简介

CAS 是 Central Authentication Service（中央认证服务）的简写，旨在在 Web 应用系统提供可靠的单点登录（Single Sign On）方法。CAS 目前在 Github 上管理其代码，遵循 Apache 2.0 协议。

协议过程

CAS 分为 CAS Server 和 CAS Client 两部分。CAS Server 独立部署，主要负责对用户的认证工作。CAS Client（我们的 Web App）负责处理客户端对受保护资源的访问请求，需要登录时，重定向到 CAS Server。下图是 CAS 协议的过程：

接下来通过抓包辅助理解该过程：

1，用户访问 Web App http://192.168.56.1:9876/，因为请求的 Cookie 中没有 Session Key，所以被重定向到 CAS Server Login Endpoint https://cas.server.com:8443/cas/login

请求：

​x
GET / HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cache-Control: no-cache
Connection: keep-alive
Host: 192.168.56.1:9876
Pragma: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36

响应：

x
HTTP/1.1 307 Temporary Redirect
date: Tue, 22 Nov 2022 02:42:34 GMT
server: uvicorn
content-length: 0
location: https://cas.server.com:8443/cas/login?service=http%3A//192.168.56.1%3A9876/login

注意：

1. 需要为 CAS Server Login Endpoint 添加 service 参数

2，用户的浏览器自动跳转到 CAS Server Login Endpoint，因为 Cookie 中没有 TGC，所以返回登陆页面，让用户登录

请求：

x
GET /cas/login?service=http%3A//192.168.56.1%3A9876/login HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Cache-Control: no-cache
Connection: keep-alive
Cookie: JSESSIONID=FFACDCE638B493FED60F4C4893780F65
Host: cas.server.com:8443
Pragma: no-cache
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
sec-ch-ua: "Google Chrome";v="107", "Chromium";v="107", "Not=A?Brand";v="24"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "macOS"

响应（Body 已省略）：

HTTP/1.1 200
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
Strict-Transport-Security: max-age=15768000 ; includeSubDomains
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
Content-Type: text/html;charset=UTF-8
Content-Language: zh-CN
Transfer-Encoding: chunked
Date: Tue, 22 Nov 2022 02:29:05 GMT
Keep-Alive: timeout=60
Connection: keep-alive

3，用户完成登录后，CAS Server 设置 TGC Cookie，并重定向到 Web App 通过 service 参数指定的 URL 上

登陆请求（Body 已省略）：

x
POST /cas/login?service=http%3A//192.168.56.1%3A9876/login HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Cache-Control: no-cache
Connection: keep-alive
Content-Length: 4347
Content-Type: application/x-www-form-urlencoded
Cookie: JSESSIONID=FFACDCE638B493FED60F4C4893780F65
Host: cas.server.com:8443
Origin: https://cas.server.com:8443
Pragma: no-cache
Referer: https://cas.server.com:8443/cas/login?service=http%3A//192.168.56.1%3A9876/login
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
sec-ch-ua: "Google Chrome";v="107", "Chromium";v="107", "Not=A?Brand";v="24"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "macOS"

响应：

x
HTTP/1.1 302
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
Strict-Transport-Security: max-age=15768000 ; includeSubDomains
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
Set-Cookie: TGC=eyJhbGciOiJIUzUxMiJ9.ZXlKNmFYQWlPaUpFUlVZaUxDSmhiR2NpT2lKa2FYSWlMQ0psYm1NaU9pSkJNVEk0UTBKRExVaFRNalUySW4wLi52dnY2bF85YU1zMjh2YnRBRkFfSDR3LlpiT1hIaXVLWGktVldGRlFwLTdhOEZzZGMtWFYwaDhKWlNDOUsycTFBMG5OVUNQcDVjLURWSTRUN0pWYkM4WnhFRUZRb1o0UU5UNXJyMW5aNjlLb3ZYenBGLVNkT21NdnNRRjZudWptUnFpdDZQZXRxY0NPd3RQSFIzbFFCQ0RDZGVrSDF2MXBNb0F3UVI2Ym9NbmtDTlZ6Y1cxSjZFeTlaYnF3a0pWX2xtcW56N1J2Vk5oVGRjZW1SRlRTNm94QXNPYVhfNUhjWnhlX25DMld4SGY3ZjRQQVRxN3RjVWdtVnF1NEJ3ZlNsREF0eUk5UUEzemtxUUh6OUtqcTFVVk1YZlV0djhuZ2JIbXozZC1JMk1HTS1RLnoyUVRMU0luei1CNDZTNDNFVVVuTWc=.CF0Vtg2fEUA626Vp-edvG-MiIFUzkse0qOsb-yrV3LrEEGHmfGru7UmQYwXK8sZUPTw5leixWID1-4L9RyEZxA; Path=/cas/; HttpOnly
Location: http://192.168.56.1:9876/login?ticket=ST-6-RLUxzoIKpY7v6JDlnwhZiyAqkfEcas-111
Content-Length: 0
Date: Tue, 22 Nov 2022 02:41:45 GMT
Keep-Alive: timeout=60
Connection: keep-alive

注：

1. CAS Server 为 Web App 回调 URL 增加 ticket 参数，其值为 Service Ticket，Service Ticket 有时间（默认 10 秒）和使用次数限制（默认 1 次）

4，用户的浏览器自动跳转到 Web App 通过 service 参数指定的重定向 URL，Web App 在后台调用 CAS Server ServiceValidate Endpoint，验证通过后，在响应的 Cookie 中设置自己的 Session Key，并将用户重定向到其它页面，防止泄漏 Service Ticket

请求：

xxxxxxxxxx
GET /login?ticket=ST-6-RLUxzoIKpY7v6JDlnwhZiyAqkfEcas-111 HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cache-Control: no-cache
Connection: keep-alive
Host: 192.168.56.1:9876
Pragma: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36

响应：

x
HTTP/1.1 307 Temporary Redirect
date: Tue, 22 Nov 2022 02:55:13 GMT
server: uvicorn
content-length: 0
location: /
set-cookie: TEST_CAS_SESSION_ID=ST-6-RLUxzoIKpY7v6JDlnwhZiyAqkfEcas-111; Path=/; SameSite=lax
set-cookie: user_name=admin; Path=/; SameSite=lax

注：

1. CAS Client 和 CAS Server 间验证 Service Ticket 的过程对用户透明

5，用户的浏览器自动跳转到 Web App 指定的重定向 URL 上，浏览器自动提交 Web App 设置的 Cookie，Web App 验证通过后，给用户下发资源

请求：

x
GET / HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cache-Control: no-cache
Connection: keep-alive
Cookie: TEST_CAS_SESSION_ID=ST-6-RLUxzoIKpY7v6JDlnwhZiyAqkfEcas-111; user_name=admin
Host: 192.168.56.1:9876
Pragma: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36

响应（Body 已省略）：

xxxxxxxxxx
HTTP/1.1 200 OK
date: Tue, 22 Nov 2022 02:55:13 GMT
server: uvicorn
content-length: 18
content-type: text/plain; charset=utf-8

术语介绍

1. Ticket Granting Ticket（TGT）

   TGT 是 CAS Server 为用户签发的登陆票据，拥有 TGT 可以证明用户成功登陆 CAS。TGT 封装 Cookie 值及对应的用户信息。用户在 CAS 认证成功后，CAS 生成 Cookie（TGC），写到浏览器，同时生成 TGT 对象，放入 Ticket Registry，TGT 对象的 ID 就是 Cookie 的值

2. Ticket Granting Cookie（TGC）

   存放用户身份认证凭证的 Cookie

3. Service Ticket（ST）

   用户访问 Service 时，Service 发现用户没有 ST，则要求用户去 CAS Server 获取 ST。用户向 CAS Server 发出获取 ST 的请求时，如果 CAS Server 发现用户有 TGT，则签发 ST，返回给用户。用户拿着 ST 去访问 Serivce，Service 拿 ST 去 CAS Server 验证，验证通过后，允许用户访问资源