How to authenticate users in the middle tier using Windows authentication
We have a server written in Delphi that uses RemObjects DataAbstract/SDK. We would like to use Windows authentication to authenticate users to allow them access to our server.
Currently we do the following:
1) Client application sends the Windows username and password in clear text to the server.
2) The server checks the credentials using the following function:
uses
  Windows;  // LogonUser, CloseHandle and the LOGON32_* constants

// Validates a username/password pair against the local machine or the domain.
// Only the yes/no result is used here, so the logon token is closed right away.
function ValidateUserLogonAPI(const UserName: string; const Domain: string;
  const PassWord: string): boolean;
var
  Retvar: boolean;
  LHandle: THandle;
begin
  Retvar := LogonUser(PWideChar(UserName),
                      PWideChar(Domain),
                      PWideChar(PassWord),
                      LOGON32_LOGON_NETWORK,     // network-style logon, no interactive session
                      LOGON32_PROVIDER_DEFAULT,
                      LHandle);                  // receives the logon token on success
  if Retvar then
    CloseHandle(LHandle);
  Result := Retvar;
end;
Of course, this method has the disadvantage that the user credentials are passed over the network in clear text. We could encrypt them, but the encryption/decryption keys would have to be shipped within the application.
I'm sure there must be a better way of achieving our goal. I've read a bit about tokens, but don't really understand how they would work in this situation.
Note that the solution must work for both a Delphi Windows client and a Delphi Prism ASP.NET client.
Thanks for any help you can give.
Comments (1)
That's something DataAbstract should handle itself, and if it doesn't it's a half-baked library as Datasnap is :) When it comes to remoting, authenticating/authorizing endpoints and protecting the data exchange is really critical.
Basically, you have to send not the user credentials, but exchange a "token" which both the client and the server know how to authenticate. A full explanation can be complex. You can start from MSDN (look for AcceptSecurityContext() and InitializeSecurityContext()). A possible issue is if DataAbstract has the proper hooks to implement the authentication phase, which may require more than one roundtrip.
As a stopgap measure you can enable IPSec to protect the communication channel and don't let the whole user account be "sniffed" easily.
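The token exchange the answer points at, written out as an added example that is not from the question, the answer or DataAbstract: the server side of an SSPI Negotiate (Kerberos/NTLM) handshake, where each token the client produced with InitializeSecurityContext is fed to AcceptSecurityContext and any reply token is sent back, round trip after round trip, until the context completes, so the password never leaves the client. It assumes the JEDI JwaSspi/JwaWinError units (names follow the Win32 SSPI declarations; pointer-versus-var parameter spelling may differ in other bindings), and TSspiAccept / SspiAcceptStep are hypothetical names.

```delphi
uses
  Windows, SysUtils, JwaWinError, JwaSspi; // JEDI API bindings (assumed); names mirror Win32 SSPI
type
  TSspiAccept = record          // server-side handshake state, one per client session
    Cred: CredHandle;
    Ctx: CtxtHandle;
    HaveCred, HaveCtx: Boolean;
  end;
// One server step of the Negotiate handshake. InToken is what the client produced
// with InitializeSecurityContext; a non-empty OutToken must be sent back to it.
// Returns True once the context is complete: the user is authenticated and the
// server never saw a password. Raises if the package rejects the handshake.
function SspiAcceptStep(var S: TSspiAccept; const InToken: TBytes;
  out OutToken: TBytes): Boolean;
var
  InBuf, OutBuf: SecBuffer; InDesc, OutDesc: SecBufferDesc;
  PrevCtx: PCtxtHandle; Attrs: ULONG; Expiry: TimeStamp; Status: SECURITY_STATUS;
begin
  OutToken := nil;
  if not S.HaveCred then
  begin
    if AcquireCredentialsHandle(nil, 'Negotiate', SECPKG_CRED_INBOUND, nil, nil,
         nil, nil, @S.Cred, @Expiry) <> SEC_E_OK then
      raise Exception.Create('AcquireCredentialsHandle failed');
    S.HaveCred := True;
  end;
  InBuf.BufferType := SECBUFFER_TOKEN;
  InBuf.cbBuffer := Length(InToken);
  InBuf.pvBuffer := Pointer(InToken);
  InDesc.ulVersion := SECBUFFER_VERSION; InDesc.cBuffers := 1; InDesc.pBuffers := @InBuf;
  OutBuf.BufferType := SECBUFFER_TOKEN; OutBuf.cbBuffer := 0; OutBuf.pvBuffer := nil;
  OutDesc.ulVersion := SECBUFFER_VERSION; OutDesc.cBuffers := 1; OutDesc.pBuffers := @OutBuf;
  // First round trip passes nil as the existing context; later ones pass the partial one.
  if S.HaveCtx then PrevCtx := @S.Ctx else PrevCtx := nil;
  Status := AcceptSecurityContext(@S.Cred, PrevCtx, @InDesc,
    ASC_REQ_ALLOCATE_MEMORY or ASC_REQ_CONFIDENTIALITY or ASC_REQ_INTEGRITY,
    SECURITY_NATIVE_DREP, @S.Ctx, @OutDesc, @Attrs, @Expiry);
  S.HaveCtx := (Status = SEC_E_OK) or (Status = SEC_I_CONTINUE_NEEDED);
  if OutBuf.pvBuffer <> nil then
  begin
    SetLength(OutToken, OutBuf.cbBuffer);   // copy the reply token out of SSPI-owned memory
    if OutBuf.cbBuffer > 0 then Move(PByte(OutBuf.pvBuffer)^, OutToken[0], OutBuf.cbBuffer);
    FreeContextBuffer(OutBuf.pvBuffer);
  end;
  if not S.HaveCtx then
    raise Exception.CreateFmt('AcceptSecurityContext failed: 0x%.8x', [Status]);
  // On SEC_E_OK, QuerySecurityContextToken(@S.Ctx, ...) yields the user's access token.
  Result := Status = SEC_E_OK;
end;
```

The function is called once per inbound token on the same TSspiAccept until it returns True; the caller then releases the state with DeleteSecurityContext and FreeCredentialsHandle. SEC_I_COMPLETE_* results, which require CompleteAuthToken, are treated as failures here for brevity.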