Central Authentication System

CAS Sample Client Code: .NET

To integrate CAS into your .NET application, the following code is required:

  1. login.aspx - TAMU implementation of CAS client code
  2. logout.aspx - TAMU implementation of CAS logout

To integrate the TAMU CAS code into your .NET application, add the following to your code:

    
Imports System.Web.Security
Imports System.Net
Imports System.IO
Imports System.Text

'include system files to establish http connection and session state locally

Public Class Main
    Inherits System.Web.UI.Page
    ' carry Session information across .net apps through browser

    Private Const CAS_Server As String = "https://netid.tamu.edu/cas/"
    ' hard code where the cas service is and how to request it

    <System.Diagnostics.DebuggerStepThrough()> Private Sub InitializeComponent()
    End Sub
    ' required by the Web Form Designer

    Private Sub Page_Init(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles MyBase.Init
        'CODEGEN: This method call is required by the Web Form Designer
        'Do not modify it imports the code editor.
        InitializeComponent()
    End Sub

    Private Sub Page_Load(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles MyBase.Load
        ' local variables to handle request/response with cas service
        Dim ticket As String
        Dim uid As String
        Dim url As String
        Dim service As String
        Dim resp() As String
        Dim valReq As WebRequest
        Dim valResp As WebResponse
        Dim reader As StreamReader
        Dim serverName As String
        Dim appName As String

        uid = CStr(Session.Contents("empid"))
        ' if empid is already set, we have a valid local session
        '  and do not need to talk to the cas server
        If uid Is Nothing OrElse uid.Length = 0 Then

            ' Check for ticket returned by CAS redirect
            ticket = Request.QueryString("ticket")
            serverName = Request.ServerVariables("SERVER_NAME")
            appName = Request.ApplicationPath()
            ' Doing this is not particularly secure, but convenient for testing.
            ' What we should do is hard code the server_name and application path
            ' to point to this file.
            ' The service URL is URL-encoded because it travels as a query parameter.
            service = Server.UrlEncode("http://" & serverName & appName & "/logon.aspx")
            ' service = Server.UrlEncode("http://my_server/my_app/index.aspx")

            If ticket Is Nothing OrElse ticket.Length = 0 Then
                ' if we do not have a session or ticket, we require the user
                '  to login using the cas service
                url = CAS_Server & "login?" & "service=" & service
                ' make a call to the cas login service
                ' we will not return until a valid login occurs
                Response.Redirect(url)
                Response.End()

            Else
                ' we do not have a session but do have a ticket, we need to
                '  validate the ticket to make sure it came from the cas server
                ' Back from CAS, validate ticket and get userid
                ' CAS will cross-validate ticket with service URL
                ' The ticket comes from the query string, so encode it before reuse.
                url = CAS_Server & "validate?ticket=" & Server.UrlEncode(ticket) & "&" & _
                      "service=" & service
                ' pass the ticket to the cas server validate service
                '  we should get back a yes or a no
                valReq = WebRequest.Create(url)
                valReq.Method = "GET"
                valResp = valReq.GetResponse()

                ' read the whole response back from the server
                reader = New StreamReader(valResp.GetResponseStream(), Encoding.ASCII)
                resp = reader.ReadToEnd().Trim().Split(ControlChars.Lf)
                reader.Close()
                valResp.Close()

                ' parse the response to get Uin
                If resp.Length > 1 AndAlso resp(0).Equals("yes") Then ' Logon successful
                    ' Save Uin into Session object for subsequent calls
                    Session.Item("empid") = Left(resp(1), 9)
                    ' Everything OK, ticket validated.
                    ' Redirect to local application page that will set up
                    ' session objects and get Authorization info.
                    Response.Redirect("success.aspx")
                Else
                    ' really should not be able to get here.
                    ' if we are here, someone is feeding us invalid tickets
                    ' or the cas server went down during a request
                    ' - consider it a critical error
                    ' (ErrorLog is the application's own error helper, not shown here)
                    ErrorLog.RedirectToError("Authentication ticket error", "Authentication ticket error")
                    Response.End()
                End If
            End If
        Else
            ' we have a valid Session object and don't need to talk to cas
            Response.Redirect("success.aspx")
        End If

    End Sub

End Class
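
The comments in the code above recommend hard-coding the server name and application path rather than reading them from the request. The following is an added example, not part of the TAMU sample, showing one way to do that and to parse the validate response strictly; the names CasHelper and SERVICE_URL, the placeholder address and the user-id pattern are assumptions.

```vbnet
Imports System
Imports System.Text.RegularExpressions
Imports Microsoft.VisualBasic

' Added example (not TAMU's code). SERVICE_URL is a placeholder: set it to the
' fixed, externally visible address of your own logon page.
Public Module CasHelper
    Private Const CAS_Server As String = "https://netid.tamu.edu/cas/"
    Private Const SERVICE_URL As String = "https://my_server/my_app/logon.aspx"

    ' Login redirect target; the service URL never depends on request headers.
    Public Function LoginUrl() As String
        Return CAS_Server & "login?service=" & Uri.EscapeDataString(SERVICE_URL)
    End Function

    ' Validation URL; the ticket is escaped so it cannot add query parameters.
    Public Function ValidateUrl(ByVal ticket As String) As String
        Return CAS_Server & "validate?ticket=" & Uri.EscapeDataString(ticket) & _
               "&service=" & Uri.EscapeDataString(SERVICE_URL)
    End Function

    ' Returns the user id from a validate response, or Nothing unless the body
    ' is exactly "yes" on line one and a plausible id on line two.
    Public Function ParseValidateResponse(ByVal body As String) As String
        If body Is Nothing Then Return Nothing
        Dim lines() As String = body.Replace(vbCr, "").Split(ControlChars.Lf)
        If lines.Length < 2 OrElse lines(0) <> "yes" Then Return Nothing
        Dim user As String = lines(1).Trim()
        ' Assumed id format: 1 to 32 letters, digits, dot, dash or underscore.
        If Not Regex.IsMatch(user, "^[A-Za-z0-9._-]{1,32}$") Then Return Nothing
        Return user
    End Function

    Public Sub Main()
        ' Constructed sample responses, not captured from a real server.
        Console.WriteLine(ParseValidateResponse("yes" & vbLf & "123456789" & vbLf))
        Console.WriteLine(ParseValidateResponse("no" & vbLf & vbLf) Is Nothing)
        Console.WriteLine(ParseValidateResponse("yes" & vbLf & "<b>x</b>" & vbLf) Is Nothing)
        ' A ticket carrying its own "&service=" stays a single parameter value.
        Console.WriteLine(ValidateUrl("ST-1&service=x"))
    End Sub
End Module
```

The same constant must be used for both the login redirect and the validate call, because CAS cross-validates the ticket against the service URL.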
      
    

The CAS server stores the persistent session information in a cookie in the client browser, so cookies must be enabled for proper operation. A separate session state can be maintained in the application using the Session object so that constant verification with the server is not needed. Once the user authenticates, the authentication is valid until the application exits, the session times out on the CAS server, or the browser exits, destroying the cookies. If the application session information lasts longer than the CAS session, the user should not be prompted as long as the Session object is used for authentication between modules and applications.

You should also provide a mechanism to log the user out of the CAS authentication system. This is done by redirecting the user to the logout module on the CAS server at https://netid.tamu.edu/cas/logout. The logout.aspx script is an example of how to integrate this call into your .NET code. Alternatively, you could integrate the following code into your application:

    
Imports System.Web.Security
Imports System.Net
Imports System.IO
Imports System.Text

Public Class Main
    Inherits System.Web.UI.Page

    Private Const CAS_Server As String = "https://netid.tamu.edu/cas/"
    'This call is required by the Web Form Designer.
    <System.Diagnostics.DebuggerStepThrough()> Private Sub InitializeComponent()

    End Sub
    Private Sub Page_Init(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles MyBase.Init
        'CODEGEN: This method call is required by the Web Form Designer
        'Do not modify it imports the code editor.
        InitializeComponent()
    End Sub
    Private Sub Page_Load(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles MyBase.Load
        Dim url As String
        url = CAS_Server & "logout"
        Response.Redirect(url)
        Response.End()
    End Sub

End Class