从外部系统认证到 Symfony 2.0 [英] Authentication into Symfony 2.0 from an external System
问题描述
我对 Symfony2 比较陌生.我已经使用 Symfony2 的内置安全机制通过对数据库中的用户进行身份验证构建了一个系统.让我们称这个系统为B"
I am relatively new to Symfony2. I have already built a system using the inbuilt security mechanism of Symfony2 by authenticating users from database. Lets call this system "B"
在不同服务器上的 asp.net 中有一个应用程序使用相同的凭据(我从该系统复制了用户表).让我们称这个系统为A".用户是否可以单击 ASP 应用程序中的链接,将他们重定向到 Symfony2 应用程序并自动对其进行身份验证,而无需重新输入其登录凭据?
There is an application in asp.net on a different server that uses the same credentials (I had copied over the users table from that system). Lets call this System "A". Is it possible for users to click on a link in the ASP application that redirects them to the Symfony2 application and automatically authenticate them without them having to re-enter their login credentials?
我对系统A"的编程控制有限.是否有可能有一个单一/静态/预定义的加密用户凭据,可以从系统 A 使用它来验证系统 B 上的用户(当然提供用户类型作为数据参数,以便我可以将系统 B 中的用户限制为他/她的授权任务).一旦通过身份验证,用户应该能够直接与 symfony2 应用程序交互,就像他们使用系统 B 的登录页面登录一样.
I have limited control on programming the system "A". Is it possible to have a single/static/predefined encrypted user credentials that can be used from system A to authenticate the user on System B (of course providing the type of user as a data parameter so I can restrict the user in System B to his/her authorized tasks). Once authenticated, the user should be able to directly interact with the symfony2 application just as if they had logged in using System B's login page.
更明确地说,这里是事件的流程:
In more clear terms, here is the flow of events:
- 用户登录到 ASP.NET 系统.
- 用户单击链接以重定向到 Symfony2 应用程序
- 用户会自动进行身份验证并根据其对 Symfony2 应用程序的角色获得访问权限
请注意,我无法在 Symfony 服务器上维护用户数据库.我将只提供有关可用的不同用户类型的信息.
Please note that I cannot maintain a user database on the Symfony Server. I will only have information about the different user types available.
我查看了 Symfony2 方法的自定义身份验证提供程序,但不确定它是否能解决将客户端/用户完全重定向到 Symfony2 应用程序的目的.它看起来更像是一种 Web 服务身份验证方法,但我可能错了.
I looked into the Custom authentication provider for Symfony2 method but am not sure if it will solve the purpose of redirecting the client/user entirely to the Symfony2 application. It looked more like a web services authentication method but I might be wrong.
SAML 是实现这一目标的更好选择吗?
Is SAML a better option to achieve this?
推荐答案
首先,这是一个已经解决的问题.OAuth 之类的东西存在是有原因的.我建议在尝试制定自己的解决方案(并处理安全后果)之前先调查一下.
First of all, this is sort of a solved problem. Things like OAuth exist for a reason. I would suggest looking in to that before attempting to cook up your own solution (and dealing with the security ramifications).
但是要回答您的问题:
在我看来,如果不能更改系统A"中的某些内容,就没有安全的方法可以做到这一点.不知何故,Symfony 应用程序需要能够从系统A"获得一些高度不可猜测的哈希令牌,以便它可以对其进行身份验证.其他任何事情都是不安全的.
It seems to me that there is no secure way to do this without being able to change something in system "A". Somehow, the Symfony app needs to be able to get some highly un-guessable hash token from system "A" so that it can authenticate with it. Anything else would be insecure.
理想情况下,您可以让将用户发送到系统A"上的 Symfony 应用程序的表单从用户的用户名和会话或其他内容创建一个哈希值,并在将用户重定向到 Symfony 应用程序时将其与用户一起发送(即在 URL 参数中:类似于 http://symfony-app.com/login?token=[真的很长,无法猜测的哈希]).系统B"会将该哈希值存储在数据库中一段有限的时间,您的 Symfony 应用程序将根据该哈希值进行身份验证.
Ideally, you would make the form that sends users to the Symfony app on system "A" create a hash from the user's username and session or something, and send that along with the user when redirecting them to the Symfony app (i.e. in the URL params: something like http://symfony-app.com/login?token=[the really long, un-guessable hash]). System "B" would store that hash in the database for a limited period of time, and your Symfony app would authenticate against that hash.
这篇关于从外部系统认证到 Symfony 2.0的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
