[英]Single Sign on with 2 subdomains, one Java, one .NET
I'm currently looking for a nice solution for the problem above. 我目前正在为上述问题寻找一个很好的解决方案。 We'll probably run form authentication on the .NET one. 我们可能会在.NET上运行表单身份验证。
I have an ASP.NET MVC app running on a.mydomain.com
and a Java based app running on b.mydomain.com
. 我有一个在a.mydomain.com
运行的ASP.NET MVC应用程序和一个在b.mydomain.com
运行的基于Java的应用程序。
What is the best approach so that I don't have to log in to each app. 什么是最好的方法,这样我就不必登录每个应用程序。 Say, when I log into the a.mydomain.com
and then open the Java b.mydomain.com
, and it will check and see that I'm already logged in? 比如说,当我登录a.mydomain.com
然后打开Java b.mydomain.com
,它会检查并看到我已经登录了?
Would the WCF AuthenticationService class work for this? WCF AuthenticationService类是否适用于此? Could I do an AJAX request from the JavaScript of b.mydomain.com
to check if I'm logged in already in the .NET app? 我可以从b.mydomain.com
的JavaScript做一个AJAX请求来检查我是否已经在.NET应用程序中登录了吗?
As long as mydomain.com
is not in the public suffix list ( http://publicsuffix.org/list/ ), a.mydomain.com
can put a domain cookie for .mydomain.com
只要mydomain.com
是不是在公共后缀列表( http://publicsuffix.org/list/ ), a.mydomain.com
可以把一个域cookie为.mydomain.com
( note that you can only go down one level in putting cookie : abmydomain.com
can not put a .mydomain.com
cookie ) (请注意,在放置cookie时只能降低一级: abmydomain.com
不能放置.mydomain.com
cookie)
The cookie will be sent to b.mydomain.com
(as well as *.mydomain.com
and mydomain.com
) and can be used as a token to open a session. 该cookie将被发送到b.mydomain.com
(以及*.mydomain.com
和mydomain.com
),并可用作令牌来打开会话。 So be sure to control the whole *.myDomain.com subdomain and make it httpOnly and secured (https) 因此,请务必控制整个* .myDomain.com子域并使其成为httpOnly和安全(https)
Response.SetCookie(new HttpCookie("myCookieName", "myCookieValue") { HttpOnly = true, Domain = ".myDomain.com", Secure=true });
Some parts of the Atlassian Crowd solution http://www.atlassian.com/software/crowd/overview are based on this cookie mechanism Atlassian Crowd解决方案http://www.atlassian.com/software/crowd/overview的某些部分基于此cookie机制
So you might : 所以你可能会:
myToken
cookie which value contains userId and hashed userId with hashing key known by a.myDomain.com and b.myDomain.com 成功登录后,构建一个myToken
cookie,其值包含userId,并使用has.keyDomain.com和b.myDomain.com已知的散列密钥散列userId Note that you won't be able to access the cookie client side (so no js cookie handling, except if it is server side js, for example nodejs) 请注意,您将无法访问cookie客户端(因此没有js cookie处理,除非它是服务器端js,例如nodejs)
Using a Java or .NET existing solution is not likely to function on the other platform. 使用Java或.NET现有解决方案不太可能在其他平台上运行。 You need several capabilities: 您需要几种功能:
How can you do these? 你怎么能这样做?
If you have both those pieces of information, you can do the authentication on each system. 如果您同时拥有这两条信息,则可以在每个系统上进行身份验证。
I recommend using one of enterprise sso protocols, Oauth2 or ws-federation. 我建议使用企业sso协议之一,Oauth2或ws-federation。 This gives you maximum flexibility in composing your services, you can not only federate these two but then, later, easily expand your application environment. 这为您提供了组合服务的最大灵活性,您不仅可以联合这两种服务,还可以在以后轻松扩展您的应用程序环境。 Both protocols do not need apps to be on the same domain. 两种协议都不需要应用程序位于同一个域中。
Although this could sound overcomplicated for your simple needs, you do it once and have the sso problem solved forever, no matter what happens in future to your applications. 虽然这对于您的简单需求来说听起来过于复杂,但是无论将来您的应用程序发生了什么,您都可以执行一次并彻底解决sso问题。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.