[英]Apache2, Kerberos, SSI: how to login under another user
I have web-app with authorization by REMOTE_USER header. 我有由REMOTE_USER标头授权的网络应用。 If apache2 + mod_auth_kerb set REMOTE_USER by some ActiveDirectory username, my web-app know that user with such username is logged in. I have single sign on ( SSI ) and it works perfect, but what should I do when I want to login as another user?
如果Apache2的+ mod_auth_kerb所被一些ActiveDirectory的用户名设置REMOTE_USER,我的web应用程序知道有这样的用户名是用户登录时,我有(单点登录SSI )和它的作品完美,但我该怎么办时,我想登录为另一用户? How to force kerberos relogin (via basic auth, for example)?
如何强制kerberos重新登录(例如,通过基本身份验证)?
If it isn't possible by mod_auth_kerb, but possible by some other apache (or nginx) mod, it is totally ok! 如果mod_auth_kerb无法实现,但是其他Apache(或Nginx)mod可以实现,那完全可以!
PS By the way, is it safe to rely on REMOTE_USER HTTP header in authorization process? PS顺便说一句,在授权过程中依靠REMOTE_USER HTTP标头是否安全?
There is no way to log a user out if they were authenticated via browser-type basic auth. 如果通过浏览器类型的基本身份验证对用户进行身份验证,则无法注销用户。
Try using Stanford WebAuth . 尝试使用Stanford WebAuth 。 This allows you to present an in-browser login page and still use the user's Kerberos creds (at your option using SPNEGO for a no-password login).
这样,您就可以显示浏览器内的登录页面,并且仍然使用用户的Kerberos凭据(您可以选择使用SPNEGO进行无密码登录)。 It provides comprehensive logout functionality as well - the user's browser won't stop being authenticated Kerberos-wise, but it will stop being WebAuth logged-in.
它还提供了全面的登出功能-用户的浏览器不会停止通过Kerberos身份验证,但是会停止以WebAuth身份登录。
It is safe to rely on the REMOTE_USER server variable . 依靠REMOTE_USER 服务器变量是安全的。 It is not an HTTP header - in PHP, it would be
$_SERVER['REMOTE_USER']
, not $_REQUEST['REMOTE_USER']
. 它不是HTTP头-在PHP中,它将是
$_SERVER['REMOTE_USER']
,而不是$_REQUEST['REMOTE_USER']
。 It's set by server-side code. 它由服务器端代码设置。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.