This article explains how to implement single sign-on across multiple JVM-based applications with Spring Security. It should be useful as a reference for solving this kind of problem; interested readers can follow along below.

Problem description

I am currently trying to implement a single sign on solution across multiple JVM based (Grails, Servlets) web applications currently all deployed in the same servlet container (currently Tomcat, but I don't want to limit my solution to just Tomcat). All web applications share a common database.

I've looked at various options, from using CAS or other third party libraries to creating a new web service to handle Single Sign On, but none seem to really satisfy the business. My current implementation involves creating a new jar library which has a common implementation of AuthenticationProviders and Pre-Authentication Filters based on Spring Security.

In this approach I have multiple AuthenticationProviders (currently Active Directory and Database) for the application to authenticate against. Upon successful authentication a row would be inserted in a session table that contains the user, an expiration time, and a token. The token would also be stored as a cookie on the user's machine, and that would be used to validate they have a current session in the Pre-Authentication Filters.

Having never done this before, I want to make sure I'm not creating a huge security problem, and I'd also like to know what I would need to create the token. At this point a simple GUID seems to be sufficient?

Currently we are working on Spring Security 3.0.x, and haven't upgraded to 3.1 yet.

Thanks in advance.

Recommended answer

I ended up solving this problem by doing the following:

I created an AuthenticationSuccessHandler which would add a cookie to the user's session which had identifying information as well as the hostname, to try to secure it as much as possible. (The application was running internally at most customer sites, so the risks here were determined to be minimal, but be careful about cookie jacking.)

Then on each application that needed to have SSO I implemented an AbstractPreAuthenticatedProcessingFilter, and placed it before the authentication filter, which would pull the cookie out and create an Authentication object. Lastly I created an AuthenticationProvider which validated the information from the cookie.

Hopefully that helps someone else in the future for this type of request.
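As an added example (not code from the question or the answer above), here is one way to build the answer's three pieces on Spring Security 3.0.x together with the token issuance the question asks about. The shared session table is modelled by an in-memory SsoSessionStore, and the class names, the SSO_TOKEN cookie name, the 8-hour lifetime and the ROLE_USER authority are all illustrative assumptions, not anything from the original post. Instead of a GUID, the token is 32 bytes from SecureRandom and only its SHA-256 is persisted, so a copy of the session table cannot be replayed as a cookie, and the expiry lives in the table rather than in the cookie so the server stays in control of the session lifetime.

```java
// Added example, not the poster's code. Assumptions (illustrative): SsoSessionStore stands in for the
// shared session table; the cookie name, TTL and ROLE_USER are placeholders. Written against the
// Spring Security 3.0.x and Servlet 2.5 APIs the question mentions.
import java.io.IOException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
import org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;

/** Stand-in for the shared session table: SHA-256(token) -> (user, expiry). Only the hash is stored. */
class SsoSessionStore {
    static final class Row { final String user; final long expiresAt; Row(String u, long e) { user = u; expiresAt = e; } }
    private final Map<String, Row> rows = new ConcurrentHashMap<String, Row>();
    private final SecureRandom rng = new SecureRandom();

    /** 256 bits from SecureRandom; the raw token goes only to the browser, its hash into the table. */
    String issue(String user, long ttlMillis) {
        byte[] raw = new byte[32];
        rng.nextBytes(raw);
        String token = hex(raw);
        rows.put(hash(token), new Row(user, System.currentTimeMillis() + ttlMillis));
        return token;
    }

    /** User for a presented token, or null when unknown or expired (expired rows are purged on sight). */
    String lookup(String token) {
        String key = hash(token);
        Row r = rows.get(key);
        if (r == null) return null;
        if (r.expiresAt < System.currentTimeMillis()) { rows.remove(key); return null; }
        return r.user;
    }

    /** Called on logout so a stolen cookie cannot be replayed until its expiry. */
    void revoke(String token) { rows.remove(hash(token)); }

    private static String hash(String s) {
        try { return hex(MessageDigest.getInstance("SHA-256").digest(s.getBytes("UTF-8"))); }
        catch (Exception e) { throw new IllegalStateException(e); }
    }
    private static String hex(byte[] b) {
        StringBuilder sb = new StringBuilder(b.length * 2);
        for (byte x : b) sb.append(String.format("%02x", x));
        return sb.toString();
    }
}

/** Step 1: after a successful AD or database login, issue a token and set it as a host-wide cookie. */
class SsoCookieSuccessHandler implements AuthenticationSuccessHandler {
    static final String COOKIE = "SSO_TOKEN";
    private final SsoSessionStore store;
    SsoCookieSuccessHandler(SsoSessionStore store) { this.store = store; }
    public void onAuthenticationSuccess(HttpServletRequest req, HttpServletResponse res, Authentication auth)
            throws IOException, ServletException {
        String token = store.issue(auth.getName(), 8L * 60 * 60 * 1000);   // 8-hour SSO session (placeholder)
        // Path=/ lets every webapp context on the host receive it. The header is written by hand so HttpOnly
        // can be set on Servlet 2.5 containers too (Cookie.setHttpOnly only exists from Servlet 3.0).
        res.addHeader("Set-Cookie", COOKIE + "=" + token + "; Path=/; HttpOnly" + (req.isSecure() ? "; Secure" : ""));
        res.sendRedirect(req.getContextPath() + "/");
    }
}

/** Step 2: in each webapp, sits at PRE_AUTH_FILTER and turns the cookie into a PreAuthenticatedAuthenticationToken. */
class SsoCookieFilter extends AbstractPreAuthenticatedProcessingFilter {
    @Override protected Object getPreAuthenticatedPrincipal(HttpServletRequest req) {
        Cookie[] cs = req.getCookies();
        if (cs != null) for (Cookie c : cs) if (SsoCookieSuccessHandler.COOKIE.equals(c.getName())) return c.getValue();
        return null;   // no cookie: the filter skips authentication and the normal login flow runs
    }
    @Override protected Object getPreAuthenticatedCredentials(HttpServletRequest req) { return "N/A"; }
}

/** Step 3: validate the token against the table and build the final Authentication. */
class SsoCookieAuthenticationProvider implements AuthenticationProvider {
    private final SsoSessionStore store;
    SsoCookieAuthenticationProvider(SsoSessionStore store) { this.store = store; }
    public Authentication authenticate(Authentication a) throws AuthenticationException {
        String user = store.lookup(String.valueOf(a.getPrincipal()));
        if (user == null) throw new BadCredentialsException("unknown or expired SSO token");
        // Real authorities would be loaded from the common database; ROLE_USER is a placeholder.
        return new PreAuthenticatedAuthenticationToken(user, a.getCredentials(),
                AuthorityUtils.createAuthorityList("ROLE_USER"));
    }
    public boolean supports(Class<?> c) { return PreAuthenticatedAuthenticationToken.class.isAssignableFrom(c); }
}
```

To wire this up in each webapp, add the filter with `<custom-filter position="PRE_AUTH_FILTER" ref="ssoCookieFilter"/>` inside the `<http>` block and give it the AuthenticationManager, register SsoCookieAuthenticationProvider next to the Active Directory and database providers in `<authentication-manager>`, and point the form login at the handler with `authentication-success-handler-ref`. With the filter's default `continueFilterChainOnUnsuccessfulAuthentication` setting, a stale or forged cookie just clears the security context and the request falls through to the normal login page. Because the cookie is a bearer credential, the HttpOnly and Secure attributes, the server-side expiry and a logout that calls revoke() are what limit the cookie-jacking risk the answer mentions; the in-memory map must of course be replaced by the shared database table for the token to be visible to all the webapps.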

That concludes this article on how to implement single sign-on across multiple JVM-based applications with Spring Security. We hope the recommended answer helps, and thank you for your support!

10-25 02:06