Example of authenticating a user once across sub-domains with AuthType Digest?

Published 2024-07-10 20:15:01, 1952 characters, 14 views, 0 comments

I have a domain that will be accessed by a small, private group of people. So I want to control access via authentication.

The domain has a collection of applications installed that each have their own sub-domain. Eg: domain.com, app1.domain.com, app2.domain.com, app3.domain.com

I'd love to have a single sign-on solution so they don't have to authenticate themselves for each application. Also, the applications are written in different languages (PHP, Python and Perl) so authenticating users through an Apache module is ideal.

I am new to digest authentication, but it seems like a good solution. I have used htdigest to create my users. I have configured my domain and sub-domains (See below).

If I go to the domain or any of the sub-domains it will prompt for a username and password. If I enter a correct username and password, it will authenticate me and the page will load. However, if I go to another sub-domain, it will ask for me to enter a username and password again. If I enter the same username and password, it will work.

So the password file is OK, and authentication is OK, but the problem seems to lie in the configuration of the AuthDigestDomain.

I have searched all over the net to find an example of using Digest authentication on multiple domains, but I cannot find a specific example that solves my problem.

I am hoping someone here can assist. Do I put the same authentication information in every Directory? Should I be using Directory or Location or Files? Have I missed something altogether?

Thanks in advance!

Below is an example of my Apache config for domain.com:

<Directory /var/www>
  AuthType Digest
  AuthName "realm"
  AuthDigestAlgorithm MD5
  AuthDigestDomain / http://domain.com/ http://app1.domain.com/ http://app2.domain.com/ http://app3.domain.com/
  AuthDigestNcCheck Off
  AuthDigestNonceLifetime 0
  AuthDigestQop auth
  AuthDigestProvider file
  AuthUserFile /etc/apache2/.htpasswd-digest
  AuthGroupFile /dev/null
  Require valid-user
</Directory>

And here is an example of app1.domain.com:

<Directory /var/lib/app1>
  AuthType Digest
  AuthName "realm"
  AuthDigestAlgorithm MD5
  AuthDigestDomain / http://domain.com/ http://app1.domain.com/ http://app2.domain.com/ http://app3.domain.com/
  AuthDigestNcCheck Off
  AuthDigestNonceLifetime 0
  AuthDigestQop auth
  AuthDigestProvider file
  AuthUserFile /etc/apache2/.htpasswd-digest
  AuthGroupFile /dev/null
  Require valid-user
</Directory>

To baffle things even further, this works when using IE6, but not Firefox or Chrome. Is it the clients not sending the authentication properly, or is it the server not sending the correct credentials?

I have also been reading up on RFC 2617 and written the authentication headers using PHP to ensure that the request/response challenge is correct. This hasn't helped at all!

Comments (3)

晨光如昨 2024-07-17 20:15:01

Most browsers do not respect the Digest "domain" directive and will not resend credentials for other URIs. As far as I know, Opera is the only browser that honors it.

For Opera, the server(s) must respond with the same "realm" string for each URI in the domain list. In other words, if domain="/test /example", the server needs to send "Test Realm - example.com" in the WWW-Authenticate header for both of those URIs. I assume Opera does this because it stores H(A1) instead of the actual password for security. Read into RFC2617 for more on this.

Here's my cross-browser solution to this problem: http://travisce.com/arest/
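The question mentions re-implementing the RFC 2617 request/response in PHP to check the headers, and the answer above hinges on the client caching H(A1) rather than the password. The following Python is an added example, not code from the poster, the answerer, or Apache: it computes the digest exactly as RFC 2617 (qop=auth, algorithm=MD5) specifies, writes an `htdigest`-style entry (user:realm:H(A1)), verifies a client's Authorization value against that entry, and shows why the realm string has to be identical on every host in the domain list. The user name "alice", the password, the nonce "c0ffee1234567890" and the client nonce "0a4f113b" are constructed sample data; the RFC 2617 section 3.5 figures (user "Mufasa", realm "testrealm@host.com", password "Circle Of Life") are the RFC's own worked example.

```python
import hashlib
import hmac
import secrets


def h(data: str) -> str:
    """MD5 hex digest: the H() of RFC 2617 for algorithm=MD5 (what AuthDigestAlgorithm MD5 selects)."""
    return hashlib.md5(data.encode()).hexdigest()


def htdigest_line(user: str, realm: str, password: str) -> str:
    """One line as `htdigest` stores it: user:realm:H(A1), with A1 = user:realm:password.
    The realm is baked into the stored hash, so the server can only verify a client whose
    challenge carried the same realm string, and the client can only reuse its cached H(A1)
    for that realm."""
    return f"{user}:{realm}:{h(f'{user}:{realm}:{password}')}"


def digest_response(ha1: str, method: str, uri: str, nonce: str, nc: str, cnonce: str, qop: str = "auth") -> str:
    """request-digest for qop=auth: H(H(A1):nonce:nc:cnonce:qop:H(A2)) with A2 = method:uri."""
    ha2 = h(f"{method}:{uri}")
    return h(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def client_authorization(user, realm, password, method, uri, nonce, nc=1, cnonce=None, qop="auth"):
    """Authorization field value a client sends back for a qop=auth challenge."""
    cnonce = cnonce or secrets.token_hex(8)
    nc_str = f"{nc:08x}"
    ha1 = h(f"{user}:{realm}:{password}")   # this H(A1) is what a browser caches, not the password
    response = digest_response(ha1, method, uri, nonce, nc_str, cnonce, qop)
    return (f'Digest username="{user}", realm="{realm}", nonce="{nonce}", uri="{uri}", '
            f'qop={qop}, nc={nc_str}, cnonce="{cnonce}", response="{response}"')


def parse_digest_header(value: str) -> dict:
    """Minimal parser for 'Digest k="v", k=v, ...' (assumes no commas inside quoted values)."""
    if not value.startswith("Digest "):
        raise ValueError("not a Digest credential")
    params = {}
    for part in value[len("Digest "):].split(","):
        key, _, val = part.strip().partition("=")
        params[key.strip()] = val.strip().strip('"')
    return params


def server_verify(header_value: str, htdigest_lines: list, method: str, realm: str) -> bool:
    """Server side: recompute the response from the stored H(A1) and compare in constant time."""
    p = parse_digest_header(header_value)
    if p.get("realm") != realm or p.get("qop", "auth") != "auth":
        return False
    for line in htdigest_lines:
        user, file_realm, ha1 = line.strip().split(":")
        if user == p.get("username") and file_realm == realm:
            expected = digest_response(ha1, method, p["uri"], p["nonce"], p["nc"], p["cnonce"])
            return hmac.compare_digest(expected, p["response"])
    return False


def rfc2617_example() -> str:
    """The worked example from RFC 2617 section 3.5; the RFC prints the resulting response value."""
    hdr = client_authorization("Mufasa", "testrealm@host.com", "Circle Of Life", "GET", "/dir/index.html",
                               "dcd98b7102dd2f0e8b11d0f600bfb0c093", nc=1, cnonce="0a4f113b")
    return parse_digest_header(hdr)["response"]


def realm_demo() -> tuple:
    """Constructed data: one htdigest entry created under realm "realm", as in the question's config."""
    password_file = [htdigest_line("alice", "realm", "correct horse")]
    nonce = "c0ffee1234567890"                     # constructed server nonce
    # Same realm on every host: the client's cached H(A1) yields a verifiable response.
    ok_same = server_verify(
        client_authorization("alice", "realm", "correct horse", "GET", "/index.html", nonce, cnonce="0a4f113b"),
        password_file, "GET", "realm")
    # A host answering with a different realm string: neither the client's H(A1) nor the stored
    # one was computed for that realm, so the very same password cannot be verified.
    ok_other_realm = server_verify(
        client_authorization("alice", "app1", "correct horse", "GET", "/index.html", nonce, cnonce="0a4f113b"),
        password_file, "GET", "app1")
    # Right realm, wrong password.
    ok_wrong_pw = server_verify(
        client_authorization("alice", "realm", "wrong", "GET", "/index.html", nonce, cnonce="0a4f113b"),
        password_file, "GET", "realm")
    return ok_same, ok_other_realm, ok_wrong_pw


if __name__ == "__main__":
    print(rfc2617_example())   # compare with the response= value printed in RFC 2617 section 3.5
    print(realm_demo())
```

Running it reproduces the RFC 2617 response value for the Mufasa example, and `realm_demo()` returns (True, False, False): the same password file and the same password only verify when the challenge's realm matches the realm the `htdigest` entry was created with, which is the constraint the answer above describes for a domain list.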

一紙繁鸢 2024-07-17 20:15:01

I have no experience with something like this myself. But I just took a look at the Apache documentation and found this:

    The AuthDigestNonceLifetime directive controls how long the server nonce is valid. [...] If seconds is less than 0 then the nonce never expires.

So it seems to me that 0 seconds (the value you are using) is either illegal or really tells Apache to expire the nonce after 0 seconds, which would exactly explain the behavior you are getting.
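To make the nonce-lifetime reasoning above concrete, here is an added Python model of a server-side nonce (not Apache's code and not the answerer's): the nonce carries its issue time plus a MAC under a server secret, following the time-stamp-and-hash construction RFC 2617 section 3.2.1 suggests, so the server can age it without storing it and a client cannot forge one. `check_nonce` applies the lifetime semantics quoted from the directive's documentation (negative never expires), and `challenge` builds the WWW-Authenticate value with the `domain` list that AuthDigestDomain populates. The server secret, the timeline starting at t=1000 and the hostnames are constructed for the example.

```python
import base64
import hashlib
import hmac

SERVER_SECRET = b"constructed-per-server-secret"   # assumption: a private key only the server knows


def make_nonce(now: int, secret: bytes = SERVER_SECRET) -> str:
    """nonce = base64(timestamp ":" HMAC(secret, timestamp)), modelled on the
    time-stamp H(time-stamp ":" ... ":" private-key) form suggested in RFC 2617 section 3.2.1."""
    ts = f"{now:x}"
    mac = hmac.new(secret, ts.encode(), hashlib.sha256).hexdigest()
    return base64.b64encode(f"{ts}:{mac}".encode()).decode()


def check_nonce(nonce: str, now: int, lifetime: int, secret: bytes = SERVER_SECRET) -> str:
    """Returns "ok", "stale" or "bad". A negative lifetime never expires (as the directive's
    documentation says); otherwise a nonce that has lived `lifetime` seconds or more is stale."""
    try:
        ts, mac = base64.b64decode(nonce, validate=True).decode().split(":", 1)
        issued = int(ts, 16)
    except (ValueError, UnicodeDecodeError):
        return "bad"
    expected = hmac.new(secret, ts.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return "bad"                       # forged or foreign nonce: fresh challenge, no stale flag
    if lifetime < 0:
        return "ok"
    return "ok" if now - issued < lifetime else "stale"


def challenge(realm: str, nonce: str, domain_uris: list, stale: bool = False) -> str:
    """WWW-Authenticate value the server sends. `domain` is the space-separated URI list that
    AuthDigestDomain configures; stale=true tells an RFC 2617 client its credentials are still
    good and only the nonce must be refreshed."""
    value = (f'Digest realm="{realm}", qop="auth", algorithm=MD5, nonce="{nonce}", '
             f'domain="{" ".join(domain_uris)}"')
    if stale:
        value += ", stale=true"
    return value


def lifetime_demo() -> dict:
    """Constructed timeline: one nonce issued at t=1000 and presented at several later times."""
    issued_at = 1000
    nonce = make_nonce(issued_at)
    forged = base64.b64encode(b"3e8:0000").decode()   # right timestamp, made-up MAC
    return {
        "lifetime_0_same_second": check_nonce(nonce, issued_at, 0),        # the question's setting
        "lifetime_300_after_10s": check_nonce(nonce, issued_at + 10, 300),
        "lifetime_300_after_600s": check_nonce(nonce, issued_at + 600, 300),
        "lifetime_neg_after_1day": check_nonce(nonce, issued_at + 86400, -1),
        "forged_nonce": check_nonce(forged, issued_at, 300),
    }


if __name__ == "__main__":
    for case, result in lifetime_demo().items():
        print(f"{case}: {result}")
    print(challenge("realm", make_nonce(1000),
                    ["http://domain.com/", "http://app1.domain.com/"], stale=True))
```

With a lifetime of 0 the nonce is already stale in the second it was issued, so every request is answered with a new challenge; with 300 the same nonce is accepted for five minutes, and a nonce whose MAC does not verify is rejected outright rather than flagged stale.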

画离情绘悲伤 2024-07-17 20:15:01

Could a wildcard on the AuthDigestDomain help?

    *.domain.com