基于基于令牌的身份验证的 SSO 的安全性如何?
How secured is SSO based on token based authentication?
我计划将 jasper 服务器与我的 Web 应用程序集成为单点登录。我经历了 Jasper Authentication cookbook
和碧玉
建议将基于令牌的身份验证作为解决方案之一(因为身份验证已经由我的 Web 应用程序完成)
Jasper 建议的是这个
you pass the token in specific format (as defined below under tokenFormatMapping) to jasper server
, jasper will authenticate the request.
所以有效的令牌可以是
u=user|r=role1|o=org1|pa1=PA11|pa2=PA21|exp=2001404150601
无效的令牌可以是
u1=user|r=role1|o=org1|pa1=PA11|pa2=PA21|exp=2001404150601
r=role1|u=user|o=org1|pa1=PA11|pa2=PA21|exp=2001404150601
我的问题是这真的是一个安全的过程,因为一旦黑客知道了模式,他就可以简单地登录到 jasper 服务器?
在我看来,这里的安全性可能会受到损害。我错过了什么吗?
<bean class="com.jaspersoft.jasperserver.api.security.externalAuth.wrappers.spring.preauth.JSPreAuthenticatedAuthenticationProvider">
....................
<property name="tokenPairSeparator" value="|" />
<property name="tokenFormatMapping">
<map>
<entry key="username" value="u" />
<entry key="roles" value="r" />
<entry key="orgId" value="o" />
<entry key="expireTime" value="exp" />
<entry key="profile.attribs">
<map>
<entry key="profileAttrib1" value="pa1" />
<entry key="profileAttrib2" value="pa2" />
</map>
</entry>
</map>
</property>
<property name="tokenExpireTimestampFormat" value="yyyyMMddHHmmssZ" />
</bean>
</property>
</bean>
根据Jasper Reports Authentication cookbook,使用基于令牌的身份验证用户不会直接登录,这意味着使用此方法只能完成某些操作。
此外,它指定了以下内容:
JasperReports Server will accept any properly formatted token;
therefore, you need to protect the integrity of the token using
measures such as the following:
- Connect to JasperReports Server using SSL to protect against token interception.
- Encrypt the token to protect against tampering.
- Configure the token to use a timestamp to protect against replay attacks. Without a timestamp, when you include the token in a web page or REST web service URL, the URL can be copied and used by unauthorized people or systems. Setting the expire time for the token will stop tokens/URLs from being used to authenticate beyond the indicated time. You can set the expiry time depending on your use case. For a user who is logged into the application/portal and is requesting access to JasperReports Server, expiry time of a minute or less from the request time is appropriate.
所有通信都需要通过 SSL 隧道进行。否则,任何人都可以与您的 JR 服务器建立连接、发送令牌并从中获取信息。
我也想用 Jasper Server 实现基于令牌的 SSO,但遇到了完全相同的问题。这种方法对我来说似乎并不安全,因为如果请求格式正确,身份验证永远不会被拒绝,这是一件简单的事情。
另一种选择(如果您不使用 CAS 或 LDAP 提供程序)是根据请求进行身份验证,如身份验证手册中第 7.4 "Authentication Based on Request" 节所述。创建您自己的自定义身份验证提供程序并在 applicationContext-externalAuth.xml 中配置它:
<bean id="customAuthenticationManager" class="org.springframework.security.
providers.ProviderManager">
<property name="providers">
<list>
<ref bean="${bean.myCustomProvider}"/>
<ref bean="${bean.daoAuthenticationProvider}"/>
</list>
</property>
</bean>
我计划将 jasper 服务器与我的 Web 应用程序集成为单点登录。我经历了 Jasper Authentication cookbook 和碧玉 建议将基于令牌的身份验证作为解决方案之一(因为身份验证已经由我的 Web 应用程序完成)
Jasper 建议的是这个
you pass the token in specific format (as defined below under tokenFormatMapping) to jasper server , jasper will authenticate the request.
所以有效的令牌可以是
u=user|r=role1|o=org1|pa1=PA11|pa2=PA21|exp=2001404150601
无效的令牌可以是
u1=user|r=role1|o=org1|pa1=PA11|pa2=PA21|exp=2001404150601
r=role1|u=user|o=org1|pa1=PA11|pa2=PA21|exp=2001404150601
我的问题是这真的是一个安全的过程,因为一旦黑客知道了模式,他就可以简单地登录到 jasper 服务器? 在我看来,这里的安全性可能会受到损害。我错过了什么吗?
<bean class="com.jaspersoft.jasperserver.api.security.externalAuth.wrappers.spring.preauth.JSPreAuthenticatedAuthenticationProvider">
....................
<property name="tokenPairSeparator" value="|" />
<property name="tokenFormatMapping">
<map>
<entry key="username" value="u" />
<entry key="roles" value="r" />
<entry key="orgId" value="o" />
<entry key="expireTime" value="exp" />
<entry key="profile.attribs">
<map>
<entry key="profileAttrib1" value="pa1" />
<entry key="profileAttrib2" value="pa2" />
</map>
</entry>
</map>
</property>
<property name="tokenExpireTimestampFormat" value="yyyyMMddHHmmssZ" />
</bean>
</property>
</bean>
根据Jasper Reports Authentication cookbook,使用基于令牌的身份验证用户不会直接登录,这意味着使用此方法只能完成某些操作。
此外,它指定了以下内容:
JasperReports Server will accept any properly formatted token; therefore, you need to protect the integrity of the token using measures such as the following:
- Connect to JasperReports Server using SSL to protect against token interception.
- Encrypt the token to protect against tampering.
- Configure the token to use a timestamp to protect against replay attacks. Without a timestamp, when you include the token in a web page or REST web service URL, the URL can be copied and used by unauthorized people or systems. Setting the expire time for the token will stop tokens/URLs from being used to authenticate beyond the indicated time. You can set the expiry time depending on your use case. For a user who is logged into the application/portal and is requesting access to JasperReports Server, expiry time of a minute or less from the request time is appropriate.
所有通信都需要通过 SSL 隧道进行。否则,任何人都可以与您的 JR 服务器建立连接、发送令牌并从中获取信息。
我也想用 Jasper Server 实现基于令牌的 SSO,但遇到了完全相同的问题。这种方法对我来说似乎并不安全,因为如果请求格式正确,身份验证永远不会被拒绝,这是一件简单的事情。
另一种选择(如果您不使用 CAS 或 LDAP 提供程序)是根据请求进行身份验证,如身份验证手册中第 7.4 "Authentication Based on Request" 节所述。创建您自己的自定义身份验证提供程序并在 applicationContext-externalAuth.xml 中配置它:
<bean id="customAuthenticationManager" class="org.springframework.security.
providers.ProviderManager">
<property name="providers">
<list>
<ref bean="${bean.myCustomProvider}"/>
<ref bean="${bean.daoAuthenticationProvider}"/>
</list>
</property>
</bean>