简体繁体 English

Apache2，Kerberos，SSI：如何在其他用户下登录

[英]Apache2, Kerberos, SSI: how to login under another user

原文 2012-01-25 17:21:19 2 1 login/ apache2/ kerberos/ single-sign-on

I have web-app with authorization by REMOTE_USER header. 我有由REMOTE_USER标头授权的网络应用。 If apache2 + mod_auth_kerb set REMOTE_USER by some ActiveDirectory username, my web-app know that user with such username is logged in. I have single sign on ( SSI ) and it works perfect, but what should I do when I want to login as another user? 如果Apache2的+ mod_auth_kerb所被一些ActiveDirectory的用户名设置REMOTE_USER，我的web应用程序知道有这样的用户名是用户登录时，我有（单点登录SSI ）和它的作品完美，但我该怎么办时，我想登录为另一用户？ How to force kerberos relogin (via basic auth, for example)? 如何强制kerberos重新登录（例如，通过基本身份验证）？

If it isn't possible by mod_auth_kerb, but possible by some other apache (or nginx) mod, it is totally ok! 如果mod_auth_kerb无法实现，但是其他Apache（或Nginx）mod可以实现，那完全可以！

PS By the way, is it safe to rely on REMOTE_USER HTTP header in authorization process? PS顺便说一句，在授权过程中依靠REMOTE_USER HTTP标头是否安全？

1 个解决方案

There is no way to log a user out if they were authenticated via browser-type basic auth. 如果通过浏览器类型的基本身份验证对用户进行身份验证，则无法注销用户。

Try using Stanford WebAuth . 尝试使用Stanford WebAuth 。 This allows you to present an in-browser login page and still use the user's Kerberos creds (at your option using SPNEGO for a no-password login). 这样，您就可以显示浏览器内的登录页面，并且仍然使用用户的Kerberos凭据（您可以选择使用SPNEGO进行无密码登录）。 It provides comprehensive logout functionality as well - the user's browser won't stop being authenticated Kerberos-wise, but it will stop being WebAuth logged-in. 它还提供了全面的登出功能-用户的浏览器不会停止通过Kerberos身份验证，但是会停止以WebAuth身份登录。

It is safe to rely on the REMOTE_USER server variable . 依靠REMOTE_USER 服务器变量是安全的。 It is not an HTTP header - in PHP, it would be $_SERVER['REMOTE_USER'] , not $_REQUEST['REMOTE_USER'] . 它不是HTTP头-在PHP中，它将是$_SERVER['REMOTE_USER'] ，而不是$_REQUEST['REMOTE_USER'] 。 It's set by server-side code. 它由服务器端代码设置。