how to do single-sign-on (SSO) between two web apps, PHP and Java EE?


Question


I have an existing Java EE web application running on GlassFish 3.1. Sign in works fine through the jdbcRealm configured in GlassFish 3.1.


Someone on another team is developing a separate web application in PHP, the boss doesn't want the user of the apps to have to sign in twice. That is, when they are signed in to the Java web app and they click a link that takes them to the PHP app, they should already be signed in to that app as well. (And vice-versa.)


Not sure how to implement this. I was thinking that I could generate a long random key (a token) that gets generated on log in of either app, and passed around in every web request for either app to identify a logged in user, but that doesn't seem safe.


I need pointers in the right direction.

Answer

You said:

I was thinking that I could generate a long random key (a token) that gets generated on log in of either app, and passed around in every web request for either app to identify a logged in user, but that doesn't seem safe.


But that's essentially how sessions work.

Your best bet is to generate a unique login identifier (as you said), store it in a database or memory cache accessible by both apps, and find a way to save it such that both web apps can retrieve it.

If both apps are on the same root domain, you can use a cookie with path set to / so both apps can access it.

If both apps are going to be on different root domains, then it will be a little more tricky.


As for security regarding the identifier token being passed around, you could regenerate the identifier on each request, which guards against cookie jacking.
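The shared-store design from the answer above (one random token in a root-domain cookie, session state kept in a store both apps can reach, token rotated on every request), as an added example in Python; it is not code from the original post or from either app. The in-memory dict, the user table, the cookie name sso and the domain example.com are constructed stand-ins for the shared DB/memcache, the jdbcRealm and the real deployment; the two App objects stand in for the Java EE and PHP apps, which share nothing but the store and the cookie contract.

```python
import hashlib
import secrets
import time

SESSION_TTL = 3600           # seconds a session stays valid without a request
COOKIE_NAME = "sso"          # assumed cookie name both apps agree on
ROOT_DOMAIN = "example.com"  # assumed: both apps are served under this root domain

# Constructed user table shared by both apps (password hashes, never plaintext).
_SALT = secrets.token_bytes(16)


def _hash_pw(pw: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), _SALT, 100_000)


USERS = {"alice": _hash_pw("correct horse battery staple")}


class SharedSessionStore:
    """Stand-in for the DB/memcache both apps can reach.

    Keyed by SHA-256(token) so that a dump of the store does not yield
    tokens that can be replayed against either app.
    """

    def __init__(self):
        self._sessions = {}

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def _issue(self, user_id: str, now: float) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits from the CSPRNG
        self._sessions[self._key(token)] = {"user": user_id, "expires": now + SESSION_TTL}
        return token

    def create(self, user_id: str, now: float) -> str:
        return self._issue(user_id, now)

    def consume(self, token: str, now: float):
        """Validate and retire `token`; return (user_id, replacement_token) or None.

        Rotating on every request means a stolen cookie is only usable until the
        legitimate browser's next request; any later replay of the old value is
        rejected here because its key has already been popped from the store.
        """
        sess = self._sessions.pop(self._key(token), None)
        if sess is None or sess["expires"] < now:
            return None
        return sess["user"], self._issue(sess["user"], now)


def set_cookie_header(token: str) -> str:
    """Cookie attributes both apps must agree on: Domain=root domain, Path=/ so each app receives it."""
    return (f"{COOKIE_NAME}={token}; Domain={ROOT_DOMAIN}; Path=/; "
            f"Max-Age={SESSION_TTL}; Secure; HttpOnly; SameSite=Lax")


def token_from_cookie_header(cookie_header: str):
    """Pull the sso token out of a request's Cookie header, which may carry several cookies."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == COOKIE_NAME and value:
            return value
    return None


def cookie_for_next_request(set_cookie: str) -> str:
    """What the browser sends back: only the name=value pair of a Set-Cookie header."""
    return set_cookie.split(";", 1)[0]


class App:
    """Either web app; the only things they share are the store and the cookie contract."""

    def __init__(self, name: str, store: SharedSessionStore):
        self.name, self.store = name, store

    def login(self, user_id: str, password: str, now: float = None):
        """Return a Set-Cookie header on success, None on bad credentials."""
        now = time.time() if now is None else now
        expected = USERS.get(user_id)
        if expected is None or not secrets.compare_digest(expected, _hash_pw(password)):
            return None
        return set_cookie_header(self.store.create(user_id, now))

    def handle_request(self, cookie_header: str, now: float = None):
        """Return (user_id, Set-Cookie carrying the rotated token), or (None, None) if not signed in."""
        now = time.time() if now is None else now
        token = token_from_cookie_header(cookie_header or "")
        result = self.store.consume(token, now) if token else None
        if result is None:
            return None, None
        user_id, new_token = result
        return user_id, set_cookie_header(new_token)


if __name__ == "__main__":
    store = SharedSessionStore()
    java_app, php_app = App("java-ee", store), App("php", store)
    sc = java_app.login("alice", "correct horse battery staple")
    user, sc2 = php_app.handle_request(cookie_for_next_request(sc))
    print(user)                                                    # alice: PHP app trusts the Java app's session
    print(java_app.handle_request(cookie_for_next_request(sc)))    # (None, None): the old token is retired
```

Two practical notes on this design: Secure and HttpOnly keep the token off plaintext connections and out of reach of page scripts, which matters because the cookie alone is the credential for both apps; and rotating on every request makes two concurrent requests from the same browser race (the second arrives with an already-retired token and is treated as signed out), so real deployments typically allow a short grace window for the previous token or rotate only on privilege changes rather than on every hit.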
