How to write a Java web service to do remote login?

I have two applications. I need to do a single sign-on from application A to application B.

I am thinking of using a web service. I wonder how I go about that approach.

Can anyone advise?

Assuming these are web applications - you must implement some type of shared trust model between the applications.

Under no circumstance should you write your own. That is too easy to screw up and there are plenty of existing (both open and commercial) to choose from.

Here are the following options:

1 - If everyone is running Windows - you could just use Windows Native Authentication (aka SPNEGO).

2 - You could implement some type of SSO system. Popular systems are CAS, Oracle Access Manager, CA SiteMinder, Sun SSO and IBM Tivoli Access Manager. While CAS is open-source, the others will also allow you to implement authorization as well, while CAS only does authentication.

Finally - make sure whatever option you choose - that it integrates with your language's native authentication & authorization framework. In Java this would be JAAS. In .NET it would be the .NET security framework. For PHP/Perl - you can leverage Apache modules. The benefit is that you don't have to become a security expert and it will make it easier to use external systems for authentication & authorization without having to re-code your app.

You could use a public key authentication scheme.

Create a keypair with a public and private key (using Java's keytool, GNU GPG or a similar tool). Use the private key to sign a piece of information (for example a username) on application A and create a link to application B that is accessible from application A and contains the signed data. Application B can then log the user on after verifying with the public key that the request indeed came from application A (which it must have if it is able to decrypt the string).

You could of course create an opposite keypair for navigating the other way as well, or you could just use the public key and keep it secret (effectively making it a shared-secret system).

If the user tries to access application B directly you could also redirect him to application A with a parameter that says he came from application B (or do a referrer check). If he is already logged on to application A create the link with the signed data and redirect to it, otherwise present him with a logon screen and redirect after logon.

Hope that helps!
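Below is an added example of the signed-link scheme this answer describes; it is not code from the answer above. Application A signs a token carrying the username, an expiry time and a random nonce with its private key, and application B accepts the username only after the RSA signature verifies and the expiry has not passed. The token layout (pipe-separated fields), the 60-second lifetime, the in-memory keypair and the `app-b.example` host are all assumptions made for the demo; a deployment would load A's key from a keystore, publish only the public key to B, and keep the seen nonces until expiry so that a captured link cannot be replayed.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.Signature;
import java.util.Base64;

/** Added example: signed SSO token issued by application A, verified by application B. */
public class SignedSsoToken {
    private static final String ALG = "SHA256withRSA";
    private static final Base64.Encoder ENC = Base64.getUrlEncoder().withoutPadding();
    private static final Base64.Decoder DEC = Base64.getUrlDecoder();

    /** Side A: build "username|expiryMillis|nonce|signature"; URL-safe so it can be placed in a link. */
    static String createToken(PrivateKey privateKey, String username, long expiryMillis, SecureRandom rng)
            throws GeneralSecurityException {
        if (username.contains("|")) {
            throw new IllegalArgumentException("username must not contain the field separator");
        }
        byte[] nonce = new byte[16];                      // assumed: 128-bit random nonce per token
        rng.nextBytes(nonce);
        String payload = username + "|" + expiryMillis + "|" + ENC.encodeToString(nonce);
        Signature signer = Signature.getInstance(ALG);
        signer.initSign(privateKey);
        signer.update(payload.getBytes(StandardCharsets.UTF_8));
        return payload + "|" + ENC.encodeToString(signer.sign());
    }

    /** Side B: return the username if the signature is valid and the token is unexpired, otherwise null. */
    static String verifyToken(PublicKey publicKey, String token, long nowMillis) {
        String[] parts = token.split("\\|", -1);
        if (parts.length != 4) {
            return null;                                  // wrong shape: reject without parsing further
        }
        String payload = parts[0] + "|" + parts[1] + "|" + parts[2];
        try {
            Signature verifier = Signature.getInstance(ALG);
            verifier.initVerify(publicKey);
            verifier.update(payload.getBytes(StandardCharsets.UTF_8));
            if (!verifier.verify(DEC.decode(parts[3]))) {
                return null;                              // signature does not match the payload
            }
        } catch (GeneralSecurityException | IllegalArgumentException e) {
            return null;                                  // malformed base64 or signature bytes
        }
        long expiry;
        try {
            expiry = Long.parseLong(parts[1]);
        } catch (NumberFormatException e) {
            return null;
        }
        if (nowMillis > expiry) {
            return null;                                  // stale link: reject
        }
        // A deployment would also store parts[2] (the nonce) until expiry and reject a repeat.
        return parts[0];
    }

    public static void main(String[] args) throws GeneralSecurityException {
        // Constructed keypair for the demo only; application A would load its key from a keystore.
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair kp = gen.generateKeyPair();
        SecureRandom rng = new SecureRandom();

        long now = System.currentTimeMillis();
        String token = createToken(kp.getPrivate(), "alice", now + 60_000, rng);
        System.out.println("Link: https://app-b.example/sso?token=" + token);   // placeholder host

        // Three checks B should pass/fail: fresh token, expired token, edited payload.
        System.out.println("fresh token  -> " + verifyToken(kp.getPublic(), token, now));
        System.out.println("expired      -> " + verifyToken(kp.getPublic(), token, now + 120_000));
        String edited = token.replace("alice", "admin");  // payload changed, signature no longer matches
        System.out.println("edited token -> " + verifyToken(kp.getPublic(), edited, now));
    }
}
```

The signature is checked before any field is trusted, so the expiry and username are only read from a payload that A really produced. Keeping the lifetime short and binding a nonce to each token are the two controls that turn "B trusts anything signed by A" into "B trusts this one login, once, for the next minute".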

You could use an existing open source product, CAS, and just implement it instead of developing your own. That way you'll be able to integrate with other applications that support the same protocol. Even if you decide to implement your own instead of using their code, there are a lot of ideas presented at the web site that would be useful for you to consider.

If the applications are hosted in the same server, then you could configure it to use single sign on. For example, in Tomcat this is achieved with a Valve.

If the applications are in different environments, then a secured Web Service is a good idea. You could for example create a public - private key pair and have application b (server) authenticating application a (client) on the client certificate. This means that application a will sign all requests to application b with the client certificate. More details about the architecture are needed for a full solution.

Are you using an application server? What is the environment for your applications?

There is a standard for propagating identity using web services called Web Service Security UsernameToken Profile. Here's a quick overview. You can send username/password or various tokens such as an X.509 certificate or a SAML assertion. Some application servers' web services stacks will handle WSS UsernameToken Profile: JBoss, Websphere, and WebLogic. Otherwise the web service code has to handle it. This approach may be too cumbersome depending on your environment.

There is a standard for single sign-on, called SAML. Again, this may be too heavy weight for your use-case.

In Oracle land I know there is the concept of a trusted application. Basically if you have control of both applications you can set it up like so:

Application A sends Application B, 1) Application A's username and password and 2) the current user's username. Since B knows and trusts Application A it doesn't need to verify the user's credentials, since it knows application A has already done that for it.

I assume that if you have a custom application B you might be able to do something like this. If your SSO implementation supports this then you probably don't have to do a whole lot except design your web services.

Good luck
