Spring Security Kerberos chained with basic


Question

I have a hopefully quick question about Spring Security.

I am looking for a solution to integrate security into our application which provides SSO but HTTP basic as well.

One of the automated pieces of our system can only support basic authentication and we are pretty locked into it. Currently we are targeting to use Kerberos for our SSO solution and then also support basic (for very restricted usage). All of this will protect RESTful web services that run through resteasy.

Does anyone see any inherent impossibilities in this solution of both Kerberos and BASIC chained together in Spring Security? We had problems with WildFly and Undertow not being able to support multiple different authentication methods that use HTTP response codes in their handshakes.

Thanks for the input.

Answer

Since this question is a bit tough, I assume you are already familiar with the Spring Security Kerberos samples that show how to configure kerberos auth with a form auth as fallback. I have no evidence that it'll work, but I think you should be able to chain your kerberos auth with basic auth without any problems. I share my thoughts on this...

Thought 1: FilterChains

The trick to support multiple authentication methods is to set the order of the authentication filters correctly. If the order is wrong, the client could hang in the basic auth and might never reach the kerberos authentication filter, because the browser's basic auth dialog would pop up. This might depend a bit on how the basic auth provider and filters are implemented in Spring. Anyway, if the order is correct, the filter next in chain after the kerberos filter (the basic auth filter) will start its work.

Thought 2: Kerberos authentication shouldn't break basic authentication

The browser should treat the communication with the kerberos service provider differently from the communication with the basic auth provider, since the protocols are different. The SAML communication runs in its own namespace, thus in my opinion it shouldn't affect the basic auth communication, which is based on the Authorization element in the HTTP header.

Edit: Even if the assumption about the namespace doesn't play any role in the browser's behavior, step 6 in the sequence diagram (http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-kerberos-browser-sso.html) will be a crucial point. When the filter chaining is correct, Spring should return a 401 response like 401 - Access denied - WWW-Authenticate - Basic realm = "your domain", which will force your browser into basic auth.

Thought 3: Spnego negotiation in Spring Security Kerberos

The Spnego configuration in the Spring Security Kerberos documentation is actually built upon those thoughts. This can be seen in the samples, too, in lines 49 and 50 of this WebSecurityConfig.java.

I would be surprised if you experience troubles.

Final thought

If no requirements force you to do basic auth, I would recommend not using it. Better to stay with token-based authentication. Even if I don't fully agree on all details of this blog, it explains why basic auth shouldn't be used if you can avoid it.
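One concrete shape for the chain the answer describes (filter order from Thought 1, the 401 challenge from the Edit to Thought 2), as an added example that is neither the question's nor the answer's code and not the Spring Security Kerberos sample itself. It assumes spring-security-kerberos with an AuthenticationManager wired elsewhere (as in the samples) to hold a KerberosServiceAuthenticationProvider plus a provider for the Basic-only client; the class names I introduce and the realm string are placeholders.

```java
import java.io.IOException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.kerberos.web.authentication.SpnegoAuthenticationProcessingFilter;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;

// Assumption: the AuthenticationManager is wired elsewhere (as in the Spring Security
// Kerberos samples) with a KerberosServiceAuthenticationProvider for SPNEGO tickets
// and a second provider that knows the Basic-only client's credentials.
@Configuration
@EnableWebSecurity
public class KerberosWithBasicConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().anyRequest().authenticated().and()
            // One 401 that advertises both schemes: a Kerberos-capable browser replies
            // with a Negotiate token, the Basic-only client with an Authorization: Basic header.
            .exceptionHandling().authenticationEntryPoint(new NegotiateOrBasicEntryPoint("your domain")).and()
            .httpBasic().and()
            // Order matters: the SPNEGO filter sits ahead of BasicAuthenticationFilter, so a
            // Negotiate token is consumed first while a Basic header passes through to the next filter.
            .addFilterBefore(spnegoFilter(authenticationManagerBean()), BasicAuthenticationFilter.class);
    }

    private SpnegoAuthenticationProcessingFilter spnegoFilter(AuthenticationManager manager) {
        SpnegoAuthenticationProcessingFilter filter = new SpnegoAuthenticationProcessingFilter();
        filter.setAuthenticationManager(manager);
        return filter;
    }

    /** Entry point offering Negotiate first and Basic as the fallback; realm is a placeholder. */
    static final class NegotiateOrBasicEntryPoint implements AuthenticationEntryPoint {
        private final String realm;
        NegotiateOrBasicEntryPoint(String realm) { this.realm = realm; }

        @Override
        public void commence(HttpServletRequest request, HttpServletResponse response,
                             AuthenticationException ex) throws IOException {
            response.addHeader("WWW-Authenticate", "Negotiate");
            response.addHeader("WWW-Authenticate", "Basic realm=\"" + realm + "\"");
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Access denied");
        }
    }
}
```

Basic credentials travel only base64-encoded, so this chain belongs behind TLS, and the Basic provider should be scoped to the one automated client the question mentions rather than to every user.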

