Accessing REST services behind SSO with a JavaScript reverse proxy

Posted by the Information Security Club


"One flower alone does not make a spring; a hundred flowers in bloom fill the garden with spring." (Gujin Xianwen, 《古今贤文》)


Sunday is the "Hundred Flowers" column, which accepts original articles from team members, for example write-ups of successful incident cases. There will also be occasional code dojos, small programming contests and similar activities.


The first article comes from Michael Song; a round of applause, everyone.

Coordinate SSO and backend RESTful requests with a JavaScript reverse proxy

Problem(s) solved

1) A desktop application communicates with a remote server through a RESTful API. All HTTP(S) requests are protected by an SSO (single sign-on) server. In other words, each request must be authenticated by the SSO server (the SSO server generates an identity cookie); if it is not, the request is redirected to the SSO login URL. However, a desktop application cannot pop up a browser to obtain SSO authentication.

2) Normally, the user accesses the website via a browser. In some special cases, he or she needs to open a local desktop application. It is a bad experience to ask the user to log in again in the application.

3) Sometimes the same user is logged in to the website and the application at the same time; it is helpful if both connections share the same session.

Prior solutions

Currently, an applet can inherit IE's session and cookies and append them to its RESTful requests. So far, only IE supports applets; recent versions of Firefox and Chrome do not. If your application is written in Java, there is no way to inherit the web session.

Another one is a very tricky approach: the server encrypts the cookies with a private key and shows the result on the page. The user copies it and enters it into the application, and the application decrypts it with the public key. Honestly, this is not strong by the standards of the security policy.

With the second solution, the same SSO authentication is active in two places. To maintain high security, the SSO server may renew the cookie value; in that case, the client gets a non-authenticated exception.

Description

Our solution is to set up a reverse proxy in the browser with JavaScript. We call it JsProxy. The local application listens on a localhost port after starting up. JsProxy keeps a long-lived connection with the server to handle data the server initiates. In the meantime, it sets up another long-lived connection to the local application. Via JsProxy, the local application and the server can communicate with each other.
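The relay step described above, written out as an added example in JavaScript (this is not the article's or the team's JsProxy code): the browser page, which already holds the SSO identity cookie, accepts JSON requests from the local application over a localhost WebSocket, forwards them to the server with fetch(), and hands back the response or a 401 when the server answers with an SSO login redirect. The server origin, the /api/ path prefix, the JSON message shape and the use of redirect:'manual' are assumptions of this example.

```javascript
// Added example, not the article's code: the relay core of a browser-side JsProxy.
// The page already holds the SSO identity cookie; the local app on localhost sends
// JSON {id, method, path, body} and gets back {id, status, body}.

const SERVER_ORIGIN = 'https://app.example.com'; // assumption: SSO-protected REST server
const ALLOWED_PREFIX = '/api/';                   // assumption: only these paths are relayed
const ALLOWED_METHODS = new Set(['GET', 'POST', 'PUT', 'DELETE']);

// Validate one request from the local app and describe the matching fetch() call.
// Returns {ok:true, url, init} or {ok:false, status, body}.
function buildUpstreamRequest(req) {
  if (!req || typeof req.id !== 'number') return { ok: false, status: 400, body: 'missing id' };
  const method = String(req.method || 'GET').toUpperCase();
  if (!ALLOWED_METHODS.has(method)) return { ok: false, status: 405, body: 'method not allowed' };
  if (typeof req.path !== 'string' || !req.path.startsWith(ALLOWED_PREFIX) || req.path.includes('..')) {
    return { ok: false, status: 403, body: 'path not allowed' };
  }
  // credentials:'include' attaches the browser's SSO cookie, so the local app never
  // sees it; redirect:'manual' stops fetch() from following an SSO login redirect
  // and handing the login page back as if it were API data.
  return { ok: true, url: SERVER_ORIGIN + req.path,
           init: { method, body: req.body, credentials: 'include', redirect: 'manual' } };
}

// Map the upstream result to the reply for the local app. A redirect (fetch reports
// it as type 'opaqueredirect' under redirect:'manual') means the browser session
// expired; report 401 so the app can ask the user to log in again in the browser.
function translateUpstreamResponse(id, resp) {
  if (resp.type === 'opaqueredirect' || (resp.status >= 300 && resp.status < 400)) {
    return { id, status: 401, body: 'sso session expired' };
  }
  return { id, status: resp.status, body: resp.body };
}

// Browser glue: one WebSocket to the app on localhost, fetch() to the server.
function startJsProxy(localSocket, fetchFn) {
  localSocket.onmessage = async (ev) => {
    let req = null;
    try { req = JSON.parse(ev.data); } catch (e) { /* rejected below as 400 */ }
    const plan = buildUpstreamRequest(req);
    if (!plan.ok) {
      localSocket.send(JSON.stringify({ id: req && req.id, status: plan.status, body: plan.body }));
      return;
    }
    const r = await fetchFn(plan.url, plan.init);
    const resp = { type: r.type, status: r.status, body: await r.text() };
    localSocket.send(JSON.stringify(translateUpstreamResponse(req.id, resp)));
  };
}
```

In a page, `startJsProxy(new WebSocket('ws://127.0.0.1:PORT'), window.fetch)` wires it up; the two pure functions carry the validation and the session-expiry handling and can be exercised without a browser.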

 


Advantages

1) This solution satisfies the requirement that the two sides communicate with each other through SSO protection.

2) A single session is shared between the website and the local application.

Title

Coordinate SSO and backend RESTful requests with a JavaScript reverse proxy

Abstract

We set up a reverse proxy (JsProxy) with JavaScript in the browser after the user logs in. Through JsProxy, the local application bypasses SSO authentication to communicate with the server. The web page and the local application share the same user session.

