SSO,未知 [英] SSO, the unknown
问题描述
我开始为我们制作的3个不同的网络应用程序开发 SSO 解决方案,并且仍然为同一个客户端维护。
I'm starting to work on a SSO solution for 3 different webapps we've produced and still maintain for the same client.
事实上,所有3个人通过第四个单独的应用程序将他们的用户和登录信息存储在同一个地方,这提供了基本的restful api服务。
这基本上意味着当一个人试图登录时,我们实际上会调用其他服务来询问这个用户名和密码是否正确。
Thing is, all 3 store their users and login information in the same place through a fourth separate application which provides just basic restful api services. Which basically means that when one tries to log into, we actually call the rest service asking whether this username and password are correct.
在某种程度上这第四个restful thingie已经至少我们需要的工作的一半。
In a way this fourth restful thingie already does at least half of the job we need.
我们现在需要的是一种让用户登录webapp A的方法,然后按照链接(或简单地键入其URL)到webapp B(或只是输入其网址)并已经记录(或反之亦然)。
What we need now is a way to let users log into webapp A, then follow a link (or simply type its url) to webapp B (or simply type its url) and get there already logged (or viceversa).
我一直在阅读很多关于 CAS 和 openID 甚至 oauth 的内容,但我无法真正对此作出决定。
这个模式是集中的吗?分散?
I've been reading a lot about CAS and openID or even oauth but can't really make up my mind about it. Is this pattern centralized? Decentralized?
我的一万英尺的视图表明我只是需要将这个缺失的功能添加到我们的restful api服务器中。
My ten-thousand foot view suggests I would somehow just need to add this "missing feature" to our restful api server.
但是如何?
ps:这3个完全分开。部署在不同的机器上(其中2台在glassfish上运行,另一台在tomcat上运行)。不同的域名。
ps: these 3 are completely separated. deployed on different machines (2 of them run on glassfish, the other one runs on tomcat). different domains too.
pps:它们都是弹簧驱动的webapps(因此它们使用 spring-security )
pps: they're all spring-driven webapps (hence they use spring-security)
ppps:截至今天,还有其他使用我们的restul api的webapp(非spring,非java)。
这个sso解决方案可能必须准备好处理它们。
ppps: as of today, there are other webapps using our restul api (non spring, non java). this sso solution might have to be ready to handle those too.
推荐答案
是的,听起来你需要一个真正的单点登录系统而不仅仅是集中的凭证存储库。正如您所提到的,有几种选择:
Yeah it sounds like you need a "true" single sign on system rather than just a centralized credential repository. As you mentioned there are several options:
-
OpenId - 更适合您需要
的互联网类型应用程序允许用户使用
由第三方维护的凭据登录您的系统。 Stackoverflow是一个典型的例子。
您可以使用Google帐户登录等。
OpenId - more suited to an internet type application in which you want to allow users to log into your systems with credentials that are maintained by a third party. Stackoverflow is a classic example. You can sign in with your google account etc.
Oauth提供伪身份验证和sso - 而OpenId说
这是用户xoauth说这个用户可以访问x的
信息...所以你可以假设用户是x。
Oauth provides Pseudo authentication and sso - whereas OpenId says "this is user x" oauth says "this user has access to x's information" ... so you can assume that the user is x.
CAS , Cloudseal , OpenAM 等都提供真正的单
登录,适用于内联网或外联网环境。
CAS和Cloudseal有特别好的Spring支持。
CAS, Cloudseal, OpenAM etc all provide true single sign on and are suitable for an intranet or extranet environment. CAS and Cloudseal have especially good Spring support.
这篇关于SSO,未知的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
