在Google App Engine for Java上的子域之间共享当前用户数据
[英]Share Current User Data Between Subdomains on Google App Engine for Java
问题描述
I am Using Google App Engine for Java and I want to be able to share session data between subdomains: 
我正在使用Google App Engine for Java,我希望能够在子域之间共享会话数据:
- www.myapp.com www.myapp.com
- user1.myapp.com user1.myapp.com
- user2.myapp.com user2.myapp.com
The reason I need this is that I need to be able to detect if the user was logged in on www.myapp.com when trying to access user1.myapp.com. 我需要这个的原因是我需要能够在尝试访问user1.myapp.com时检测用户是否登录www.myapp.com。 I want to do this to give them admin abilities on their own subdomains as well as allow them to seamlessly switch between subdomains without having to login again. 我想这样做是为了在他们自己的子域上为他们提供管理员能力,并允许他们在子域之间无缝切换而无需再次登录。
I am willing to share all cookie data between the subdomains and this is possible using Tomcat as seen here: Share session data between 2 subdomains 我愿意在子域之间共享所有cookie数据,这可以使用Tomcat,如下所示: 在2个子域之间共享会话数据
Is this possible with App Engine in Java? 这可以用Java中的App Engine实现吗?
Update 1
更新1
I got a good tip that I could share information using a cookie with the domain set to ".myapp.com". 我得到了一个很好的提示,我可以使用域名设置为“.myapp.com”的cookie来共享信息。 This allows me to set something like the "current_user" to "4" and have access to that on all subdomains. 这允许我将类似“current_user”的内容设置为“4”,并且可以访问所有子域上的内容。 Then my server code can be responsible for checking cookies if the user does not have an active session. 然后,如果用户没有活动会话,我的服务器代码可以负责检查cookie。
This still doesn't allow me to get access to the original session (which seems like it might not be possible). 这仍然不允许我访问原始会话(这似乎可能是不可能的)。
My concern now is security. 我现在关心的是安全问题。 Should I allow a user to be authenticated purely on the fact that the cookie ("current_user" == user_id)? 我是否应该允许用户完全根据cookie(“current_user”== user_id)的事实进行身份验证? This seems very un-secure and I certainly hope I'm missing something. 这似乎非常不安全,我当然希望我错过了一些东西。
1 个解决方案
解决方案1
0 2015-03-16 12:04:00
Shared cookie is most optimal way for your case. 共享cookie是您案例的最佳方式。 But you cannot use it to share a session on appengine. 但你不能用它来共享一个关于appengine的会话。 Except the case when you have a 3rd party service to store sessions, like Redis deployed to Cloud Instances. 除了您有第三方服务来存储会话的情况,例如Redis部署到云实例。
You also need to add some authentication to your cookie. 您还需要为cookie添加一些身份验证。 In cryptography there is a special thing called Message Authentication Code ( MAC ), or most usually HMAC . 在密码学中,有一种称为消息认证码( MAC )的特殊事物,或者最常见的是HMAC 。
Basically you need to store user id + hash of this id and a secret key (known to both servers, but not to the user). 基本上你需要存储这个id和secret key user id + hash(两个服务器都知道,但不是用户)。 So each time you could check if user have provided valid id, like: 因此,每次您可以检查用户是否提供了有效的ID,例如:
String cookie = "6168165_4aee8fb290d94bf4ba382dc01873b5a6";
String[] pair = cookie.split('_');
assert pair.length == 2
String id = pair[0];
String sign = pair[1];
assert DigestUtils.md5Hex(id + "_mysecretkey").equals(sign);
Take a look also at TokenBasedRememberMeServices from Spring Security, you can use it as an example. 另请TokenBasedRememberMeServices Spring Security的TokenBasedRememberMeServices ,您可以使用它作为示例。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.