Question
I am relatively new to Symfony2. I have already built a system using the inbuilt security mechanism of Symfony2 by authenticating users from the database. Let's call this system "B".
There is an application in ASP.NET on a different server that uses the same credentials (I had copied over the users table from that system). Let's call this system "A". Is it possible for users to click on a link in the ASP application that redirects them to the Symfony2 application and automatically authenticates them without them having to re-enter their login credentials?
I have limited control over programming system "A". Is it possible to have a single/static/predefined encrypted user credential that can be used from system A to authenticate the user on system B (of course providing the type of user as a data parameter so I can restrict the user in system B to his/her authorized tasks)? Once authenticated, the user should be able to directly interact with the Symfony2 application just as if they had logged in using system B's login page.
In more clear terms, here is the flow of events:
- User logs in to the ASP.NET system.
- User clicks on a link to get redirected to the Symfony2 Application
- User is automatically authenticated and gets access based on his role to the Symfony2 Application
Please note that I cannot maintain a user database on the Symfony Server. I will only have information about the different user types available.
I looked into the Custom authentication provider for Symfony2 method but am not sure if it will solve the purpose of redirecting the client/user entirely to the Symfony2 application. It looked more like a web services authentication method but I might be wrong.
Is SAML a better option to achieve this?
Answer 1:
First of all, this is sort of a solved problem. Things like OAuth exist for a reason. I would suggest looking in to that before attempting to cook up your own solution (and dealing with the security ramifications).
But to answer your question:
It seems to me that there is no secure way to do this without being able to change something in system "A". Somehow, the Symfony app needs to be able to get some highly un-guessable hash token from system "A" so that it can authenticate with it. Anything else would be insecure.
Ideally, you would make the form that sends users to the Symfony app on system "A" create a hash from the user's username and session or something, and send that along with the user when redirecting them to the Symfony app (i.e. in the URL params: something like http://symfony-app.com/login?token=[the really long, un-guessable hash]). System "B" would store that hash in the database for a limited period of time, and your Symfony app would authenticate against that hash.
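The handoff the answer sketches, as an added example that is not part of the original answer or of any Symfony or ASP.NET code: system "A" issues a short-lived, single-use token and redirects the user with it; system "B" checks it before opening its own session. It is written in Python so both sides can be run in one file; in practice the issuing side would live in the ASP.NET app and the verifying side in a Symfony authentication provider or firewall listener. Two things are assumptions on top of the answer: the token is made unguessable and tamper-proof with an HMAC over a shared secret plus a 128-bit random nonce, so B does not need a user table, only the list of roles it recognises; and the "store the hash for a limited period" step becomes a cache of consumed nonces kept for the token lifetime, which is what stops the same link from being replayed. `SHARED_SECRET`, `TOKEN_TTL_SECONDS`, `ALLOWED_ROLES`, the claim names and the URL are all constructed for the example.

```python
"""Time-limited, single-use handoff token between two web apps sharing a secret.

Constructed example (not from the original post). System "A" issues the token
when the user clicks the cross-application link; system "B" verifies it and
then starts its own session. Secret, TTL, role list and field names are assumptions.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit

SHARED_SECRET = b"replace-with-a-long-random-secret-known-only-to-A-and-B"  # assumption
TOKEN_TTL_SECONDS = 60                          # the link is followed immediately, so keep it short
ALLOWED_ROLES = {"ROLE_USER", "ROLE_MANAGER"}   # roles B knows how to authorise; assumption


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(payload: bytes) -> bytes:
    return hmac.new(SHARED_SECRET, payload, hashlib.sha256).digest()


# --- System "A": build the redirect URL the user is sent to -------------------
def issue_handoff_url(username, role, base_url="https://symfony-app.example/login", now=None):
    now = int(time.time()) if now is None else now
    claims = {
        "sub": username,
        "role": role,                           # the "type of user" the question wants to pass along
        "iat": now,
        "exp": now + TOKEN_TTL_SECONDS,
        "jti": secrets.token_urlsafe(16),       # 128-bit nonce: unguessable and unique per click
    }
    body = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    token = _b64url(body) + "." + _b64url(_sign(body))
    return base_url + "?" + urlencode({"token": token})


# --- System "B": verify the token and consume it exactly once ----------------
class HandoffVerifier:
    def __init__(self):
        self._used = {}   # jti -> exp; stands in for the answer's time-limited DB record

    def _purge(self, now):
        self._used = {jti: exp for jti, exp in self._used.items() if exp > now}

    def verify(self, url, now=None):
        now = int(time.time()) if now is None else now
        token = parse_qs(urlsplit(url).query).get("token", [None])[0]
        if not token or token.count(".") != 1:
            raise ValueError("missing or malformed token")
        body_b64, sig_b64 = token.split(".")
        body = _b64url_decode(body_b64)
        # Check the MAC before trusting anything inside the body; constant-time compare.
        if not hmac.compare_digest(_sign(body), _b64url_decode(sig_b64)):
            raise ValueError("bad signature")
        claims = json.loads(body)
        if now >= claims["exp"]:
            raise ValueError("token expired")
        if claims["role"] not in ALLOWED_ROLES:
            raise ValueError("unknown role")
        self._purge(now)
        if claims["jti"] in self._used:
            raise ValueError("token already used")
        self._used[claims["jti"]] = claims["exp"]
        return {"username": claims["sub"], "role": claims["role"]}

    def try_verify(self, url, now=None):
        """Convenience wrapper: (True, claims) on success, (False, reason) otherwise."""
        try:
            return True, self.verify(url, now)
        except ValueError as exc:
            return False, str(exc)


def tamper_role(url, new_role):
    """Attacker attempt (constructed): rewrite the role claim but keep A's signature."""
    parts = urlsplit(url)
    token = parse_qs(parts.query)["token"][0]
    body_b64, sig_b64 = token.split(".")
    claims = json.loads(_b64url_decode(body_b64))
    claims["role"] = new_role
    body = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    return parts._replace(query=urlencode({"token": _b64url(body) + "." + sig_b64})).geturl()


if __name__ == "__main__":
    verifier = HandoffVerifier()
    link = issue_handoff_url("alice", "ROLE_MANAGER")
    print(verifier.try_verify(link))                              # accepted once
    print(verifier.try_verify(link))                              # replay rejected
    print(verifier.try_verify(tamper_role(link, "ROLE_ADMIN")))   # signature no longer matches
```

On the Symfony side the accepted claims are what you would hand to a custom authentication provider to build the token and user object for the session; the role check is the whole of the authorisation data B has, which matches the question's constraint of knowing user types but not users. Because the token travels in the URL it ends up in browser history and server logs, so the short lifetime and the single-use cache are not optional, and the login endpoint should be HTTPS only.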
Source: https://stackoverflow.com/questions/11441570/authentication-into-symfony-2-0-from-an-external-system