Passing credentials between sites

Problem description

I am running two different sites on two different servers with two different domains. One site is running Joomla, the other Moodle. I have configured the Moodle server to base its authentication on the users table on the Joomla site, so we have an authoritative source of user information.

What I'd like to do is this: after someone signs in to the Joomla site, provide a link to the Moodle site which will silently log them in, kind of faking a single-sign-on solution. The passwords in Joomla are MD5'd and each has its own secret salt.

The first thought at how to tackle this was to tell Moodle that the passwords were being stored in plain text, then via a hidden form input, send the encrypted password when they click the link. Aside from the obvious security issues with that, it also meant that should they try to log in via the Moodle interface, they'd need to enter a giant MD5 string, since that's what Moodle thinks their password is.

I've been considering changing the authentication module in Moodle so that if the submitted password matches certain criteria (eg: it's 32 hex characters), then don't MD5 it before comparing to the Joomla version - the problem with that is that anyone could (upon discovering the encrypted password) then use that to log in. What I need is some special way to send the encrypted password from Joomla to Moodle and to signal to Moodle to treat that login request differently.

Any ideas?

Recommended answer

You can do the following for a secure single-sign-on solution:

  • Generate a random (with a PRNG) token for the Joomla user (and store it)
  • Send this token internally (via a web service etc., keeping it over HTTPS or a local data source) to Moodle
  • While sending this token, you should also tell Moodle which user id the token belongs to (so send token + user id)
  • Store this token + user id in Moodle
  • In Joomla, create the link with this token (you can use the querystring since you will expire the token right after its first use, but POST would be better)
  • When you see this token in Moodle, log in the associated user and invalidate the token (so it is safe against attacks etc.)
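A minimal version of the token hand-off described in the answer, as an added example (not code from the original post, nor from Joomla or Moodle). The in-memory MoodleTokenStore, the 60-second TTL and the user ids are assumptions, and the internal Joomla-to-Moodle transport is represented by a direct call:

```python
import hashlib
import secrets
import time

# Assumed lifetime of an unredeemed token (not specified in the answer)
TOKEN_TTL_SECONDS = 60


class MoodleTokenStore:
    """Constructed stand-in for the token table Moodle would keep."""

    def __init__(self):
        self._tokens = {}  # sha256(token) -> (user_id, expires_at)

    @staticmethod
    def _digest(token):
        # Store only a hash, so a leaked table cannot be used to log in
        return hashlib.sha256(token.encode()).hexdigest()

    def register(self, token, user_id, now=None):
        # Moodle side of the internal HTTPS call: record token + user id
        now = time.time() if now is None else now
        self._tokens[self._digest(token)] = (user_id, now + TOKEN_TTL_SECONDS)

    def redeem(self, token, now=None):
        # Called when the user follows the link: single use, then invalidated
        now = time.time() if now is None else now
        entry = self._tokens.pop(self._digest(token), None)  # pop invalidates
        if entry is None:
            return None  # unknown token, or already used (replay)
        user_id, expires_at = entry
        if now > expires_at:
            return None  # expired before the user followed the link
        return user_id


def joomla_issue_token(store, user_id, now=None):
    # Joomla side: CSPRNG token, pushed to Moodle, then placed in the link
    token = secrets.token_urlsafe(32)
    store.register(token, user_id, now)
    return token
```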
