如何将用户重定向到不同的服务器并包含 HTTP 基本身份验证凭据?
我有一个 Web 应用程序(C# - ASP.net),需要使用 HTTP 基本身份验证将用户传递到远程 Apache 服务器上的页面。我需要能够将用户名和密码传递到该服务器,以允许通过我的应用程序进行身份验证的用户无缝使用其他应用程序,而不会提示输入他没有的凭据。切换应该是安全的,因为只要用户名和密码不在客户端脚本中,两个系统都需要 SSL。有办法做到这一点吗?
I have a web application (C# - ASP.net) that needs to pass a user to a page on a remote Apache server using HTTP Basic Authentication. I need to be able to pass a user name and password to this server to allow users authenticated by my application to seamlessly use the other application without being prompted to enter credentials he doesn't have. The hand-off should be secure since both systems require SSL as long as the user name and password are not in client-side script. Is there a way to do this?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(3)
基本身份验证详细信息编码在客户端名为“Authorization”的请求标头中。标头包含“用户名:密码”的base64编码结果。
例如 Aladdin:open sesame =
授权:基本 QWxhZGRpbjpvcGVuIHNlc2FtZQ==有关 基本访问身份验证维基百科页面。
对于基本身份验证,需要将授权标头添加到每个请求中。通常,在用户将其凭据输入浏览器显示的对话框后,浏览器会处理此问题。如果您想避免让用户输入这些凭据,那么您的 ASP.net 服务器将需要位于用户和 Apache 服务器(充当反向代理)之间,将身份验证标头添加到它代表其转发的每个请求中。您的用户。
不可能简单地访问您的服务器一次,然后将“令牌”添加到请求中,然后重定向到 apache 服务器。如果您使用表单/cookie 进行身份验证,并且您的服务器将自己呈现给同一域内的用户(例如 asp.domain.com 和 apache.domain.com),那么可以将身份验证 cookie 设置为父域(例如domain.com)和共享 - 请参阅表单身份验证子域。
假设 Apache 服务器上的基本身份验证方案不是您可以轻松更改的内容,则看起来像
.net 将使用如下方式处理代理请求中的凭据编码:
Basic authentication details are encoded in the request header named "Authorization" from the client. The header contains the base64 encoded result of "username:password".
e.g. Aladdin:open sesame =
Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==There are more details on the Basic Access Auth wikipedia page.
For basic authentication, the Authorization header needs to be added to every request. Usually the browser will take care of this after the user has entered their credentials into the dialog presented by the browser. If you want to avoid having your users enter these credentials, then your ASP.net server will need to sit in between the user and the Apache server (acting as a reverse proxy) adding the auth headers to every request that it forwards on behalf of your users.
It is not possible to simply visit your server once and for it to add a "token" to the request then redirect to the apache server. This approach would be possible if you were using forms/cookies for authentication and your servers presented themselves to the user as within the same domain (e.g. asp.domain.com & apache.domain.com) then the auth cookie could be set on the parent domain (e.g. domain.com) and shared - see Forms Authentication across sub-domains.
Assuming that the basic auth scheme on the Apache server is not something you can easily change, it seems like the reverse proxy is the best option. In the reverse proxy code, the HttpWebRequest is the means to create each request to the apache server and add the additional authentication headers to it.
.net will deal with encoding the credentials in the proxied request using something like:
尝试使用网址格式 https://username:[电子邮件受保护]
Try using the url format https://username:[email protected]
我唯一能想到的其他事情 - 如果页面没有强行退出,则在框架中加载其网站的页面,通过 javascript 发送数据+控件,以便发送登录信息等等。也许是可行的。
Only other thing I can think of - if the page doesnt force its way out, load a page of their site in a frame, send it data+ controls, via javascript so it sends the login and so on. Might be feasible.