
Proxy HTTP digest authentication request to LDAP server

Recently we've been working on a project that integrates our Tomcat web server with a couple of specific services on a mobile device. One of the things we can do during our interaction with the device (which is over HTTP) is get the device to prompt the user for credentials. After the user has entered their credentials, our server receives an HTTP POST that contains the standard HTTP digest authentication headers (Authorization header with nonce, realm, response, etc.). No big surprises there.

Our server (by design) doesn't actually contain the passwords for any users. We keep a SHA512 hash of their password. For local users we can start to store the MD5 of "username:realm:password" when they log in to the application. Is that a common way of dealing with digest auth when you don't store the password?

More importantly, we interact with LDAP servers via some JNDI code we've written for authentication. Because the device is forced to authenticate with our server via HTTP and digest is the only supported authorization method, we can't really seem to find a way to use the digest response to authenticate the user via LDAP. Conceptually it doesn't really seem right that you would be able to "proxy" a digest request either. Is there a workflow out there that would allow for this type of "pass through" authentication and, if so, is it even a good idea?

Thanks!
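As an added illustration of the HA1-storage approach the question describes (this is example code, not from the original post and not the poster's Tomcat implementation), the server-side check below verifies an HTTP Digest Authorization header using only the stored MD5("username:realm:password"), so the password itself is never kept; the realm, usernames and nonces are assumed values.

```python
import hashlib
import hmac
import re

# Assumed realm for the constructed sample; the original post does not name one.
REALM = "example.org"


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def make_ha1(username: str, realm: str, password: str) -> str:
    """HA1 = MD5(username:realm:password): what the server stores instead of the password."""
    return md5_hex(f"{username}:{realm}:{password}")


def digest_response(ha1, method, uri, nonce, nc=None, cnonce=None, qop=None):
    """RFC 2617 response computation, with qop=auth and without qop."""
    ha2 = md5_hex(f"{method}:{uri}")
    if qop:
        return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


def parse_digest_header(header: str) -> dict:
    """Parse 'Digest k="v", k2=v2, ...' into a dict (quoted or bare values)."""
    if not header.startswith("Digest "):
        return {}
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', header[len("Digest "):])
    return {k: quoted or bare for k, quoted, bare in pairs}


def verify_digest(header: str, method: str, ha1_store: dict, issued_nonces: set) -> bool:
    """Check a client's Authorization header against the stored HA1 for that user."""
    p = parse_digest_header(header)
    ha1 = ha1_store.get(p.get("username"))
    # Accept only nonces this server issued; a real deployment also expires them
    # and tracks the nc counter so a captured header cannot be replayed.
    if ha1 is None or p.get("realm") != REALM or p.get("nonce") not in issued_nonces:
        return False
    expected = digest_response(ha1, method, p.get("uri", ""), p["nonce"],
                               p.get("nc"), p.get("cnonce"), p.get("qop"))
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(expected, p.get("response", ""))
```

Note that HA1 is bound to the realm string, so changing the realm invalidates every stored hash, and HA1 is itself a password-equivalent that must be protected like one.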

One approach could be using simple authentication over HTTPS between the client and your server, then using the password against the LDAP server. You don't need to store the password, as it will be provided by the client on each login. For instance, you may verify the password against the stored SHA512(password), and then pass the clear password to the LDAP server.

If you cannot use HTTPS, or the server is not trusted for knowing the password, things are more complicated, because you cannot compute the SASL response from the provided MD5 digest (unless the LDAP server uses the DIGEST-MD5 mechanism, which is obsolete). In that case, you could proxy the whole SASL authentication exchange between the LDAP server and your client, and have the client send the responses via AJAX. Then, knowledge of the password will be restricted to the client.
