单点登录(SSO)字preSS和CakePHP之间 [英] Single Sign On (SSO) between Wordpress and CakePHP
问题描述
我有一个现有的Word preSS站点。该计划是重建使用CakePHP的框架站点。由于时间的限制,我想在一个需要更换的话preSS站点一个单独部分。这将意味着,这两个应用程序将对于在一定时间内可以运行的并排。我需要控制访问使用的Word preSS提供的授权CakePHP的应用程序。我不知道去这样做是最好的方法。我见过类似的问题问了很多,但我还没有找到一个明确的解决方案。
I have an existing Wordpress site. The plan is to rebuild the site using the cakePHP framework. Due to time restrictions, I want to replace individual sections of the Wordpress site one at a time. This will mean that both apps will be running side by side for a certain period of time. I need to control access to the cakePHP app using the authorization provided by Wordpress. I'm not sure the best way to go about doing this. I've seen similar questions asked a lot, but I have not yet found a clear solution.
我正在考虑两种方法:
A计划:
- 配置蛋糕找字preSS的授权饼干。
- 配置蛋糕看字preSS的数据库中。
- 借用一些字preSS的授权逻辑教Cake的验证组件如何WP用户进行身份验证的。
B计划:
- 设置了一个授权API对我的Word preSS站点。
- 设置了独立的身份验证组件的蛋糕。
- 平,当用户点击一个受保护的页面在蛋糕的应用程序,然后手动登录用户的WP终端。 (这将创建第二组AUTH饼干)
做这两种声音的是一个正确的方法呢?有没有更好的方式来做到这一点?
Do either of these sound like the right approach? Is there a better way to do this?
有用的参考资料:<一href=\"http://bakery.cakephp.org/articles/admad/2009/09/02/how-to-bend-cakephp-s-session-handling-to-your-needs\"相对=nofollow>文章有关蛋糕会话处理,的蛋糕验证组件文档,的蛋糕验证教程, WP授权的简要概述,<一个href=\"http://$c$cseekah.com/2012/04/09/why-word$p$pss-authentication-unique-keys-and-salts-are-important/\"相对=nofollow>更深入看字preSS授权
Helpful references: Article about Cake session handling, Cake Auth component documentation, Cake Auth tutorial, brief overview of WP authorization, a more in depth look at wordpress authorization
更新
我们已经开始这方面的工作,而且它看起来像它会工作,但没有涉及到的密码哈希权证<一个非常棘手的方面href=\"http://stackoverflow.com/questions/15774265/password-hashing-for-sso-between-word$p$pss-and-cakephp\">its自己的问题。如果你按照此线程,你可能想看看。
UPDATE We've started working on this, and it seems like it will work, but there is a very tricky aspect involving password hashing that warrants its own question. If you're following this thread, you may want to have a look.
推荐答案
我曾经有过类似的情况:<一href=\"http://stackoverflow.com/questions/11839812/cross-framework-authentication-zend-$c$cigniter\">Cross框架Zend的认证+ codeigniter 这是几个月前...
I once had a similar situation: Cross framework authentication zend + codeigniter which was few months ago...
不管怎么说,这就是我将preFER:
Anyways, this is what I will prefer:
- 设置了一个授权API对我的Word preSS站点。
- 设置了独立的身份验证组件的蛋糕。
- 平,当用户点击一个受保护的页面在蛋糕的应用程序,然后手动登录用户的WP终端。 (这将创建第二组AUTH饼干)
在这里,我建议轻微的变化,这是做,能。
Here, I would suggest a slight change which is do-able.
请确保您有SSO的象征体系。正如,当人被记录在Word中preSS,置另一cookie,将有一个令牌:令牌将用户名+密码(哈希)+密钥,这将是字preSS和CakePHP的一样。在任一站点,查找针对Cookie和手动登录用户或只是执行数据库抬头。散列是该cookie重要!
但是,如果网站使用不同的域,则可能需要重新制定战略:
Make sure, you have a token system of SSO. As in, when person is logged in on Wordpress, set another cookie which will have a token: Token will be username + password (hashed) + secret key, which will be same between Wordpress and CakePHP. On either site, look up for cookie and manually log the user in or just perform a database look up. Hashing is important for that cookie! However, if the site is using different domains, you might need to re-strategize:
我有不同的域一次。在登录或未经授权的网页,我会ping到其他网站,并把他们的登录框。在另一网站,如果用户登录,他们得到后登录页面,如果请求的URI已派出一个道理,我们进行正常运行和授权令牌返回到这个(电流)域。
I had different domains once. At the login or unauthorized page, I would ping the other website and bring up their login box. On the other website if the user is logged in, they get post login page and if request URI has sent a token, we perform normal operation and return the authorized token to this (current) domain.
在简单的话:
站点A =字preSS和放大器;站点B = CakePHP的
Site A = WordPress & Site B = CakePHP
站点B击中一个页面,需要授权的话,平站点A的登录(因为它发生当U不登录,与Facebook的排序),这将通过一个令牌(私钥)请求并REQUEST_URI这将是在站点A SSO验证表的一部分,如果人在随后已经登录,站点A将返回(通过POST)站点B的象征,这将进一步通过(私钥)进行解密,并记录用户在作者私钥B和A将是一样的。
Site B hits a page where authorization is required then, ping Site A for a login (as it happens when u do Login-with-Facebook sort), which will request via a Token (private key) and REQUEST_URI which will be part of SSO verification table on Site A, if person is already logged in then, Site A will return (via POST) a token, which further will be decrypted via (private key) of Site B and log the user in. Private key of B and A will be same.
希望这是可以理解的。
问题吗? :)
回答您的问题在注释:
在理想情况下,我们为什么使用SSO?我们使用它,因为很多限制。例如:你有发言权的一个数据库...一百万行有超过一千表,则需要通过乌尔巨大的应用程序添加一个模块已经......所以,相反,你会使用其他数据库... SSO将返回用户的信息,其可进一步被复制。例如,当你点击登录与Facebook',它返回请求的信息,如电子邮件地址或用户名,甚至个人资料图片。这可以进一步加入到我们的数据库......保持不同数据库,则强烈建议:)
Ideally, why we use SSO? We use it because of many constraints. For example: You have a database of say... a million row with more than thousand tables, you need to add a module over ur huge app already... so, instead, you will use another database... SSO will return user information, which can further be replicated. For example, when you click on 'Login with Facebook', it returns requested information, like email address, or user's name or even profile picture. Which can further be added to our database... Keeping different databases is strongly recommended :)
要你的第二和第三个问题:若两个站点引用同一个用户表不同的数据库中建议,除非您使用的是相同的数据的数据库?或者说改变了软件平台。
To your 2nd and 3rd question: Should both sites reference the same users table in the database? different databases is recommended unless, you are using the same data. Or say changing the software platform.
我应该在特定站点用户的行复制到每个应用单独的用户表?是,这应该自动发生。一旦你在一个主站点注册的,什么也没有发生,一旦你登录已经然后去站点B的事情应该发生......一旦登录,用户信息可以随时要求:)这样,新网站将有活跃用户! 2鸟?
Should I copy the site-specific user rows into separate user tables for each app? Yes, that should happen automatically. Once you are registered on a main site, nothing happens, things should happen once you are logged in already and then go to site B... Once logged in, user info can always be requested :) That way, new site will have active users ! 2 birds?
不要复杂化(烦)自己与怎么样工作的,但是,专注于如何,什么是短期内可以实现的。 SSO - 已登录 - 限制页 - 当心日志插件 - 无论是登录 - 获取用户信息 - - 如果用户信息存在 - 通过二级站点登录或设置新的用户信息,如果已经登录。完成!
Don't complicate (bother) yourself with how what works but, concentrate on how, what is achievable in short period. SSO - Logged in - Restricted page - Look out for log ins - Either login - If already logged in - fetch user info - If user info exists - login via secondary site OR set the new user info . Done!
我们的开发人员喜欢流程图!难道不是吗?我刚刚创建了一个:
We developers love flow charts! Don't we? I just created one:
另外的答案:
是否获取用户信息阶段,意味着我们需要从中登录该网站的用户信息,并在其他网站会自动创建一个新用户(行)?
在理想情况下,你会问许可用户,他们允许之前他们的信息被使用,但它改变你的隐私政策如何。
Ideally, you will ask permission from the user before they 'allow' their info to be used but, it varies how your privacy policies are.
换句话说,一个网站处理所有的注册/用户创作和其他网站只是等待用户来显示出来,并触发自动创建。或在此刻对一个网站用户登记,这两个数据库获取用户插入行?
一个网站处理所有的注册/用户创作和其他网站只是等待用户露面并触发自动创建。的您可以兼得。注册您的网站上,并触发基于自动创建。取决于你的战略。 或在此刻对一个网站用户登记,这两个数据库获取用户插入行?的这将是一个可怕的做法!它会杀死SSO的动机。 SSO的动机是为了建立一个权威性的家庭可以由用户使用,使他们不必再到现在每隔注册不同的网站。在同一时间更新只有一个数据库和其他需要时:)
one site handles all the registration/user-creation and the other site just waits for that user to show up and trigger automatic creation. You can have both. Sign up on your website and also a trigger based automatic creation. Depends on your strategy. OR at the moment a user registers on the one site, BOTH databases get a user row inserted? That would be a horrible practice! It will kill the motive of SSO. Motive of SSO is to create an auth family which can be used by users so that they do not have to register every now and then for different websites. update only one database at a time and other when required :)
问题吗? :)
这篇关于单点登录(SSO)字preSS和CakePHP之间的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
