在站点之间传递凭据
我在具有两个不同域的两台不同服务器上运行两个不同的站点。 一个站点运行 Joomla,另一个站点运行 Moodle。 我已将 Moodle 服务器配置为基于 Joomla 站点上的用户表进行身份验证,因此我们拥有权威的用户信息来源。
我想做的是:在有人登录 Joomla 站点后,提供一个指向 Moodle 站点的链接,该链接将默默地让他们登录,有点伪造单点登录解决方案。 Joomla 中的密码经过 MD5 处理,并且每个密码都有自己的秘密盐。
如何解决这个问题的第一个想法是告诉 Moodle 密码以纯文本形式存储,然后通过隐藏的表单输入,在单击链接时发送加密的密码。 除了明显的安全问题之外,这还意味着如果他们尝试通过 Moodle 界面登录,他们需要输入一个巨大的 MD5 字符串,因为这就是 Moodle 认为他们的密码。
我一直在考虑更改 Moodle 中的身份验证模块,以便如果提交的密码符合某些条件(例如:它是 32 个十六进制字符),那么在与 Joomla 版本进行比较之前不要对其进行 MD5 - 问题是任何人都可以(发现加密密码后)然后使用它来登录。我需要的是某种特殊的方式将加密密码从 Joomla 发送到 Moodle 并向 Moodle 发出信号以不同方式处理该登录请求。
有什么想法吗?
I am running two different sites on two different servers with two different domains. One site is running Joomla, the other Moodle. I have configured the Moodle server to base its authentication on the users table on the Joomla site, so we have an authoritative source of user information.
What I'd like to do is this: after someone signs in to the Joomla site, provide a link to the Moodle site which will silently log them in, kind of faking a single-sign-on solution. The passwords in Joomla are MD5'd and each has its own secret salt.
The first thought at how to tackle this was to tell Moodle that the passwords were being stored in plain text, then via a hidden form input, send the encrypted password when they click the link. Aside from the obvious security issues with that, it also meant that should they try to log in via the Moodle interface, they'd need to enter a giant MD5 string, since that's what Moodle thinks their password is.
I've been considering changing the authentication module in Moodle so that if the submitted password matches certain criteria (eg: it's 32 hex characters), then don't MD5 it before comparing to the Joomla version - the problem with that is that anyone could (upon discovering the encrypted password) then use that to log in. What I need is some special way to send the encrypted password from Joomla to Moodle and to signal to Moodle to treat that login request differently.
Any thoughts?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(3)
您可以对安全的单点登录解决方案执行以下操作:
You can do the following for a Secure single-sign-one solution :
您可以使用 Pro Moodle (http://www.promoodle.com/) 或 JFusion (http://www.jfusion.org/) 两者都支持为 Joomla / Moodle 创建单点登录系统系统。
这里还有一个指南: http://myjoomlaextensions.com/images/fbfiles/ files/MoodleBridge.pdf 到“Moodle 和 Joomla 之间的桥梁。
这里有一个修改 Moodle 代码以创建单点登录系统的指南:http://moodle.org/mod/forum/discuss.php?d=45126#211486(谨慎使用!) 。
尝试在不同领域使用这些解决方案的效果可能会有所不同
Could you use Pro Moodle (http://www.promoodle.com/) or JFusion (http://www.jfusion.org/) both of which proport to create a single sign on system for Joomla / Moodle system.
There is also a guide located here: http://myjoomlaextensions.com/images/fbfiles/files/MoodleBridge.pdf to "bridge between Moodle and Joomla.
There is a guide to modifying the Moodle code to create a single sign on system here: http://moodle.org/mod/forum/discuss.php?d=45126#211486 (use with caution!).
Your milage may vary trying to use these solutions across different domains.
如果您使用 Joomla! 1.5,不要忘记用户插件。 看一下plugins/user/example.php。 您可以在 onLoginUser 事件期间捕获密码,这可以帮助您桥接系统。
If you're using Joomla! 1.5, don't forget user plugins. Take a look at plugins/user/example.php. You can capture the password during the onLoginUser event which may help you bridge the systems.