Implementing a token authentication

Question

Which steps must I follow to implement token authentication in my web page?

Any summary or links will be appreciated.

I want to implement something similar to Facebook or Google: the first time the client logs in it receives a token, and then it uses that token in the next actions. I also read about OAuth, but I don't want to give 3rd parties access to my application.

Thanks for the long response; it seems clear to me that I need to read more about this.

What I want is to know the "steps" to implement a basic web application that uses token authentication. That is, the user logs in once and can then perform some actions: add content, edit, etc.

I know what I'm describing is similar to a session, where the server adds a SESSION_ID in the HTML header and later requests are identified and associated with that session. I read that the session approach doesn't scale well, so I want to implement a system similar to what Gmail or Facebook had before they went to OAuth. Probably I'm talking about something similar to OAuth (I haven't read about it in much depth), but two-legged instead of three-legged.

Answer

You should think about your requirements, pick an appropriate protocol and some decent piece of software that implements it.

It's really hard to say more without more details:

  • Are you talking about authenticating one web application or several? Do you need single sign-on between different web applications?

  • Should all user data be stored on your server, or should users be able to log in with e.g. a Google account?

  • Should the token carry information about the user?

  • On what platform is the application developed?

  • What authentication method should be used?

  • Do you want to implement a portal?

There is a really wide range of protocols and tools which might or might not fit your requirements:

http://en.wikipedia.org/wiki/Category:Authentication_methods

http://en.wikipedia.org/wiki/Category:Identity_management_systems

I personally like CAS ( http://www.jasig.org/cas ) for token-based SSO between multiple web applications. It's Java based but also has some support for PHP and .Net.

OpenID is fine if you want to allow users to log in with their Google, Yahoo, whatever account (configurable...) and don't want to store user information yourself.

Kerberos/SPNEGO is the way to go if you want to have integrated Windows SSO for your corporate intranet applications.

For university applications SAML/Shibboleth is probably best. Outside universities it's somewhat less popular, probably because it's a fairly complex protocol.

Oh, and I almost forgot: most web frameworks/standards have their own version of plain-old "form based authentication", where a user goes to a login form and enters their username and password. Both are transported, with or without SSL, to the web/application server. The server validates them against some kind of database and gives a cookie to the user, which is transmitted and validated every time the user sends a request. But beside all these shiny protocols this seems pretty boring :-)

And before doing anything with web authentication, you might think for a moment about web security in general ( http://journal.paul.querna.org/articles/2010/04/11/internet-security-is-a-failure/ http://www.eff.org/files/DefconSSLiverse.pdf ) and what you can do to not make it even worse on your site ( http://www.codinghorror.com/blog/2008/08/protecting-your-cookies-httponly.html http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010.pdf ).
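The "steps" the question asks for, and the form-based login-then-cookie flow the answer sketches, as an added example that is not part of the question or the answer. It uses only the Python standard library, and it takes the stateless route the asker hints at: the server signs an expiring token with an HMAC key instead of keeping a session record, so any server holding the key can validate a request without a shared session store. The signing key, the user table, the token format and the sample user are all assumptions constructed for the example.

```python
"""Minimal token-authentication flow (added example, stdlib only).

 1. client sends username + password to a login endpoint (over TLS)
 2. server checks the password against a salted PBKDF2 hash
 3. server issues a signed, expiring token instead of a server-side session
 4. client sends the token on every later request ("Authorization: Bearer ...")
 5. server verifies signature and expiry on each request; no session store needed
"""
import base64
import hashlib
import hmac
import os
import secrets
import time
from typing import Dict, Optional, Tuple

# Assumed: a per-deployment signing key loaded from a secrets store at startup.
# Generated at import time here only so the example runs stand-alone.
SERVER_KEY = secrets.token_bytes(32)
TOKEN_TTL = 3600          # seconds a token stays valid
PBKDF2_ROUNDS = 200_000

UserTable = Dict[str, Tuple[bytes, bytes]]   # username -> (salt, password hash)


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def register(users: UserTable, username: str, password: str) -> None:
    """Store a fresh random salt and the PBKDF2 hash; the password itself is never kept."""
    salt = os.urandom(16)
    users[username] = (salt, hash_password(password, salt))


def check_password(users: UserTable, username: str, password: str) -> bool:
    record = users.get(username)
    if record is None:
        # Same amount of work for unknown users, so timing does not reveal which usernames exist.
        hash_password(password, b"\x00" * 16)
        return False
    salt, stored = record
    return hmac.compare_digest(stored, hash_password(password, salt))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(username: str, now: Optional[float] = None) -> str:
    """Token = base64url(username:expiry) + "." + base64url(HMAC-SHA256 over that payload)."""
    now = time.time() if now is None else now
    payload = f"{username}:{int(now) + TOKEN_TTL}".encode("utf-8")
    sig = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return b64url_encode(payload) + "." + b64url_encode(sig)


def verify_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the username the token was issued to, or None if malformed, forged or expired."""
    now = time.time() if now is None else now
    try:
        payload_b64, sig_b64 = token.split(".", 1)
        payload = b64url_decode(payload_b64)
        sig = b64url_decode(sig_b64)
    except ValueError:            # wrong shape or bad base64 (binascii.Error is a ValueError)
        return None
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    # Check the MAC in constant time before trusting anything inside the payload.
    if not hmac.compare_digest(sig, expected):
        return None
    username, sep, exp_text = payload.decode("utf-8", errors="replace").rpartition(":")
    if not sep or not exp_text.isdecimal() or int(exp_text) <= now:
        return None
    return username


def login(users: UserTable, username: str, password: str) -> Optional[str]:
    """Steps 1-3: exchange credentials for a token, or None on bad credentials."""
    if not check_password(users, username, password):
        return None
    return issue_token(username)


def authenticate_request(headers: Dict[str, str], now: Optional[float] = None) -> Optional[str]:
    """Steps 4-5: identify the caller from an Authorization: Bearer header, or None."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not token.strip():
        return None
    return verify_token(token.strip(), now)


if __name__ == "__main__":
    users: UserTable = {}
    register(users, "alice", "correct horse battery staple")   # constructed sample user
    token = login(users, "alice", "correct horse battery staple")
    print("login ok:", token is not None)
    print("request as:", authenticate_request({"Authorization": f"Bearer {token}"}))
    print("tampered:", authenticate_request({"Authorization": f"Bearer {token}x"}))
```

Two caveats a practitioner will hit with this design. A stateless token cannot be revoked before its expiry, so if "logout" must take effect immediately you either keep a short TTL plus a server-side denylist, or go back to opaque random tokens (`secrets.token_urlsafe`) looked up in a shared store. And if the token is delivered as a cookie rather than a Bearer header, it needs the HttpOnly, Secure and SameSite attributes the answer's codinghorror link discusses, plus a CSRF defence, because the browser will attach it to cross-site requests automatically; the header form avoids that but must be set by your own JavaScript.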
