Central Authentication and Authorization Service Web Application
Hisashi NAITO, Graduate School of Mathematics, Nagoya University, naito@math.nagoya-u.ac.jp
Shoji KAJITA, Information Technology Center, Nagoya University, kajita@nagoya-u.jp
,,,,.,,,,, (Web Application).,, Yale Central Authentication Service (CAS), Central Authentication and Authorization Service (CAS 2 )., CAS 2 Authentication and Authorization Service, 2005 CAS 2 Web. 1,,.,, Solution CAS 2. 1.1,,,, AAA. Authentication () ID,
2. Authorization (). Accounting (). UNIX. Authentication ID, Authorization,. Accounting,, UNIX,. Authentication, ID, BSD Flat Database /etc/passwd, UNIX NIS, LDAP,.,,, PAM. 1.2,. Authentication,. 1. URL, ID. 2. CGI/Servlet., Apache httpd server, httpd.conf,.htaccess,, Basic Authentication, mod_ldap LDAP.,, Authentication.,, CGI Servlet,.,,,,., httpd, session at once, CGI Servlet, Authentication,., Authentication, ID,
3., Cookie (hidden)url, Java Servlet API.,,,,,. Web Shopping Site,,,.,,.,,.,,,.,,.,,.,,.,,,,,. 1.3,, ID,,., Single Sign On.,, Channel.,.,., Channel,, Authorization,.,,,,,,.
4, Central Authentication Service,. 2 Central Authentication Service,. 1.,. 2.,,. 3. Authentication, Authorization. Central Authentication and Authorization Service,, Yale Central Authentication Service. 2.1 Central Authentication Service Yale ITS Technology & Planning, 1 2 Central Authentication Service (CAS). (See. [1]) CAS,. CAS 2, CAS 2 CAS., CGI Figure 1 1.,,. 1.. 2.. 3.. CAS, Java Servlet API 2.3 2. CAS,,.,, LDAP, Oracle. CAS, CAS Figure 2. 1 Figure 1,, LDAP. 2 Tomcat.
5 Figure 1 Figure 2 2.1.1 CAS (1) CAS. 1. CAS,, Service Ticket ST URL. (Figure 3-1, p.7) 2. ST,,ST 3,, CAS, CAS. (Figure 3-2a) 3. CAS, Ticket Validation Cookie TGC,., CAS, Service Parameter URL CAS. Service Parameter, URL(). 4. TGC, (Figure 3-2b),,.,, TGC. (Figure 4-3 p.7) 5. TGC,,, TGC, CAS, ST, URL., CAS, ST.,ST ST. (Figure 4-4) 6.,STURL,, ST CAS. (Figure 5-5a, p.7) 7. ST CAS, ST ST. (Figure 5-5b) 8., CAS ST,, Web. (Figure 5-6) 3 ST, 6.
6,. URL https://foo.nagoya-u.ac.jp/app/, CAS URL https://cas.nagoya-u.ac.jp/.
1. () URL https://foo.nagoya-u.ac.jp/app/?param1=value1&param2=value2,st URL https://foo.nagoya-u.ac.jp/app/?ticket=st-xxxxxx%3Fparam1=value1%26param2=value2. URL ticket ST, XXXXXX. (Figure 3-1)
2. ST, Java Script, https://cas.nagoya-u.ac.jp/index.jsp?service=//foo.nagoya-u.ac.jp/app/%3Fparam1=value1%26param2=value2. (Figure 3-2a)
3. CAS (TGC). cas.nagoya-u.ac.jp TGC-XXXXXX ON,, SSL,.
4.,3 TGC. (Figure 4-3)
5. CAS Java Script https://foo.nagoya-u.ac.jp/app/?ticket=st-xxxxx&service=https://foo.nagoya-u.ac.jp/app/%3Fparam1=value1%26param2=value2. (Figure 4-4)
6. ST CAS https://cas.nagoya-u.ac.jp/validate/?ticket=st-xxxxx. (Figure 5-5a, p.7)
7. 6 CAS, ticket ST. (Figure 5-5b)
8. CAS,ST Figure 6 XML 4. (CAS ), XML netid( ID). (Figure 5-6)
4 XML ST,.
7
Figure 3: CAS (1) [figure; Web Browser, Web Application (https://app.foo/), CAS Server, LDAP Server, ST; steps: 1. Access, 2a. Redirection, 2b. Login Window]
Figure 4: CAS (2) [figure; Web Browser, Web Application, CAS Server, LDAP Server, TGC; steps: 3a. Input UserID/Password with Service=https://app.foo/, 3b. Authentication, 3c. Result, 4. Redirection with TGC/ST]
Figure 5: CAS (3) [figure; Web Browser, Web Application, CAS Server, LDAP Server, ST; steps: 5a. Send ST, 5b. Validation Result, 6. Response]
<cas:serviceresponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationsuccess>
    <cas:netid>userid</cas:netid>
  </cas:authenticationsuccess>
</cas:serviceresponse>
Figure 6: CAS XML
, CAS TGC/ST,.
ST-ZXZXZXZX remaining-time: 10
ST-ZZZZZZZZ remaining-time: 3
ST-YYYYYYYY remaining-time: 11
ST-XXXXXXXX remaining-time: 10
TGC-YYYY netid=kajita remaining-time: 300
TGC-XXXX netid=naito remaining-time: 150
Figure 7: CAS
2.1.2 CAS CAS,. Ticket Granting Cookie, Session Once 5., TGCd 5 Session Once,. TGC, CAS.
8 CAS. CAS. Service Ticket, URL, CAS 6. One Time Ticket, ST. CAS, CAS. Login Servlet, TGC, TGC., ST. Validation Servlet, ST.,. Logout Servlet, TGC.., TGC ST CAS. TGC, 7 Session Timeout., ST 8., CAS, TGC,ST Man-in-Middle Attack., CAS,, URL, (Java Script) Web, CAS. 2.1.3 CAS (2), CAS,,, CAS TGC,,., CAS Single Sign On., CAS, SSL Layer, CAS, https,. 6 ST TGC, TGC. 7. CAS, TGC, TGC. 8.
9 2.2 Central Authentication Service, CAS,, CAS 9,. CAS, CAS.,, CGI. 1. Welcome Page ID. 2. ID.,, CGI. ### FORM decode ID/ ### ID, ###, ### HTML ID CGI, CAS. ### FORM decode ID/ ### CAS client ###, ### HTML ID, CGI CAS. CAS, Yale, perl, Java, PHP, PL/SQL, Python, Ruby, CGI. 2.3, CAS, Yale CAS.. Form GET Form GET, URL, URL, Form GET, POST 9 CASify CAS. CAS CASified Application.
10., CAS POST. POST Form., Form, ST.. 1. Form, CAS, ST., ST, CAS Java Script.,CGI, CAS. 2. TGC CAS ST, Java Script. Form, 2, Form., CAS, JSP GET, CAS, Service Parameter JSP, CAS POST 1, POST Form. Form, Form HTML.,Form EUC-JP, Form EUC-JP. CAS Java, CAS UTF-8, EUC-JP URL Form 10. CAS CAS, Login,., Validation,, ST CAS, ST. Cross Site Scripting CAS URL. https://mynu.jp/cas/index.jsp?service=javascript%3aalert%28document.cookie%29%3b, Cross Site Scripting URL, TGC 11. 10, UTF-8,., EUC-JP Shift-JIS Oracle backend, PL/SQL, UTF-8. 11.
11, CAS.,, CAS Authentication, (Authorization).,, Validation,. 3 Central Authentication and Authorization Service,. CAS,,, (Authorization ).,, ID CAS, CAS.,,,.,,,,., CAS,.,, Service Based Authorization, CAS (Validation) Service Authorization., CAS, Cross Site Scripting. Service Based Authorization CAS, CAS 2. 3.1 CAS 2 CAS 2 Authorization, service, Service Based Authorization. service Authorization Validation, Validation service CAS 2. CAS 2,,,.,, LDAP.,. ST (Validation), URL.
12,. CAS Access Control List (CAS-ACL). CAS-ACL, CAS-ACL LDAP 12.
3.1.1 Access Control List
CAS-ACL,. CAS-ACL
dn: cn=uportal,ou=cas,o=nu
cas-auth-type: basic
cas-attributes: uid,mailaddrss,username,dn
cas-service: https://app\.foo/.*
cas-allow: (dn=.+,ou=people,o=nu)
CAS-ACL. URL cas-service URL,, https://app\.foo/.* URL. URL cas-service,, LDAP cas-allow., dn dn=.+,ou=people,o=nu. Authorization, cas-attributes., LDAP dn,, uid, MailAddress, username. CAS-ACL, URL, CAS Access Control Class ( CAS-ACC ). Validation, service, cas-service CAS-ACL, (cas-allow )., cas-attributes.,st CAS-ACL. 3.3.
3.1.2 Access Control List
CAS-ACL cas-allow,ldap, IP 12,, CAS 2.
13,., cas-attributes, LDAP.
9 5.
cas-allow: (&(time>=0900)(time<1700))
2005 7 1 2005 7 31.
cas-allow: (&(date>=20050701)(date<=20050731))
2005 7 1 9 2005 7 31 5.
cas-allow: (&(datetime>=200507010900)(date<=200507311700)).
cas-allow: (&(wday>=mon)(wday<=fri)).
cas-allow: (IP=133.6.0.0/16)
,,.,., 2005 7 1 9 2005 7 31 5., 3 5...,, dn=.+,ou=staff,ou=people,ou=nu. cas-allow,,
(&(&(dn=.+,ou=staff,ou=people,ou=nu)
   (&(datetime>=200507010900)(date<=200507311700)))
 (&(IP=133.6.0.0/16)( (time>0300)(time<=0500))))
,,., CAS-ACL. CAS-ACL
14
dn: cn=access_time,ou=cas,o=nu
cas-auth-type: accessfilter
cas-allow: (&(datetime>=200507010900)(date<=200507311700))

dn: cn=without_mentenance_time,ou=cas,o=nu
cas-auth-type: access_filter
cas-allow: ( (time>0300)(time<=0500))
cas-auth-type: access_filter,,
(&(&(dn=.+,ou=staff,ou=people,ou=nu)
 (access_filter=cn=access_time,ou=cas,o=nu)
 (&(IP=133.6.0.0/16)
 (access_filter=cn=without_mentenance_time,ou=cas,o=nu))))
.,
dn: cn=access_time_0,ou=cas,o=nu
cas-auth-type: access_filter
cas-allow: (&(access_filter=cn=access_time,ou=cas,o=nu)
 (access_filter=cn=without_mentenance_time,ou=cas,o=nu))

dn: cn=staff_in_univ,ou=cas,o=nu
cas-auth-type: access_filter
cas-allow: (&(dn=.+,ou=staff,ou=people,ou=nu) (IP=133.6.0.0/16))
,
(&(access_filter=staff_in_univ,ou=cas,o=nu) (access_filter=cn=access_time_0,ou=cas,o=nu))
.,,.
3.2 Service Ticket
,ST. ST One-Time Ticket, ST.,, Login.,,3 CAS., Validation,, CAS-ACC URL. ST nextticket., CAS-ACC URL 1., CAS-ACC nextticket, CAS-ACL cas-attributes 1314. CAS 2, ST/TGC. 13 nextticket, cas-attributes nonextticket, nextticket. 14 3.3, nextticket.
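As an added illustration (not the CAS 2 implementation itself), the following Python evaluates cas-allow filters of the kind shown in 3.1.2, including access_filter references that chain CAS-ACL entries together. The CAS-ACL entries, the user dn, the client address and the negation in the maintenance-window filter are constructed assumptions.

```python
# Illustrative re-implementation (not CAS 2's own code) of the CAS-ACL cas-allow filter language.
import ipaddress
import re
from datetime import datetime
WDAYS = ["mon", "tue", "wed", "thu", "fri", "sat", "sun"]
TERM = re.compile(r"([A-Za-z_]+)(>=|<=|>|<|=)(.*)")   # attr, comparator, value

def parse(s, i=0):
    """Parse the filter at s[i] (whitespace already removed); return (node, next index)."""
    if s[i + 1] in "&|!":                           # combinator over child filters
        op, i, kids = s[i + 1], i + 2, []
        while s[i] != ")":
            node, i = parse(s, i)
            kids.append(node)
        return (op, kids), i + 1
    j = s.index(")", i)                             # simple term: (attr op value)
    return ("term",) + TERM.fullmatch(s[i + 1:j]).groups(), j + 1

def evaluate(node, ctx, acl):
    """ctx: request attributes; acl: CAS-ACL entry dn -> its cas-allow filter text."""
    if node[0] != "term":
        kids = [evaluate(k, ctx, acl) for k in node[1]]
        return {"&": all(kids), "|": any(kids), "!": not kids[0]}[node[0]]
    _, attr, cmp, val = node
    if attr == "access_filter":                     # indirection to another CAS-ACL entry
        return evaluate(parse(re.sub(r"\s", "", acl[val]))[0], ctx, acl)
    if attr == "IP":
        return ipaddress.ip_address(ctx["IP"]) in ipaddress.ip_network(val)
    have = ctx[attr]
    if attr in ("time", "date", "datetime"):        # zero-padded digits, compare numerically
        have, val = int(have), int(val)
    elif attr == "wday":
        have, val = WDAYS.index(have), WDAYS.index(val)
    elif cmp == "=":                                # dn and other strings: regexp match
        return re.fullmatch(val, have) is not None
    return {">=": have >= val, "<=": have <= val, ">": have > val,
            "<": have < val, "=": have == val}[cmp]

def allowed(service_dn, user_dn, ip, when, acl):
    """Validation-time decision for one request; `when` is YYYYMMDDHHMM as in the filters."""
    t = datetime.strptime(when, "%Y%m%d%H%M")
    ctx = {"dn": user_dn, "IP": ip, "time": when[8:], "date": when[:8],
           "datetime": when, "wday": WDAYS[t.weekday()]}
    return evaluate(("term", "access_filter", "=", service_dn), ctx, acl)  # the service's own entry
ACL = {  # constructed entries modelled on the paper's; the negated maintenance window is our reading
    "cn=access_time,ou=cas,o=nu": "(&(datetime>=200507010900)(datetime<=200507311700))",
    "cn=without_mentenance_time,ou=cas,o=nu": "(!(&(time>0300)(time<=0500)))",
    "cn=staff_in_univ,ou=cas,o=nu": "(&(dn=.+,ou=staff,ou=people,ou=nu) (IP=133.6.0.0/16))",
    "cn=uportal,ou=cas,o=nu": "(&(access_filter=cn=staff_in_univ,ou=cas,o=nu)"
                              " (access_filter=cn=access_time,ou=cas,o=nu)"
                              " (access_filter=cn=without_mentenance_time,ou=cas,o=nu))",
}
```

A staff dn from 133.6.0.0/16 at 2005-07-15 10:00 passes the uportal entry; the same user at 04:00, from an off-campus address, or after 2005-07-31 17:00 does not.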
15
ST-ZXZXZXZX remaining-time: 10 CAS-dn: dn=...
ST-ZZZZZZZZ remaining-time: 3 CAS-dn: dn=...
ST-YYYYYYYY remaining-time: 11 CAS-dn: dn=...
ST-XXXXXXXX remaining-time: 10 CAS-dn: dn=...
TGC-YYYY User Attributes for kajita remaining-time: 300
TGC-XXXX User Attributes for naito remaining-time: 150
Figure 8: CAS 2
, TGC User Attributes, 15 Hash Table., CAS-ACL, TGC., Validation ST XML., <cas:attributes>, CAS-ACL.
<cas:serviceresponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationsuccess>
    <cas:ticket>st-xxxxx</cas:ticket>
    <cas:user>netid</cas:user>
    <cas:attributes>
      <cas:attribute-1>attribute-1-value</cas:attribute-1>
      <cas:attribute-2>attribute-2-value-1, attribute-2-value-2</cas:attribute-2>
    </cas:attributes>
  </cas:authenticationsuccess>
</cas:serviceresponse>
Figure 9: CAS 2 XML
CAS( CAS 2 ) Attributes XML Hash Table, result,, UserID userid=result.netid, 15,.
16 fullname=result.attributes.fullname 16
3.3
nextticket, CAS,.
3.3.1 CAS 2 (1)
, 2.1.1, CAS, 2.1.1.
1. https://foo.nagoya-u.ac.jp/app/ ST., CAS Login. 2.1.1 (1).
2. 2.1.1 (3), CAS Login, TGC., ST, service CAS-ACL. (Figure 10 ) CAS-ACL (Authorization) ST,., CAS 2 ST, CAS-ACC (CAS-ACL dn ).
3. 2.1.1 (4),STCAS, CAS (Validation) https://cas.nagoya-u.ac.jp/validate/?ticket=st-xxxxx&service=https://foo.nagoya-u.ac.jp/app/%3Fparam1=value1%26param2=value2 ticket, service, ST., URL CAS-ACL, ST CAS-ACC, CAS-ACC., ST,. CAS-ACL., CAS-ACL nextticket, ST. ST, ST CAS-ACC. (Figure 11 ), ST, ST 2 Service Based Authorization., CAS 2
16 CAS 2,.
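An added example, not the CAS 2 client library: parsing the Validation response of Figure 9 into the result hash a CASified application reads (result.netid, result.attributes.fullname, and the nextticket carried in <cas:ticket>). The attribute names and ticket value in the sample response are constructed.

```python
# Added example (not the CAS 2 client library): Figure 9 Validation response -> result hash.
import xml.etree.ElementTree as ET

CAS_NS = "{http://www.yale.edu/tp/cas}"   # namespace declared on <cas:serviceresponse>

def parse_validation(xml_text):
    """Return {'netid', 'nextticket', 'attributes'} on success, or None when the
    response carries no <cas:authenticationsuccess> (the ST was not accepted)."""
    root = ET.fromstring(xml_text)
    ok = root.find(CAS_NS + "authenticationsuccess")
    if ok is None:
        return None
    result = {"netid": ok.findtext(CAS_NS + "user"),
              "nextticket": ok.findtext(CAS_NS + "ticket"),   # ST for the next Validation
              "attributes": {}}
    attrs = ok.find(CAS_NS + "attributes")
    for el in ([] if attrs is None else attrs):
        name = el.tag[len(CAS_NS):]          # strip the namespace: cas:fullname -> fullname
        # Figure 9 encodes multi-valued attributes as "v1, v2"; a single value containing
        # a comma would be split too, a limitation of that encoding worth knowing about.
        values = [v.strip() for v in (el.text or "").split(",")]
        result["attributes"][name] = values[0] if len(values) == 1 else values
    return result

# Constructed response in the Figure 9 layout (attribute names are assumptions).
SAMPLE = """<cas:serviceresponse xmlns:cas="http://www.yale.edu/tp/cas">
 <cas:authenticationsuccess>
  <cas:ticket>st-nexta1b2c3</cas:ticket>
  <cas:user>naito</cas:user>
  <cas:attributes>
   <cas:fullname>Hisashi NAITO</cas:fullname>
   <cas:group>staff, math</cas:group>
  </cas:attributes>
 </cas:authenticationsuccess>
</cas:serviceresponse>"""
```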
17 ST CAS-ACC, service URL Man-in-the-Middle attack.
Figure 10: CAS 2 (1) [figure; Web Browser, Web Application, CAS Server, CAS-ACL(LDAP), TGC, ST; steps: 1a. Authorization, 1b. Result, 2. Redirection with ST]
Figure 11: CAS 2 (2) [figure; Web Browser, Web Application, CAS Server, CAS-ACL(LDAP), TGC, ST, nextticket; steps: 3. Send ST, 4a. Authorization, 4b. Result, 5. Validation and send nextticket]
Figure 12: CAS 2 (3) [figure; Web Browser, Web Application, CAS Server, CAS-ACL(LDAP), TGC, ST; steps: 1. Access, 2. Send ST, 3a. Authorization, 3b. Result, 4. Not Valid, 5. Redirect]
3.3.2 CAS 2 (2)
, nextticket ST URL CAS-ACC URL 17., ST, 2.1.3 Login, CAS Validation ST., CAS 1., CAS-ACC URL, nextticket ST,ST CAS-ACC, CAS-ACC, ST., ST CAS, Login,, ST. (Figure 12 ), TGC,, CAS.
17 Figure 9, Validation XML, <cas:ticket> nextticket.
18 3.3.3 Cross Site Scripting Service Based Authorization, Cross Site Scripting (XSS)., XSS Form HTML., (HTML )(Sanitalize), XSS. CAS XSS, service 18, Service Based Authorization, service,,, CAS-ACC,. 3.4 CAS-ACL Service Based Authorization, CAS 2. POST...,, TGC, TGC,. CAS 2, CAS., POST, CAS CAS Java Script., CAS 2. CASREQUESTMETHOD GET POST. GET., Java Script. ENCODING character encoding. UTF-8., CAS 2, Java Script JSP character encoding.,., CAS, Form (GET POST), character encoding. CAS,., Form POST, Java Script, POST. 18 CAS service, Form (GET ).
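The service check described in 3.3.3, as an added example that is not CAS 2's own code: the service parameter is honoured only if it matches, in full, the cas-service pattern of some CAS-ACL entry, so a javascript: value like the one quoted in 2.3 never reaches a redirect or the login page. The webmail entry and the URLs tested are constructed.

```python
# Added illustration (not CAS 2's code): service parameter allow-listing via cas-service.
import re

# Constructed CAS-ACL entries in the paper's attribute layout (the webmail entry is invented).
CAS_ACL = [
    {"dn": "cn=uportal,ou=cas,o=nu", "cas-service": r"https://app\.foo/.*",
     "cas-allow": "(dn=.+,ou=people,o=nu)", "cas-attributes": ["uid", "mailaddress", "username", "dn"]},
    {"dn": "cn=webmail,ou=cas,o=nu", "cas-service": r"https://mail\.foo/(inbox|compose)(\?.*)?",
     "cas-allow": "(dn=.+,ou=staff,ou=people,o=nu)", "cas-attributes": ["uid"]},
]

def lookup_service(service, acl=CAS_ACL):
    """Return the CAS-ACL entry (the CAS-ACC) whose cas-service pattern matches the whole
    service URL, else None: a javascript: URL, a look-alike host or an unknown path is
    refused before the login page embeds the value or the server redirects to it."""
    for entry in acl:
        if re.fullmatch(entry["cas-service"], service):   # fullmatch, not search: no prefix tricks
            return entry
    return None
```

The returned entry also carries the cas-attributes that Validation may release to that service, so one lookup serves both the redirect check and Service Based Authorization.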
19
3.5 Access Control List
CAS-ACL CAS 2, CAS 2., CAS 2 Admin. Admin, CAS 2 CAS-ACL., Admin CAS-ACL, cas-auth-type: trusted, CAS-ACL.
trusted CAS-ACL (1):
dn: ou=cas,o=nu
cas-allow: (uid=naito)
cas-auth-type: trusted
CAS-ACL LDAP DIT CAS-ACL subtree root node, uid=naito, CAS-ACL., Admin, CAS-ACL.
trusted CAS-ACL (2):
dn: ou=uportal,ou=cas,o=nu
cas-allow: (uid=kajita)
cas-auth-type: trusted
CAS-ACL, ou=uportal,ou=cas,o=nu subtree root node, uid=kajita, subtree., Admin CAS-ACL, CAS 2.
4
, CAS 2,, 2004 2005.
4.1
4.1.1
([2], MyNU.),,,, 2004, 2005 2 19. MyNU 19 MyNU. 2.
20, (2005 ) MyNU.,,,, 20., 2005. MyNU,,.,,,,.,. MyNU,,, CAS 2. 4.1.2 CAS 2 MyNU,. MyNU CAS 2 LDAP Sun Fire V480 1 CAS 2 Sun Fire V120 (Hot Standby 1 ) LDAP Sun Fire V120 (Hot Standby 1 ) Sun Fire V210 4 Sun Fire V210 1 (+ Hot Standby 1 ) Sun Fire V210, V120 2 Sun Fire V240 1 Table 1: (Figure 13), Nortel Networks Alteon 21. 20,. 2. 21 MyNU, SSL. Alteon SSL, SSL, Alteon., Alteon,, MyNU SSL.
21 Figure 13: MyNU Figure 14: MyNU Login Window, MuNU uportal, Oracle 10g,.,,. uportal Java, uportal Java CAS 2, MyNU CAS 2., Oracle(9i) PL/SQL, PL/SQL CAS 2, MyNU CAS 2 CAS 2. 4.2, 16, 1000, 4000, 2005 2 19 (464 ),
22., 17, 2 4, 6500, 2005 3 9 (203 ),,., 2,., CAS 2, ID 22. 3.4 4.2.1,. 1. MyNU CAS 2 MyNU 2. 3. 4. 1 25,, 1. MyNU CAS 2 MyNU 2. 3. 4. 5., 1. MyNU CAS 2 MyNU 2. 3. 4.,,,,,. 22 ID, ID. (Figure 14).,, MyNU, LDAP ID., LDAP,,.
23,,1,,.,,. 4.2.2,, e-test suite (cf. [3]),.,, CPU 85%. 37.5 1.5 60.0 1.1 17.5 2.4 Table 2:, CAS, 3000.,. 1 10 MyNU. 150. (1 5.), CAS 2, 23. 4.2.3 CAS 2 CAS, 3000. 500 158559 1236 1418207 Table 3: CAS 23, Oracle 9i. SQL 150.
24, (10 ) CAS 2 24. Figure 15:, CAS, Login, 0.2, Validation, 0.05,.
4.2.4 CAS 2.,, 25.
1919 (25.0%)
982 (12.8%) net.bbtec
667 (8.7%) ()
622 (8.1%) jp.ne.dion
597 (7.8%) jp.ne.ocn
402 (5.2%) jp.ne.starcat
235 (3.1%) ()
207 (2.7%) jp.ne.so-net
197 (2.6%) jp.ne.aitai
4199 (57.0%) Windows.XP.MSIE
1757 (23.9%) Windows.2000.Netscape
757 (10.3%) Windows.98.MSIE
201 (2.7%) Windows.2000.MSIE
24 18 20,.,,. 25,,., 1.,.
25 Table 4:,, 30%,. 5,, CAS 2. CAS, Queens University, Central Authentication and Authorization Service. CAS 2, CAS Version 2, CAS Version 3, Spring Framework,., CAS 2 Spring Framework, Central Authentication and Authorization Service., CAS 2. CAS. CAS, CAS., TGC/ST, Java RMI TGC/ST. CAS.,., CAS.,,., CAS., CAS,, 26. CAS., CAS. 26, SSL,.
26
[1] Yale University ITS Technology & Planning, http://tp.its.yale.edu/tiki/tiki-index.php.
[2] https://mynu.jp/.
[3] e-test suite, http://www.fmw.fujitsu.com/services/etestsuite/.
[4] CAS Generic Handler, http://esup-casgeneric.sourceforge.net/.
[5] JA-SIG, http://www.ja-sig.org/.
[6] Central Authentication Service, http://jasigch.princeton.edu:9000/display/cas.
[7] Internet2 Working Group, Shibboleth Architecture, http://docs.internet2.edu/doclib/draft-internet2-mace-shibboleth-architecture-05.html.
[8] CAS Generic Handler, http://esup-casgeneric.sourceforge.net/.
[9] ,,,,, CAS,, Vol. 2005, No. 39, pp. 35-40 (2005).
[10] ,,,,, CAS, WebCT Conference, pp. 115-120 (2005).