
                return;
            }
            else
            {
                ssoRequest.AppUrl = Request["AppUrl"];
            }
            //--------------------------------
            // Token issued by the sub-site
            if (string.IsNullOrEmpty(Request["Authenticator"]))
            {
                return;
            }
            else
            {
                ssoRequest.Authenticator = Request["Authenticator"];
            }
            ViewState["SSORequest"] = ssoRequest;
            #endregion

            // Verify the Token sent by the sub-site
            if (Authentication.ValidateAPPToken(ssoRequest))
            {
                string userAccount = null;
                // Check whether the user has logged in before:
                // validate the EAC (authentication center) cookie and, if valid, obtain the login account
                if (Authentication.ValidateEACCookie(out userAccount))
                {
                    ssoRequest.UserAccount = userAccount;
                    // Create the Token the authentication center sends back to the sub-site
                    if (Authentication.CreateEACToken(ssoRequest))
                    {
                        Post(ssoRequest);
                    }
                }
                else
                {
                    return;
                }
            }
            else
            {
                return;
            }
        }
    }

    // POST the result back to the sub-site
    void Post(SSORequest ssoRequest)
    {
        PostService ps = new PostService();
        ps.Url = ssoRequest.AppUrl;
        ps.Add("UserAccount", ssoRequest.UserAccount);
        ps.Add("IASID", ssoRequest.IASID);
        ps.Add("TimeStamp", ssoRequest.TimeStamp);
        ps.Add("AppUrl", ssoRequest.AppUrl);
        ps.Add("Authenticator", ssoRequest.Authenticator);
        ps.Post();
    }

    /// <summary>
    /// Check whether the login account and password are correct
    /// </summary>
    /// <param name="userName">login account</param>
    /// <param name="userPwd">login password</param>
    /// <returns></returns>
    private bool ValidateUserInfo(string userName, string userPwd)
    {
        // Read the account from the database and verify the account and password
        // omitted...
        return true;
    }

    protected void Login1_Authenticate(object sender, AuthenticateEventArgs e)
    {
        if (string.IsNullOrEmpty(Login1.UserName) || string.IsNullOrEmpty(Login1.Password))
        {
            ClientScript.RegisterClientScriptBlock(GetType(), "Add",
                "<script type=\"text/javascript\">alert('用戶名密碼不能為空!');</script>");
            return;
        }
        else if (ValidateUserInfo(Login1.UserName, Login1.Password) == false)
        {
            ClientScript.RegisterClientScriptBlock(GetType(), "Add",
                "<script type=\"text/javascript\">alert('用戶名密碼錯誤!');</script>");
            return;
        }
        else
        {
            Session["CurrUserName"] = Login1.UserName;
            Session.Timeout = 120;
            SSORequest ssoRequest = ViewState["SSORequest"] as SSORequest;
            // If the request was not posted from a sub-site, log in to the master site by default
            if (ssoRequest == null)
            {
                FormsAuthentication.SetAuthCookie(Login1.UserName, false);
                ssoRequest = new SSORequest();
                // Master-site identifier
                ssoRequest.IASID = "00";
                ssoRequest.AppUrl = "SiteList.aspx";
                ssoRequest.TimeStamp = DateTime.Now.ToString("yyyy-MM-dd HH:mm");
                ssoRequest.Authenticator = string.Empty;
                Response.Redirect("SiteList.aspx");
            }
            ssoRequest.UserAccount = Login1.UserName;
            // Create the Token
            if (Authentication.CreateEACToken(ssoRequest))
            {
                string expireTime = DateTime.Now.AddHours(3).ToString("yyyy-MM-dd HH:mm");
                Authentication.CreatEACCookie(ssoRequest.UserAccount, ssoRequest.TimeStamp, expireTime);
                Post(ssoRequest);
            }
        }
    }
}
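The article's Authentication class (ValidateAPPToken, CreateEACToken and the rest) is not shown. The following is an added example, not the article's code, of how the Token that travels with IASID, TimeStamp, AppUrl and UserAccount can be generated and checked in either direction: an HMAC-SHA256 over all four fields under a per-site shared key, a freshness window on the minute-resolution TimeStamp, and a constant-time comparison. The class and method names, the 5-minute window and the sample key are assumptions.

```csharp
using System;
using System.Globalization;
using System.Security.Cryptography;
using System.Text;

// Hypothetical token helper (added example, not the article's Authentication class).
public static class SsoTokenHelper
{
    // Authenticator = Base64(HMAC-SHA256(siteKey, IASID|TimeStamp|AppUrl|UserAccount)).
    // Binding every posted field into the MAC means none of them can be swapped independently.
    public static string CreateAuthenticator(byte[] siteKey, string iasid, string timeStamp, string appUrl, string userAccount)
    {
        string payload = string.Join("|", new[] { iasid, timeStamp, appUrl, userAccount ?? string.Empty });
        using (HMACSHA256 hmac = new HMACSHA256(siteKey))
            return Convert.ToBase64String(hmac.ComputeHash(Encoding.UTF8.GetBytes(payload)));
    }

    // What the receiving side should check before trusting a posted request.
    public static bool ValidateAuthenticator(byte[] siteKey, string iasid, string timeStamp, string appUrl, string userAccount, string authenticator, DateTime now)
    {
        DateTime issued;
        if (!DateTime.TryParseExact(timeStamp, "yyyy-MM-dd HH:mm", CultureInfo.InvariantCulture, DateTimeStyles.None, out issued))
            return false;                                    // malformed timestamp
        double ageMinutes = (now - issued).TotalMinutes;
        if (ageMinutes < -1 || ageMinutes > 5)               // assumed window: 1 min skew, 5 min lifetime
            return false;                                    // stale or future-dated request
        byte[] actual;
        try { actual = Convert.FromBase64String(authenticator); }
        catch (FormatException) { return false; }            // not a Base64 MAC at all
        byte[] expected = Convert.FromBase64String(CreateAuthenticator(siteKey, iasid, timeStamp, appUrl, userAccount));
        return FixedTimeEquals(expected, actual);
    }

    // Compare MACs without leaking how long a matching prefix is through timing.
    static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    public static void Main()
    {
        byte[] key = Encoding.UTF8.GetBytes("constructed-shared-secret-for-site-01"); // constructed sample key for IASID "01"
        string ts = DateTime.Now.ToString("yyyy-MM-dd HH:mm");
        string url = "http://www.b.com/SsoLogin.aspx";                                 // constructed sub-site return address
        string token = CreateAuthenticator(key, "01", ts, url, "test");
        Console.WriteLine(ValidateAuthenticator(key, "01", ts, url, "test", token, DateTime.Now));                     // True
        Console.WriteLine(ValidateAuthenticator(key, "01", ts, "http://www.c.com/", "test", token, DateTime.Now));     // False: AppUrl differs from what was signed
        Console.WriteLine(ValidateAuthenticator(key, "01", ts, url, "test", token, DateTime.Now.AddHours(1)));         // False: outside the freshness window
    }
}
```

Because the article's TimeStamp has only minute resolution, a request can be re-posted unchanged within the window; to close that, the receiver also has to remember each accepted (IASID, TimeStamp, Authenticator) triple for the window's duration and reject duplicates.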