支持Jetty上JSESSIONID会话cookie域的单点登录更改域

时间:2021-12-25 17:35:28

I'm trying to support single sign-on with JETTY and we have 2 subdomains running webservers that will support single sign-on through Jetty's SSO support.

我正在尝试使用JETTY支持单点登录,并且我们有2个运行Web服务器的子域,这些子域将通过Jetty的SSO支持支持单点登录。

account.test.com app.test.com

We have a SSOSession cookie that is set to *.test.com, but to support sign-off I need to ensure that my Jetty server running at app.test.com has it's JSESSIONID cookie reset.

我们有一个设置为* .test.com的SSOSession cookie,但是为了支持签名,我需要确保在app.test.com上运行的Jetty服务器有JSESSIONID cookie重置。

I'm currently using the Jetty JAAS FormAuthenticator and overriding SSORealm to support validation of the SSOSession cookie when the FormAuthenticator is called.

我正在使用Jetty JAAS FormAuthenticator并覆盖SSORealm以支持在调用FormAuthenticator时验证SSOSession cookie。

I want to be able to have the account.test.com allow users to sign in there which will cause it to invalidate the JSESSIONID cookie being used at app.test.com.

我希望能够让account.test.com允许用户在那里登录,这将导致它使app.test.com上使用的JSESSIONID cookie无效。

One solution I could do that would probably be more correct is to detect a change in teh SSOSession cookie and invalidate the JSESSIONID on my server.

我可以做的一个可能更正确的解决方案是检测SSOSession cookie的更改并使我的服务器上的JSESSIONID无效。

1 个解决方案

#1


I do not know anything about Jetty or how JSESSIONIDs work but it sounds like you want to tie the validity of JSESSIONID to a specific SSOSession cookie.

我对Jetty或JSESSIONIDs的工作原理一无所知,但听起来你想将JSESSIONID的有效性与特定的SSOSession cookie联系起来。

One possibility - when creating a new session on app.test.com, apart from new JSESSIONID, set a new cookie say SSOSig = MD5(JSESSIONID + SSOSessionCookie + secret) in domain app.test.com.

一种可能性 - 在app.test.com上创建新会话时,除了新的JSESSIONID之外,在域app.test.com中设置一个新的cookie,即SSOSig = MD5(JSESSIONID + SSOSessionCookie + secret)。

When user interacts with app.test.com, the server will receive JSESSIONID, SSOSig, and SSOSessionID. If SSOSessionID changed because of sign in on account.test.com, then you will receive JSESSIONID, SSOSig, and SSOSessionID'. Now your attempt to verify SSOSig will fail since MD5(JSESSIONID + SSOSessioID' + secret) != SSOSig and at this point you can invalidate JSESSIONID.

当用户与app.test.com交互时,服务器将接收JSESSIONID,SSOSig和SSOSessionID。如果SSOSessionID因在account.test.com上登录而更改,那么您将收到JSESSIONID,SSOSig和SSOSessionID'。现在,您尝试验证SSOSig将失败,因为MD5(JSESSIONID + SSOSessioID'+ secret)!= SSOSig,此时您可以使JSESSIONID无效。

#1


I do not know anything about Jetty or how JSESSIONIDs work but it sounds like you want to tie the validity of JSESSIONID to a specific SSOSession cookie.

我对Jetty或JSESSIONIDs的工作原理一无所知,但听起来你想将JSESSIONID的有效性与特定的SSOSession cookie联系起来。

One possibility - when creating a new session on app.test.com, apart from new JSESSIONID, set a new cookie say SSOSig = MD5(JSESSIONID + SSOSessionCookie + secret) in domain app.test.com.

一种可能性 - 在app.test.com上创建新会话时,除了新的JSESSIONID之外,在域app.test.com中设置一个新的cookie,即SSOSig = MD5(JSESSIONID + SSOSessionCookie + secret)。

When user interacts with app.test.com, the server will receive JSESSIONID, SSOSig, and SSOSessionID. If SSOSessionID changed because of sign in on account.test.com, then you will receive JSESSIONID, SSOSig, and SSOSessionID'. Now your attempt to verify SSOSig will fail since MD5(JSESSIONID + SSOSessioID' + secret) != SSOSig and at this point you can invalidate JSESSIONID.

当用户与app.test.com交互时,服务器将接收JSESSIONID,SSOSig和SSOSessionID。如果SSOSessionID因在account.test.com上登录而更改,那么您将收到JSESSIONID,SSOSig和SSOSessionID'。现在,您尝试验证SSOSig将失败,因为MD5(JSESSIONID + SSOSessioID'+ secret)!= SSOSig,此时您可以使JSESSIONID无效。