Example of using AuthType Digest to authenticate a user once across sub-domains?
Notice: this page is a Chinese-English translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. If you use it, you must follow the same CC BY-SA license, cite the original address and author information, and attribute it to the original authors (not me): StackOverflow
Original address: http://stackoverflow.com/questions/357939/
Asked by
I have a domain that will be accessed by a small, private group of people. So I want to control access via authentication.
The domain has a collection of applications installed that each have their own sub-domain. Eg: domain.com, app1.domain.com, app2.domain.com, app3.domain.com
I'd love to have a single sign-on solution so they don't have to authenticate themselves for each application. Also, the applications are written in different languages (PHP, Python and Perl) so authenticating users through an Apache module is ideal.
I am new to digest authentication, but it seems like a good solution. I have used htdigest to create my users. I have configured my domain and sub-domains (see below).
If I go to the domain or any of the sub-domains it will prompt for a username and password. If I enter a correct username and password, it will authenticate me and the page will load. However, if I go to another sub-domain, it will ask for me to enter a username and password again. If I enter the same username and password, it will work.
So the password file is OK, and authentication is OK, but the problem seems to lie in the configuration of the AuthDigestDomain.
I have searched all over the net to find an example of using Digest authentication on multiple domains, but I cannot find a specific example that solves my problem.
I am hoping someone here can assist. Do I put the same authentication information in every Directory? Should I be using Directory or Location or Files? Have I missed something altogether?
Thanks in advance!
Below is an example of my Apache config for domain.com:
```apache
<Directory /var/www>
AuthType Digest
AuthName "realm"
AuthDigestAlgorithm MD5
AuthDigestDomain / http://domain.com/ http://app1.domain.com/ http://app2.domain.com/ http://app3.domain.com/
AuthDigestNcCheck Off
AuthDigestNonceLifetime 0
AuthDigestQop auth
AuthDigestProvider file
AuthUserFile /etc/apache2/.htpasswd-digest
AuthGroupFile /dev/null
Require valid-user
</Directory>
```
And here is an example of app1.domain.com:
```apache
<Directory /var/lib/app1>
AuthType Digest
AuthName "realm"
AuthDigestAlgorithm MD5
AuthDigestDomain / http://domain.com/ http://app1.domain.com/ http://app2.domain.com/ http://app3.domain.com/
AuthDigestNcCheck Off
AuthDigestNonceLifetime 0
AuthDigestQop auth
AuthDigestProvider file
AuthUserFile /etc/apache2/.htpasswd-digest
AuthGroupFile /dev/null
Require valid-user
</Directory>
```
To baffle things even further, this works when using IE6, but not Firefox or Chrome. Is it the clients not sending the authentication properly, or is it the server not sending the correct credentials?
I have also been reading up on RFC 2617 and written the authentication headers using PHP to ensure that the request/response challenge is correct. This hasn't helped at all!
Accepted answer by Travis Estill
Most browsers do not respect the Digest "domain" directive and will not resend credentials for other URIs. As far as I know, Opera is the only browser that honors it.
For Opera, the server(s) must respond with the same "realm" string for each URI in the domain list. In other words, if domain="/test /example", the server needs to send "Test Realm - example.com" in the WWW-Authenticate header for both of those URIs. I assume Opera does this because it stores H(A1) instead of the actual password for security. Read into RFC2617 for more on this.
Here's my cross-browser solution to this problem: http://travisce.com/arest/
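The two points the accepted answer rests on, that a Digest client only ever needs H(A1) = MD5(user:realm:password), so the realm string must be identical on every host, and that the RFC 2617 `domain` parameter defines a "protection space" the browser has to check before resending credentials unprompted, as an added Python example. This is not code from the question, the answer, or travisce.com; it also covers the question's remark about rebuilding the RFC 2617 headers by hand. The user name, password, nonce and htdigest entry are constructed; `DOMAIN` is the list from the question's AuthDigestDomain line.

```python
import hashlib
import hmac
import re
from urllib.parse import urljoin, urlsplit

# Constructed sample data for this example; none of it comes from the original post.
USER, REALM, PASSWORD = "alice", "realm", "s3cret"
NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"  # a made-up server-issued nonce
DOMAIN = "/ http://domain.com/ http://app1.domain.com/ http://app2.domain.com/ http://app3.domain.com/"


def _h(data: str) -> str:
    """MD5 hex digest, the algorithm the question's config selects (AuthDigestAlgorithm MD5)."""
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def make_htdigest_line(user: str, realm: str, password: str) -> str:
    """Same layout htdigest(1) writes: user:realm:H(A1) with H(A1) = MD5(user:realm:password).
    The realm is baked into the stored hash, so it is also part of the lookup key."""
    return f"{user}:{realm}:{_h(f'{user}:{realm}:{password}')}"


HTDIGEST = make_htdigest_line(USER, REALM, PASSWORD) + "\n"  # stands in for AuthUserFile


def lookup_ha1(htdigest_text: str, user: str, realm: str):
    """Return the stored H(A1) for (user, realm), or None if there is no such entry."""
    for line in htdigest_text.splitlines():
        fields = line.strip().split(":")
        if len(fields) == 3 and fields[0] == user and fields[1] == realm:
            return fields[2]
    return None


def parse_params(header: str) -> dict:
    """Parse the key=value / key="value" list of a Digest WWW-Authenticate or Authorization header."""
    scheme, _, rest = header.partition(" ")
    if scheme != "Digest":
        raise ValueError("not a Digest header")
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|[^,\s]+)', rest)}


def digest_response(ha1: str, method: str, uri: str, nonce: str, nc: str, cnonce: str) -> str:
    """RFC 2617 3.2.2.1 with qop=auth: MD5(H(A1):nonce:nc:cnonce:auth:H(A2)), H(A2) = MD5(method:uri)."""
    ha2 = _h(f"{method}:{uri}")
    return _h(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")


def build_authorization(user, realm, password, method, uri, nonce, nc="00000001", cnonce="0a4f113b"):
    """Client side. Only H(A1) enters the computation, never the password itself, which is why a
    browser can cache H(A1) per realm (the accepted answer's point) and why the realm must match."""
    ha1 = _h(f"{user}:{realm}:{password}")
    response = digest_response(ha1, method, uri, nonce, nc, cnonce)
    return (f'Digest username="{user}", realm="{realm}", nonce="{nonce}", uri="{uri}", '
            f'algorithm=MD5, qop=auth, nc={nc}, cnonce="{cnonce}", response="{response}"')


def verify_authorization(htdigest_text, header, method, request_uri, expected_realm, issued_nonce) -> bool:
    """Server side, roughly what mod_auth_digest does with AuthDigestProvider file."""
    p = parse_params(header)
    if p.get("realm") != expected_realm or p.get("nonce") != issued_nonce:
        return False
    if p.get("qop", "auth") != "auth" or p.get("uri") != request_uri:
        return False  # the signed URI must be the one actually requested
    ha1 = lookup_ha1(htdigest_text, p.get("username", ""), expected_realm)
    if ha1 is None:
        return False
    expected = digest_response(ha1, method, request_uri, issued_nonce, p.get("nc", ""), p.get("cnonce", ""))
    return hmac.compare_digest(expected, p.get("response", ""))


def in_protection_space(domain_param: str, challenge_url: str, request_url: str) -> bool:
    """RFC 2617 3.2.1 'domain': a space-separated list of URIs, absolute or relative to the
    canonical root of the server that sent the challenge; an empty list means that whole server.
    A request is inside the space when its URL starts with one of those prefixes. This is the
    check a browser has to make to resend credentials to app1/app2/app3 without a new prompt."""
    root = "{0.scheme}://{0.netloc}/".format(urlsplit(challenge_url))
    prefixes = [urljoin(root, d) for d in domain_param.split()] or [root]
    return any(request_url.startswith(prefix) for prefix in prefixes)


def cross_host_roundtrip(server_realm: str, client_password: str = PASSWORD) -> bool:
    """The client reuses the H(A1) it derived under the first challenge's realm ("realm") against a
    second host that answers with server_realm. Succeeds only when both hosts send the same realm."""
    header = build_authorization(USER, REALM, client_password, "GET", "/index.html", NONCE)
    return verify_authorization(HTDIGEST, header, "GET", "/index.html", server_realm, NONCE)


if __name__ == "__main__":
    print("same realm on both hosts:", cross_host_roundtrip("realm"))
    print("different realm on app1:", cross_host_roundtrip("app1 realm"))
    print("app2 in protection space:", in_protection_space(DOMAIN, "http://domain.com/", "http://app2.domain.com/x"))
```

`cross_host_roundtrip("realm")` succeeds and `cross_host_roundtrip("app1 realm")` fails even though the user and password are the same, which is the realm requirement the answer describes for Opera; `in_protection_space` is the rule the other browsers would have to implement before the `AuthDigestDomain` list could have any effect on them.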
Answer by innaM
I have no experience with something like this myself. But I just took a look at the Apache documentation and found this:
The AuthDigestNonceLifetime directive controls how long the server nonce is valid. [...] If seconds is less than 0 then the nonce never expires.
So it seems to me that 0 seconds (the value you are using) is either illegal or really tells Apache to expire the nonce after 0 seconds, which would exactly explain the behavior you are getting.
Answer by jsnfwlr
Could a wildcard on the AuthDigestDomain help?
*.domain.com

