security - How secure is SSO based on token-based authentication?

Reposted. Author: 行者123 Updated: 2023-12-01 05:06:30

I am planning to integrate Jasper server with my web application as single sign-on. I went through the Jasper Authentication cookbook,
and it suggests token-based authentication as one of the solutions (since authentication is already done by my web application).

What Jasper suggests is this:

you pass the token in specific format (as defined below under tokenFormatMapping) to jasper server, jasper will authenticate the request.

So a valid token could be
   u=user|r=role1|o=org1|pa1=PA11|pa2=PA21|exp=2001404150601

An invalid token could be
   u1=user|r=role1|o=org1|pa1=PA11|pa2=PA21|exp=2001404150601
   r=role1|u=user|o=org1|pa1=PA11|pa2=PA21|exp=2001404150601

My question is: is this really a secure process? Once a hacker knows the pattern, can he simply log in to the jasper server?
It seems to me that security could be compromised here. Am I missing something?

<bean class="com.jaspersoft.jasperserver.api.security.externalAuth.wrappers.spring.preauth.JSPreAuthenticatedAuthenticationProvider">
....................
<property name="tokenPairSeparator" value="|" />
<property name="tokenFormatMapping">
<map>
<entry key="username" value="u" />
<entry key="roles" value="r" />
<entry key="orgId" value="o" />
<entry key="expireTime" value="exp" />
<entry key="profile.attribs">
<map>
<entry key="profileAttrib1" value="pa1" />
<entry key="profileAttrib2" value="pa2" />
</map>
</entry>
</map>
</property>
<property name="tokenExpireTimestampFormat" value="yyyyMMddHHmmssZ" />
</bean>
</property>
</bean>

Best answer

According to the Jasper Reports Authentication cookbook, with token-based authentication the user does not log in directly, which means only certain operations can be performed with this method.

In addition, it states the following:

JasperReports Server will accept any properly formatted token; therefore, you need to protect the integrity of the token using measures such as the following:

  • Connect to JasperReports Server using SSL to protect against token interception.
  • Encrypt the token to protect against tampering.
  • Configure the token to use a timestamp to protect against replay attacks. Without a timestamp, when you include the token in a web page or REST web service URL, the URL can be copied and used by unauthorized people or systems. Setting the expire time for the token will stop tokens/URLs from being used to authenticate beyond the indicated time. You can set the expiry time depending on your use case. For a user who is logged into the application/portal and is requesting access to JasperReports Server, expiry time of a minute or less from the request time is appropriate.


All communication needs to go through an SSL tunnel. Otherwise anyone could open a connection to your JR server, send a token and get information out of it.

Regarding "security - How secure is SSO based on token-based authentication?", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/28092613/
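The following is an added example and is not code from the question, the answer or JasperReports Server. It builds a token in the shape of the question's tokenFormatMapping, parses it strictly in the field order the question's valid/invalid examples imply (an assumption about how the server interprets the mapping), checks the expiry in the cookbook's yyyyMMddHHmmssZ format, and wraps the token with an HMAC tag as one concrete way to give it the integrity the cookbook asks for. Encryption on its own does not detect tampering, so an authenticated construction such as this MAC (or authenticated encryption) is what the "encrypt the token" advice has to end up as in practice. The shared key, reference time and sample tokens are constructed; the sample exp value uses a format-valid timestamp rather than the literal from the question.

```python
"""Illustrative build/verify for a Jasper-style pipe-separated SSO token.

Added example, not JasperReports Server code. Field names, abbreviations and
the timestamp format come from the tokenFormatMapping in the question; the
strict-order rule follows the question's valid/invalid examples and is an
assumption about the server. The HMAC layer is an assumed integrity wrapper.
"""
import base64
import datetime as dt
import hashlib
import hmac

# (logical name, abbreviation) in the exact order the token must carry them.
TOKEN_FIELDS = [
    ("username", "u"),
    ("roles", "r"),
    ("orgId", "o"),
    ("profileAttrib1", "pa1"),
    ("profileAttrib2", "pa2"),
    ("expireTime", "exp"),
]
PAIR_SEPARATOR = "|"
# Python equivalent of the Java pattern yyyyMMddHHmmssZ, e.g. 20140415060100+0000
EXPIRE_FORMAT = "%Y%m%d%H%M%S%z"

# Constructed test fixtures (not from the page): shared secret and a fixed clock.
SHARED_KEY = b"constructed-shared-secret-between-portal-and-jasper"
EXAMPLE_NOW = dt.datetime(2014, 4, 15, 6, 0, 0, tzinfo=dt.timezone.utc)
REPLAY_TIME = EXAMPLE_NOW + dt.timedelta(minutes=2)  # after a 60 s token has expired
VALID_EXAMPLE = "u=user|r=role1|o=org1|pa1=PA11|pa2=PA21|exp=20140415060100+0000"
INVALID_EXAMPLES = [
    "u1=user|r=role1|o=org1|pa1=PA11|pa2=PA21|exp=20140415060100+0000",  # wrong key
    "r=role1|u=user|o=org1|pa1=PA11|pa2=PA21|exp=20140415060100+0000",   # wrong order
]


def build_token(username, roles, org_id, pa1, pa2, ttl_seconds=60, now=None):
    """Assemble the plain token; expiry is now + ttl (cookbook: a minute or less)."""
    now = now or dt.datetime.now(dt.timezone.utc)
    exp = (now + dt.timedelta(seconds=ttl_seconds)).strftime(EXPIRE_FORMAT)
    values = {"username": username, "roles": roles, "orgId": org_id,
              "profileAttrib1": pa1, "profileAttrib2": pa2, "expireTime": exp}
    for v in values.values():
        if PAIR_SEPARATOR in v or "=" in v:
            raise ValueError("field value contains a token delimiter")
    return PAIR_SEPARATOR.join(f"{abbr}={values[name]}" for name, abbr in TOKEN_FIELDS)


def parse_token(token):
    """Strict parse: exact pair count, expected key at each position, non-empty values."""
    pairs = token.split(PAIR_SEPARATOR)
    if len(pairs) != len(TOKEN_FIELDS):
        raise ValueError(f"expected {len(TOKEN_FIELDS)} pairs, got {len(pairs)}")
    parsed = {}
    for (name, abbr), pair in zip(TOKEN_FIELDS, pairs):
        key, sep, value = pair.partition("=")
        if sep == "" or key != abbr or value == "":
            raise ValueError(f"bad pair {pair!r}: expected key {abbr!r}")
        parsed[name] = value
    return parsed


def is_valid_format(token):
    """True if the token matches the mapping; False for the question's invalid examples."""
    try:
        parse_token(token)
        return True
    except ValueError:
        return False


def protect_token(token, key):
    """Append a keyed MAC so a guessed or altered token fails verification."""
    tag = hmac.new(key, token.encode(), hashlib.sha256).digest()
    return token + "." + base64.urlsafe_b64encode(tag).decode()


def verify_token(protected, key, now=None):
    """Check the MAC first, then the format, then the expiry. Returns parsed fields."""
    now = now or dt.datetime.now(dt.timezone.utc)
    token, sep, b64tag = protected.rpartition(".")
    if sep == "":
        raise ValueError("missing integrity tag")
    expected = hmac.new(key, token.encode(), hashlib.sha256).digest()
    tag = base64.urlsafe_b64decode(b64tag)  # binascii.Error is a ValueError
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    fields = parse_token(token)
    expires = dt.datetime.strptime(fields["expireTime"], EXPIRE_FORMAT)
    if expires <= now:
        raise ValueError("token expired")
    return fields


def accepts(protected, key, now=None):
    """Boolean wrapper around verify_token for quick checks."""
    try:
        verify_token(protected, key, now)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    tok = build_token("user", "role1", "org1", "PA11", "PA21", now=EXAMPLE_NOW)
    sealed = protect_token(tok, SHARED_KEY)
    print("plain token   :", tok)
    print("sealed token  :", sealed)
    print("fresh, intact :", accepts(sealed, SHARED_KEY, EXAMPLE_NOW))
    print("pattern only  :", accepts(tok, SHARED_KEY, EXAMPLE_NOW))
    print("tampered user :", accepts(sealed.replace("u=user", "u=admin"), SHARED_KEY, EXAMPLE_NOW))
    print("replayed late :", accepts(sealed, SHARED_KEY, REPLAY_TIME))
```

The ordering inside verify_token matters: the MAC is checked before anything is parsed, so an attacker who only knows the pattern gets a constant-time rejection and never reaches the parser or the expiry logic. The short TTL then limits what a captured, intact token is worth, which is the replay protection the cookbook describes; TLS on the wire is still needed so that the token is not captured in the first place.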
