Using Apache's mod_auth across multiple sub-domains for single sign-on?


Question

I have a domain and a group of sub-domains that require authentication to access. I am currently using mod_auth to authenticate users (mod_auth basic) at the domain.tld level. My goal is for single sign-on between the domain and all the sub-domains.

Will these credentials carry on to the sub-domains automatically, or with a simple vhost config change, or is there a better method to do this?

Recommended answer

mod_auth_basic

Browsers distinguish areas that require HTTP authentication by a combination of the URL root and the name of the authentication realm.

Take, for example, two domains, each with a realm with the same name:

http://one.example.com/ with the realm "Please enter credentials!"
http://two.example.com/ with the realm "Please enter credentials!"

First a user visits one, is asked for credentials and enters them. Then the user visits two, the browser recognizes that the URL is different and thus asks the user for her credentials again.

This is a good thing, because otherwise www.badguy.com could set it up so that your browser sends over your online banking login.

In short: there is no way to solve your problem with basic HTTP authentication and standard HTTP clients.

You could use mod_auth_digest instead, since with that you can specify more than one URI to be in the same "protection space". However, with this authentication method there are two new problems:

  1. It doesn't scale very well, because you cannot use wildcard domains.
  2. Browser compatibility is not as good. (See the documentation on how to make it work with IE.)
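A sketch of the mod_auth_digest setup the answer refers to, added here as an illustration and not part of the original answer. The sub-domain names, the realm name and the credential file path are assumptions; `AuthDigestDomain` is the mod_auth_digest directive that lists the URIs of one protection space.

```apache
# Constructed example: app.domain.tld and wiki.domain.tld, the realm
# "domain.tld SSO" and the file path are assumptions. The TLS and
# DocumentRoot directives each vhost already has are left out; only the
# authentication part is shown.
#
# Create the shared credential file once. The realm given to htdigest must
# match AuthName exactly, because the stored hash covers user:realm:password:
#   htdigest -c /etc/apache2/auth/sso.digest "domain.tld SSO" alice

<VirtualHost *:443>
    ServerName domain.tld
    <Location "/">
        AuthType Digest
        AuthName "domain.tld SSO"
        # Every URI in the protection space is listed explicitly. As the
        # answer notes, a wildcard such as *.domain.tld cannot be used, so
        # each new sub-domain has to be added to this line in every vhost.
        AuthDigestDomain "https://domain.tld/" "https://app.domain.tld/" "https://wiki.domain.tld/"
        AuthDigestProvider file
        AuthUserFile "/etc/apache2/auth/sso.digest"
        Require valid-user
    </Location>
</VirtualHost>

<VirtualHost *:443>
    ServerName app.domain.tld
    <Location "/">
        AuthType Digest
        # Same realm and same credential file as the parent domain.
        AuthName "domain.tld SSO"
        AuthDigestDomain "https://domain.tld/" "https://app.domain.tld/" "https://wiki.domain.tld/"
        AuthDigestProvider file
        AuthUserFile "/etc/apache2/auth/sso.digest"
        Require valid-user
    </Location>
</VirtualHost>

# wiki.domain.tld repeats the same <Location "/"> block.
```

Whether a client reuses its credentials across the listed URIs depends on the browser honouring the domain list, which is the compatibility problem named in point 2.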
