Does CAS support application-level impersonation?
I have a PHP application that is successfully authenticating against a CAS server. One of the features supported by the application is impersonation; a user with the appropriate privileges can impersonate another of the application. Generally, this isn't a problem because the app itself can keep track of who the user is impersonating and manage privileges (which are based on username).
A new requirement has come up, though, that requires the original app to include, via an iframe, content from a second PHP app that is also CAS-enabled. Somehow, I need for the second app to know whether impersonation is happening in the first. I don't want to pass usernames around for security reasons, so I'm wondering whether I can offload the responsibility for handling impersonation to the CAS server which is shared by both apps.
Thanks.
Comments (2)
I realise this is a very old question; however, CAS as of v5.1 does support impersonation. It's referred to as surrogate authentication:
https://apereo.github.io/cas/5.1.x/installation/Surrogate-Authentication.html
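An added example, not part of either answer or of the CAS project's code: how the second PHP app could learn about impersonation from its own CAS ticket validation instead of receiving a username through the iframe. It assumes the CAS server releases the surrogate attributes `surrogateEnabled`, `surrogatePrincipal` and `surrogateUser` to the service in a CAS 3.0 validation response; confirm the names and attribute release for your CAS version. The function name and sample XML are hypothetical.

```php
<?php
// Added example. Attribute names are assumed from the CAS surrogate
// authentication documentation; verify them against your CAS version.
const CAS_NS = 'http://www.yale.edu/tp/cas';

/**
 * Parse a CAS validation response and report who is acting as whom.
 * Returns null when validation failed or the XML is not well-formed.
 */
function casSessionFromResponse(string $xml): ?array
{
    $doc = new DOMDocument();
    // LIBXML_NONET: never fetch network resources while parsing.
    if ($xml === '' || !@$doc->loadXML($xml, LIBXML_NONET)) {
        return null;
    }
    $xp = new DOMXPath($doc);
    $xp->registerNamespace('cas', CAS_NS);
    $base = '/cas:serviceResponse/cas:authenticationSuccess';

    $user = $xp->evaluate("string($base/cas:user)");
    if ($user === '') {
        return null; // authenticationFailure or unexpected document
    }
    $attr = fn(string $name): string =>
        $xp->evaluate("string($base/cas:attributes/cas:$name)");

    $impersonated = strtolower($attr('surrogateEnabled')) === 'true';
    return [
        'effective_user' => $user,          // identity the session runs as
        'impersonated'   => $impersonated,
        // Real operator behind the session; differs only for surrogate logins.
        'actor'          => $impersonated ? $attr('surrogatePrincipal') : $user,
    ];
}

// Constructed sample response (not captured from a real server).
$sample = <<<XML
<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationSuccess>
    <cas:user>jsmith</cas:user>
    <cas:attributes>
      <cas:surrogateEnabled>true</cas:surrogateEnabled>
      <cas:surrogatePrincipal>admin1</cas:surrogatePrincipal>
      <cas:surrogateUser>jsmith</cas:surrogateUser>
    </cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>
XML;

print_r(casSessionFromResponse($sample));
```

Both the effective user and the actor come from the server-validated ticket, so the embedded app can log and authorize on the real operator without trusting anything the parent frame sends.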
The more we considered this and tried to get something worked out, it seemed more and more likely that this just isn't available in CAS and perhaps shouldn't be. If we accept that CAS's sole purpose is to identify a user and ensure that the user is who they say they are, then it doesn't make much sense to be someone else.
This is just me speculating about the underlying justification, but I feel pretty comfortable saying that CAS doesn't offer impersonation functionality.