What are the perceived/actual advantages of Kerberos? Are there any viable alternatives to this technology?
We are planning on utilising kerberos in our architecture. I would like to know what perceived or actual advantages this technology has, and if there are any alternatives.
Note that we have a .NET client side and a Java server side. Communication will be via a messaging bus and SOA.
If you are working within a mostly Windows environment (i.e. Windows Server 2k3, a domain controller, Active Directory, etc.), one advantage in particular is that you can use impersonation through .NET with a split web server and database server. Using the older NTLM method, you cannot do a "double-hop".
Let's look at an example:
USER1 hits a page that displays a list of orders. Your WEB1 server has to query DB1 for this info to display on the page. You want to constrain what orders are seen based on the user's credentials and access rights. Thus, you set up active directory groups and assign users accordingly. On your database you give the different groups different security (GROUP1 might have select only and GROUP2 might get select, insert, and update, for example).
NTLM doesn't support the double-hop necessary to do this. WEB1 has to send USER1's credentials to DB1 (otherwise WEB1 must log into DB1 with a known dedicated user ID and password hardcoded into the web.config, for example, that usually has to have full access to support all possible user roles). You can imagine this could be a security hazard should WEB1 be compromised, so you can't do it; otherwise anyone who gains control of WEB1 (via SQL injection perhaps) could do anything the dedicated user account could, or impersonate whomever they want. Kerberos, through delegation on Windows Server, supports doing this second hop by keeping the encrypted credential key from your domain server intact and passed along, as well as verifying that this is allowed (on both ends; see below for setting this up on your servers, because it MUST be EXPLICITLY allowed).
It's very useful to do this when developing intranet web apps that have a database back-end (which is 99% of the time the case, right?) and you want to control authorization and authentication through Windows Integrated Security. Kerberos is really your only choice unless your web server and database server are on the same machine, which means there is no transferring of credentials and no impersonation necessary.
See also:
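The "must be explicitly allowed" setup the answer refers to, as an added example that is not part of the original answer: it registers the SPNs both hops need, grants the WEB1 application-pool account constrained delegation to the SQL SPN only, and then audits the result. Domain CORP / corp.example.com, accounts svc_web (WEB1 app pool) and svc_sql (DB1 SQL Server service), and port 1433 are assumed names.

```powershell
# Added example, not from the original answer. Assumed names: domain CORP /
# corp.example.com, WEB1 app pool running as CORP\svc_web, DB1 SQL Server
# running as CORP\svc_sql on port 1433. Needs the ActiveDirectory module and
# domain-admin rights on a domain-joined admin workstation.
Import-Module ActiveDirectory

$WebSpn = 'HTTP/web1.corp.example.com'
$SqlSpn = 'MSSQLSvc/db1.corp.example.com:1433'

# 1. Both hops need an SPN on the account that actually runs the service,
#    otherwise the KDC cannot issue a service ticket and the browser or the
#    SQL client silently falls back to NTLM, which cannot double-hop.
setspn -S $WebSpn CORP\svc_web
setspn -S $SqlSpn CORP\svc_sql

# 2. Allow svc_web to delegate ONLY to the SQL SPN (constrained delegation).
#    Unconstrained delegation (TrustedForDelegation) is switched off so a
#    compromised WEB1 cannot reuse forwarded tickets against other services.
Set-ADAccountControl -Identity svc_web -TrustedForDelegation $false
Set-ADUser -Identity svc_web -Add @{ 'msDS-AllowedToDelegateTo' = $SqlSpn }

# 3. Audit: true only if the account is constrained and every target it may
#    delegate to is on the allow-list; false if it is unconstrained, has no
#    targets (the second hop will fail), or can reach an unexpected SPN.
function Test-ConstrainedDelegation {
    param([string]$Account, [string[]]$AllowedSpns)
    $u = Get-ADUser -Identity $Account -Properties TrustedForDelegation, 'msDS-AllowedToDelegateTo'
    if ($u.TrustedForDelegation) { return $false }        # unconstrained: too broad
    $targets = @($u.'msDS-AllowedToDelegateTo')
    if ($targets.Count -eq 0) { return $false }           # nothing allowed: no double hop
    foreach ($t in $targets) {
        if ($AllowedSpns -notcontains $t) { return $false }  # stray target
    }
    return $true
}

Test-ConstrainedDelegation -Account 'svc_web' -AllowedSpns @($SqlSpn)
```

On WEB1 the application itself must still use Windows authentication with ASP.NET impersonation enabled and an Integrated Security connection string, so that USER1's ticket, not svc_web's own identity, is what reaches DB1.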