2

我目前正在尝试让 PHP 登录并使用 CAS 单点登录服务器进行身份验证,这证明很困难。

官方网站在这里有一些基本的源代码,用于处理身份验证和登录用户。据我所见,在我的测试中,它完成了过程中的第 1 步和第 2 步(基本过程请参见此图)。登录到测试服务器后,我可以完成第 3 步并从将我发送回我的页面的 URL 中检索服务票证。似乎没有任何示例可以完成该过程的第 4 步和第 5 步。我需要编写自己的代码来做到这一点是否正确?

我试图取回票,然后使用我自己的一些带有 cURL 或 fsockopen 的代码将其发送到验证服务,但没有成功。

if (isset($_GET['ticket']))
{
    $currentProtocol = (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] != 'off') ? 'https://' : 'http://';
    $requestUri = explode('?', $_SERVER['REQUEST_URI']);
    $requestUri = $requestUri[0];
    $ticket = $_GET['ticket'];
    $port = ($_SERVER['SERVER_PORT'] != 80) ? ':8080' : '';
    $currentUrl = urlencode($currentProtocol . $_SERVER['SERVER_NAME'] . $port . $requestUri);
    $validateUrl = 'ssl://server.com/cas/serviceValidate?service=' . $currentUrl . '&ticket=' . $ticket;

    $errno = 0;
    $errstr = '';   
    $fp = fsockopen($validateUrl, 443, $errno, $errstr, 30);

    if (!$fp) {
        echo "$errstr ($errno)<br />\n";
    }
    else {
        var_dump($fp);

        $out = "GET / HTTP/1.1\r\n";
        $out .= "Host: www.example.com\r\n";
        $out .= "Connection: Close\r\n\r\n";
        fwrite($fp, $out);
        while (!feof($fp)) {
            echo fgets($fp, 128);
        }
        fclose($fp);
    }
}

如果我直接通过浏览器访问它,我可以从服务中获得合法的响应,例如:

https://server.com/cas/serviceValidate?service=http%3A%2F%2Flocalhost%3A8080%2Ftestcas%2Fcas-client.php&ticket=ST-35717-XLiWQ2ucCCuks2wsVNMJ-cas

它返回一个包含 Active Directory 用户 ID 的 XML 响应:

<cas:serviceResponse xmlns:cas='http://www.server.com/cas'>
    <cas:authenticationSuccess>
        <cas:user>c314317</cas:user>
    </cas:authenticationSuccess>
</cas:serviceResponse>

但我真的认为我需要能够使用 PHP 从服务器端直接访问该 URL,然后一旦我有了用户 ID,我就可以将它与我们的系统链接回来并将它们登录到站点中。

我的问题是似乎没有任何代码来处理票证和验证方面的事情。谁能指出我正确的方向?

非常感谢。

4

1 回答 1

0

好的,我想我用 cURL 解决了这个问题。我没有将 CURLOPT_SSL_VERIFYPEER 设置为 false,这就是它失败的原因。我现在可以使用 PHP 获取 XML 响应、处理 XML 响应并检索用户 ID。这是代码:

// Get the current server address we are executing the PHP from
$currentProtocol = (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] != 'off') ? 'https://' : 'http://';
$requestUri = explode('?', $_SERVER['REQUEST_URI']);
$requestUri = $requestUri[0];
$ticket = $_GET['ticket'];
$port = ($_SERVER['SERVER_PORT'] != 80) ? ':' . $_SERVER['SERVER_PORT'] : '';   # Don't need the port if it's 80, but needed if for example test server is running port 8080 
$currentUrl = $currentProtocol . $_SERVER['SERVER_NAME'] . $port . $requestUri;

// Setup the validation URL
$validateUrl = 'https://sso.server.com/cas/serviceValidate?service=' . strtolower(urlencode($currentUrl)) . '&ticket=' . $ticket;

// Send request to validate the URL
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $validateUrl);        # The URL to get the data from
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);     # Return the value of curl_exec() instead of outputting it out directly.
curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 120);      # The number of seconds to wait while trying to connect
curl_setopt($ch, CURLOPT_TIMEOUT, 120);             # The maximum number of seconds to allow cURL functions to execute
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);        # Check the existence of a common name and also verify that it matches the hostname provided
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);    # Stop cURL from verifying the peer's certificate
curl_setopt($ch, CURLOPT_HEADER, false);            # Don't include the header in the output

// Execute the request and close the handle
$xml = curl_exec($ch);
curl_close($ch);

// Get the user ID from the XML using XPath
$xml = new SimpleXMLElement($xml);
$result = $xml->xpath('cas:authenticationSuccess/cas:user');
$userId = null;

while(list( , $node) = each($result))
{
    $userId = (string) $node;
}

echo 'user: ' . $userId . "<br>";
于 2013-08-02T00:17:11.793 回答