Using Apache's mod_auth across multiple sub-domains for single sign-on?
Problem description
I have a domain and a group of sub-domains that require authentication to access. I am currently using mod_auth to authenticate users (mod_auth basic) at the domain.tld level. My goal is for single sign-on between the domain and all the sub-domains.
Will these credentials carry on to the sub-domains automatically, or with a simple vhost config change, or is there a better method to do this?
Recommended answer
mod_auth_basic
Browsers distinguish areas that require HTTP authentication by a combination of the URL root and the name of the authentication realm.
Take for example, two domains each with a realm with the same name:
http://one.example.com/ with the realm "Please enter credentials!"
http://two.example.com/ with the realm "Please enter credentials!"
First a user visits one, is asked for credentials and enters them. Then the user visits two, the browser recognizes that the URL is different and thus asks the user again for her credentials.
This is a good thing, because otherwise www.badguy.com could set it up so that your browser sends over your online banking login.
In short: there is no way to solve your problem with basic HTTP authentication and standard HTTP clients.
You could use mod_auth_digest instead, since with that you can specify more than one URI to be in the same "protection space". However, with this authentication method there are two new problems:
- It doesn't scale very well, because you cannot use wildcard domains.
- Browser compatibility is not as good. (See the documentation on how to make it work with IE.)
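
The mod_auth_digest setup mentioned above, written out as an added example that is not part of the original answer. The hostnames and realm are the ones used in the answer; the password-file path and user name are assumptions, and both virtual hosts are assumed to run in the same httpd instance.

```apache
# Constructed example. Create the shared credential file once; the realm
# argument must match AuthName exactly, because the stored hash includes it:
#   htdigest -c /etc/apache2/sso.htdigest "Please enter credentials!" alice

<VirtualHost *:80>
    ServerName one.example.com
    <Location "/">
        AuthType Digest
        AuthName "Please enter credentials!"
        # URI prefixes that share this protection space. Every host has to be
        # listed explicitly; as the answer notes, there is no wildcard form.
        AuthDigestDomain "http://one.example.com/" "http://two.example.com/"
        AuthDigestProvider file
        AuthUserFile "/etc/apache2/sso.htdigest"
        Require valid-user
    </Location>
</VirtualHost>

<VirtualHost *:80>
    ServerName two.example.com
    <Location "/">
        AuthType Digest
        # Same realm, same domain list and same credential file as above,
        # so a response computed for one host is valid on the other.
        AuthName "Please enter credentials!"
        AuthDigestDomain "http://one.example.com/" "http://two.example.com/"
        AuthDigestProvider file
        AuthUserFile "/etc/apache2/sso.htdigest"
        Require valid-user
    </Location>
</VirtualHost>
```

Whether a client actually reuses the credentials on the second host depends on it honouring the domain list in the challenge, which is the browser-compatibility caveat from the answer.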