Using Apache's mod_auth across multiple sub-domains for single sign-on?

Notice: this page is a Chinese-English side-by-side translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. You are free to use and share it, but you must do so under the same CC BY-SA license, cite the original URL and author information, and attribute it to the original authors (not me). StackOverflow original: http://stackoverflow.com/questions/339244/

Time: 2020-09-13 17:00:05  Source: igfitidea

apache authentication single-sign-on mod-auth

Asked by

I have a domain and a group of sub-domains that require authentication to access. I am currently using mod_auth to authenticate users (mod_auth basic) at the domain.tld level. My goal is for single sign-on between the domain and all the sub-domains.

Will these credentials carry on to the sub-domains automatically, or with a simple vhost config change, or is there a better method to do this?

Answered by

mod_auth_basic

Browsers distinguish areas that require HTTP authentication by a combination of the URL root and the name of the authentication realm.

Take for example, two domains each with a realm with the same name:

http://one.example.com/ with the realm "Please enter credentials!"
http://two.example.com/ with the realm "Please enter credentials!"

First a user visits one, is asked for credentials and enters them. Then the user visits two, the browser recognizes that the URL is different and thus asks the user again for her credentials.

This is a good thing, because otherwise www.badguy.com could set it up so that your browser sends over your online banking login.

In short: there is no way to solve your problem with basic HTTP authentication and standard HTTP clients.

mod_auth_digest

You could use mod_auth_digest instead, since with that you can specify more than one URI to be in the same "protection space". However, with this authentication method there are two new problems:

  1. It doesn't scale very well, because you cannot use wildcard domains.
  2. Browser compatibility is not as good. (See the documentation on how to make it work with IE.)
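
The mod_auth_digest approach from the answer above, sketched as an added example that is not part of the original answer: each virtual host uses the same realm and password file and lists every host in `AuthDigestDomain`, so a client that honours the Digest `domain` parameter can treat them as one protection space. The hostnames are the ones from the answer's example; the realm name and the password file path are assumptions.

```apache
# Added example, not from the original answer.
# Assumed values: realm "Members Area", file /etc/apache2/auth/members.htdigest
# (create entries with: htdigest /etc/apache2/auth/members.htdigest "Members Area" alice)

<VirtualHost *:80>
    ServerName one.example.com

    <Location "/">
        AuthType Digest
        # The realm must be identical on every host: it is part of the
        # protection space and of the hash stored in the htdigest file.
        AuthName "Members Area"
        # Every URI root sharing the credentials has to be listed explicitly;
        # wildcard domains are not possible (problem 1 in the answer).
        AuthDigestDomain "http://one.example.com/" "http://two.example.com/"
        AuthDigestProvider file
        AuthUserFile "/etc/apache2/auth/members.htdigest"
        Require valid-user
    </Location>
</VirtualHost>

<VirtualHost *:80>
    ServerName two.example.com

    <Location "/">
        AuthType Digest
        AuthName "Members Area"
        # Same list as on one.example.com, so the challenge from either host
        # advertises both URI roots.
        AuthDigestDomain "http://one.example.com/" "http://two.example.com/"
        AuthDigestProvider file
        AuthUserFile "/etc/apache2/auth/members.htdigest"
        Require valid-user
    </Location>
</VirtualHost>
```

Whether the second host is reached without a new prompt depends on the client honouring the advertised domain list, which is the browser-compatibility caveat the answer raises.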