如何支持使用散列或加密密码的网络应用程序?

发布于 2024-07-08 05:15:41 字数 680 浏览 8 评论 0原文

在企业环境中支持新的 Web 应用程序时,通常需要以特定用户身份登录才能诊断他们遇到的实际或感知问题。 这里存在两个相反的问题:

  1. 最佳实践是使用散列或加密密码,而不是明文。 有时,中间会有第三方 SSO(单点登录)。 无法检索用户的密码。 除非用户提供(不鼓励),否则无法以该用户身份登录。

  2. 许多网络应用程序都具有个性化和复杂的授权。 不同的用户有不同的角色(管理员、经理、用户),具有不同的权限。 有时,用户只能看到他们的数据——他们的客户或任务。 某些用户具有只读访问权限,而其他用户则可以编辑。 因此,每个用户对网络应用程序的看法都是独一无二的。

假设在企业环境中,无法前往用户的办公桌或直接连接到他们的计算机。

你如何处理这种情况?

编辑:我想重申的是,在大型金融机构或典型的财富 500 强公司中,在全国乃至全世界拥有数十万员工,仅仅某个 IT 部门的开发人员不可能能够直接访问用户的机器。 其中一些是客户使用的面向公众的网络应用程序(例如网上银行和股票交易)。 而且,其中许多是依赖 Active Directory 或 SSO 的 Intranet 应用程序,这意味着许多应用程序的用户凭据是相同的。 我非常感谢大家的建议; 有些在其他类型的环境中可能非常有用。

When supporting a new web app in an enterprise environment, it is often necessary to log in as a specific user in order to diagnose a real or perceived problem they are having. Two opposing issues apply here:

  1. Best practice is to use hashed or encrypted passwords, not clear text. Sometimes, there is a third-party SSO (single sign-on) in the middle. There is no way to retrieve the user's password. Unless the user provides it (not encouraged), there is no way to log in as that user.

  2. Many web app's have personalization and complex authorization. Different users have different roles (admin, manager, user) with different permissions. Sometimes users can only see their data -- their customers or tasks. Some users have read-only access, while others can edit. So, each user's view of the web app is unique.

Assume that in an enterprise environment, it isn't feasible to go to the user's desk, or to connect directly to their machine.

How do you handle this situation?

Edit: I want to reiterate that in a large financial institution or typical Fortune 500 company with hundreds of thousands of employees all of the country, and around the world, it is not possible for a mere developer in some IT unit to be able to directly access a user's machine. Some of those are public-facing web apps used by customers (such as online banking and stock trading). And, many of those are intranet applications rely on Active Directory or an SSO, meaning that user credentials are the same for many applications. I do thank you all for your suggestions; some may be highly useful in other kinds of environments.

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(7

清风挽心 2024-07-15 05:15:41

其中许多想法给用户带来不便,要么强迫他们更改密码,要么占用他们的桌面进行调试会话。

Markc 的想法是最好的:增强您的身份验证逻辑,通过提供的不是用户的凭据,而是用户名及其超级用户凭据,允许超级用户以特定用户身份登录。

我过去这样做过(伪Python):

if is_user_authenticated(username, userpassword):
    login the user
else if ':' in userpassword:
    supername, superpassword = userpassword.split(':')
    if is_superuser_authenticated(supername, superpassword):
        login the user

换句话说,如果用户名和密码没有经过身份验证,如果密码有冒号,那么它实际上是管理员用户名和管理员密码由冒号,因此如果管理员用户名和密码正确,则作为用户名登录。

这意味着您可以以用户身份登录,而无需知道他们的秘密,也不会给他们带来不便。

A number of these ideas inconvenience the user, either by forcing them to change their password, or by occupying their desktop for your debugging session.

Markc's idea is the best: augment your authentication logic to allow superusers to log in as a particular user by supplying not the user's credentials, but the user's name plus their superuser credentials.

I've done it like this in the past (pseudo-ish python):

if is_user_authenticated(username, userpassword):
    login the user
else if ':' in userpassword:
    supername, superpassword = userpassword.split(':')
    if is_superuser_authenticated(supername, superpassword):
        login the user

In other words, if the username and password don't authenticate, if the password has a colon, then it's actually the admin username and admin password joined by a colon, so login as the username if they are the right admin username and password.

This means you can login as the user without knowing their secrets, and without inconveniencing them.

葵雨 2024-07-15 05:15:41

对于我们的网络应用程序,我们使用的过程由于缺乏更好的术语而被定义为“劫持”用户帐户。

基本上,管理员只需单击一下按钮就可以“劫持”用户的帐户。 在代码中,您只需使用唯一标识符(用户 ID 在不太安全的环境中工作),然后在会话中建立必要的凭据,以便它们可以在该用户的配置文件中工作。 为了获得更安全的环境,您可以为每个用户使用唯一的哈希值。

为了确保这种劫持方法的安全,它总是首先验证请求是否是由具有适当权限的经过身份验证的管理员发出的。 因此,为了让某人能够利用应用程序中的劫持功能,必须劫持管理员的会话或捕获其身份验证凭据。

For our web applications we use a process that for lack of a better term is defined as 'hijacking' a user's account.

Basically, administrators can 'hijack' a user's account with a simple button click. In the code, you simply use a unique identifier (user id works in a less secure environment) that then establishes the necessary credentials in the session so that they can then work within that user's profile. For a more secure environment you could use a unique hash for each user.

In order to ensure that this hijack method is secure, it always first verifies that the request is being made by an authenticated administrator with the appropriate rights. Because of this it becomes necessary for either the administrator's session to be hijacked or for their authentication credentials to be captured in order for someone to ever exploit the hijack function within the application.

百变从容 2024-07-15 05:15:41

我有 4 个想法。 当我打字时,已经建议了其中 3 个(所以我对它们投了赞成票)

想法 3 的变体 - 模拟:

为了以最少的代码更改使其与正常登录“尽可能相同”,您可以添加直接模拟的功能通过提供管理员凭据和备用用户名进行登录,例如以管理员身份登录:用户、管理员密码。 系统会将其视为使用用户密码以用户身份登录。

想法 4:你能访问密码存储吗? 如果是这样,请暂时用已知密码的哈希值替换用户的哈希值。 (密码通常在线存储在数据库中。SQL 查询工具可以进行交换)

I had 4 ideas. While I was typing 3 of them were already suggested (so I upvoted them)

Variant on idea 3 - impersonation:

To make this as "identical as possible" to a normal login with minimal code changes, you might add the ability to impersonate directly at login by supplying Admin credentials plus an alternate username, e.g. login as Admin:user, adminpassword. The system would treat this exactly as logging in as user with userpassword.

Idea 4: Can you access the password store? If so, temporarily replace the user's hash with the hash of a known password. (the passwords are often stored online in a database. A SQL Query tool can do the swaps )

初见你 2024-07-15 05:15:41

管理员应该能够更改用户的密码。 将用户的密码更改为您知道的密码。 然后您可以以该用户身份登录。

完成调试后告诉用户重置他/她的密码。

An administrator should be able to change a user's password. Change the password for the user to something you know. You can then log in as that user.

Tell the user to reset his/her password after you are done debugging.

心碎无痕… 2024-07-15 05:15:41

通常通过某种可用于查看桌面的远程控制软件。 如果它们位于 Windows 终端服务器上,则可以使用内置的管理工具。 否则,我会在内部网络中使用 VNC 之类的东西,或者像 LogMeIn 这样的外部服务(http://www.logmein .com/)。

Usually by some sort of remote control software that can be used to view their desktop. If they're on a Windows terminal server, then the built in admin tools can be used for that. Otherwise I'd use something like VNC across an internal network, or an external service like LogMeIn (http://www.logmein.com/).

榆西 2024-07-15 05:15:41
  1. 您是否可以有一个测试环境,其中定期复制实时数据(显然经过清理以满足任何安全或数据保护问题)。 如果允许的话,可以使用与遇到问题的用户类似的设置来进行故障排除,或者实际上可以使用该用户来进行故障排除。

  2. 使用其他答案中提到的远程桌面客户端,但这对您来说可能不切实际。 如果您在域内拥有这些权限,我听说过错误处理,甚至进行屏幕抓取并将其包含在日志中! 但这对我来说听起来有点奇怪。

  3. 您是否可以提供一个管理工具来将用户克隆到模拟帐户中?

  1. Could you have a testing environment where there is a regular cut of live data copied to (obviously sanitised to meet any security or data protection issues). A user similar in setup to the one having trouble could be used to troubleshoot or indeed the very user if this is allowed.

  2. Use a remote desktop client as mentioned in other answers, but again this may not be practical for you. If you have these rights within the domain, I have heard of error handling even doing a screenscrape and including this in logs! but this sounds a little odd to me.

  3. Could you have an admin tool to clone a user into a demo account?

余厌 2024-07-15 05:15:41

我们在 Web 应用程序中使用的解决方案是让 authN/authZ 返回所需的用户作为有效用户。 我们通过使用管理功能来设置伪装来做到这一点,然后当我们请求当前登录的用户(current_user)时,我们处理伪装:

  def current_user_with_effective_user
    if masked?
      current_user_without_effective_user.masquerade_as
    else
      current_user_without_effective_user
    end
  end
  alias_method_chain, :current_user, :effective_user

The solution we have used in our web apps is to have the authN/authZ return the desired user as the effective user. We do this by having an admin feature to setup a masquerade, and then when we ask for the currently logged in user (current_user), we handle the masquerade:

  def current_user_with_effective_user
    if masked?
      current_user_without_effective_user.masquerade_as
    else
      current_user_without_effective_user
    end
  end
  alias_method_chain, :current_user, :effective_user
~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文