Centralized Authentication and Authorization for several Web Services


Question

There are several different web services -- various technologies used, such as Java, .NET, Python, Perl, and possibly more in the future -- belonging to different organizations, and the access to those web services has to be restricted.

The idea is to have a central authentication and authorization server, only responsible for granting access to each WS.

I'm looking for a Single Sign On system in which the user authenticates once with the auth server and is granted access to the web services for a limited timespan.

The security requirements are high, so a username/password set isn't enough.

In a quick search I found many different solutions and approaches to the problem, but I don't know the best one for this case -- a technology independent, secure and reliable solution.

Recommended answer

This problem has been largely solved by WS-Trust, at least for SOAP-based web services anyway. WS-Trust is a well-defined protocol for validating and exchanging "authentication tokens", and can be used in cross-enterprise scenarios with protocols such as WS-Federation that are built on it.

One example scenario is to have the clients request a token from the WS-Trust server, then include that token in the SOAP header to the web service host. The flip side is to include something simple like <UsernameToken> in the request to the host, and have the server-side delegate authentication to the WS-Trust server.

There's pretty good client support for WS-Trust -- WCF has support out of the box, and various vendors have J2EE interceptors for JAX-RPC and JAX-WS web services.

While WS-Trust's focus is on authentication, you can do coarse-grained authorization by using logic about when to issue or validate a received token. Don't issue/validate the token, and access is effectively denied. Fine-grained authorization for web services will usually require some custom interceptors, which are vendor-specific.

I work for IBM Tivoli Security, and we have a few products in this space. The first is Tivoli Federated Identity Manager (TFIM). A colleague and myself wrote this article on integrating TFIM with WSE-based web services, which includes an overview of the WS-Trust protocol itself. The second product is Tivoli Security Policy Manager (TSPM), which implements fine-grained authorization for web services.

There are open source implementations of these same protocols, which is the upside of using a standards-based solution. I believe JBoss and WSO have implementations that might be useful.
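An added example, not part of the answer above or of any product it mentions: a minimal Python sketch of the first scenario the answer describes, where a central issuer hands out a short-lived token bound to one service and each host denies any request whose wsse:Security header does not carry a token it can validate. The HMAC-signed `subject|audience|expiry` string is an assumed stand-in for the signed token a real STS would issue (hosts would verify the issuer's signature or call the STS rather than share its key); the envelope and namespace URIs are the standard SOAP 1.1 and WS-Security ones.

```python
import hmac
import hashlib
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"


def issue_token(sts_secret: bytes, subject: str, audience: str, ttl: int, now: int) -> str:
    """Issuer side: token bound to one service ("audience") and to an expiry time.
    Assumed format, standing in for the signed assertion a real STS would return."""
    payload = f"{subject}|{audience}|{now + ttl}"
    mac = hmac.new(sts_secret, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{mac}"


def validate_token(sts_secret: bytes, token: str, audience: str, now: int):
    """Return the authenticated subject, or None when access must be denied."""
    try:
        subject, aud, expires, mac = token.split("|")
    except ValueError:
        return None  # malformed: not something the issuer produced
    payload = f"{subject}|{aud}|{expires}"
    expected = hmac.new(sts_secret, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None  # integrity check failed: the token was not issued as-is
    if aud != audience or now >= int(expires):
        return None  # issued for another service, or past its limited timespan
    return subject


def build_soap_request(token: str, body_xml: str) -> str:
    """Client side: carry the token in the wsse:Security SOAP header."""
    return (
        f'<s:Envelope xmlns:s="{SOAP}" xmlns:wsse="{WSSE}"><s:Header><wsse:Security>'
        f"<wsse:BinarySecurityToken>{escape(token)}</wsse:BinarySecurityToken>"
        f"</wsse:Security></s:Header><s:Body>{body_xml}</s:Body></s:Envelope>"
    )


def authorize_request(sts_secret: bytes, envelope: str, service: str, now: int):
    """Host side: decide on the header alone, before the body is dispatched."""
    root = ET.fromstring(envelope)
    path = f"{{{SOAP}}}Header/{{{WSSE}}}Security/{{{WSSE}}}BinarySecurityToken"
    node = root.find(path)
    if node is None or not node.text:
        return None  # no token presented: denied, never fall back to the body
    return validate_token(sts_secret, node.text, service, now)
```

A token issued for one service is rejected by every other host, and an expired or altered token is rejected everywhere, which is the coarse-grained authorization the answer describes.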