Introduction to the implementation of full SSL protection at the post office

Source: Internet
Author: User

Currently, most post office service providers limit their security protection to an HTTPS login. After a successful login, all user requests go over plain HTTP. With user security in mind, the post office products have undergone a major upgrade so that users are protected by SSL from the login service through to the end of their access. Below we share the full SSL protection solution used in the post office products.

1. As we all know, achieving full HTTPS access starts with solving the SSL certificate problem. For an ordinary application service, one domain name corresponds to one service, so purchasing and configuring one SSL certificate is enough to put the whole service on HTTPS. For a company like ours that focuses on SaaS services, most customers log on to the services they bought through their own domain names, so multiple domain names have to share one SSL certificate (it is not feasible for each customer domain to purchase its own certificate). We therefore use a login model in which many domains share a single SSL certificate: after login, all access goes over HTTPS through one unified address.

For example, mail.a.com and mail.b.com are both used to access webmail; after login, both domain names are served through the unified address https://mail.serverhost.com.

2. All our product lines use CAS-based single sign-on. So to achieve full HTTPS access to the post office products, the main work is some business processing around Jasig CAS. First, let's briefly introduce how CAS works (for details about CAS, please google).

1. The core idea of CAS is sharing a client-side cookie across services.

2. CAS has two core objects: the TGT and the ST. The TGT is a cookie object encapsulated by CAS and written to the browser client. The ST is a ticket created by the CAS server for each CAS client.

3. Logon authentication for every client service is redirected to the CAS server. The CAS server uses the TGT to determine whether the user has already completed logon verification. If there is no TGT, the user is asked to fill in the verification form on the login page. After verification succeeds, the CAS server generates a TGT object and writes it to the browser client. At the same time, it creates an ST for the requesting service and redirects back to that service with the ST as a request parameter. The service takes the ST and goes to the CAS server to verify its validity. If the ST is valid, access to the service is allowed.

That is a brief introduction to how CAS works. It follows that the ST is where we need to do the work to get full HTTPS access.

Analyzing the CAS source code shows that, after verification succeeds, CAS redirects to the service named in the service request parameter, and that internally the targetService parameter takes precedence over it. So if the user selects full SSL protection at login, the request carries a targetService parameter, which directs the CAS server to jump to the targetService (after verification succeeds) and to generate the ST for the targetService. The targetService parameter is the key here: it is tied to the HTTPS serverHost configured on each server.

Once this targetService (HTTPS) redirection is complete, the user has been successfully steered to access the post office service over HTTPS.
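The precedence rule and the service-bound ST described above, as an added example that is not CAS source code or the product's own code. ToyCas is a hypothetical stand-in for the CAS server, and the CAS login URL, the /webmail path and the host allowlist are assumptions; only mail.a.com, mail.b.com and mail.serverhost.com come from the article.

```python
import secrets
from urllib.parse import urlencode, urlsplit

CAS_LOGIN = "https://cas.example.test/login"   # assumed CAS address
UNIFIED_HTTPS_HOST = "mail.serverhost.com"     # unified address from the article
ALLOWED_SERVICE_HOSTS = {"mail.a.com", "mail.b.com", UNIFIED_HTTPS_HOST}


def login_redirect(customer_host, full_ssl):
    """URL the webmail sends an unauthenticated browser to."""
    params = {"service": f"http://{customer_host}/webmail"}
    if full_ssl:
        # Full SSL chosen at login: steer CAS to the unified HTTPS address.
        params["targetService"] = f"https://{UNIFIED_HTTPS_HOST}/webmail"
    return f"{CAS_LOGIN}?{urlencode(params)}"


class ToyCas:
    """Hypothetical, minimal model of the CAS server's ST handling."""

    def __init__(self):
        self._tickets = {}  # ST -> service URL it was issued for

    def issue_st(self, params):
        # targetService takes precedence over service, as the article describes.
        target = params.get("targetService") or params["service"]
        parts = urlsplit(target)
        # Only registered hosts may receive a ticket (added safeguard).
        if parts.hostname not in ALLOWED_SERVICE_HOSTS:
            raise ValueError("service host is not registered")
        if "targetService" in params and parts.scheme != "https":
            raise ValueError("full SSL target must use https")
        st = "ST-" + secrets.token_urlsafe(16)
        self._tickets[st] = target
        return target, st

    def validate(self, st, service):
        # One-time use, and only for the exact service the ST was issued to.
        return self._tickets.pop(st, None) == service
```

Because the ST is generated for the targetService, only the HTTPS unified address can validate it; the customer's HTTP address cannot.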

3. Keeping HTTPS access when the user switches between multiple services and then returns to the post office system.

We mainly use the Cookie mechanism. Of course, you could also use the Session mechanism; all roads lead to Rome. When the CAS server verifies the request, we record in a Cookie, based on the user's choice, whether full HTTPS access was selected. Note that this Cookie is written for the post office service (not the CAS service), with its path set to the root directory, and its validity period is the browser session. This way, after the user switches to other services and then back to the post office, we still remember the current user's SSL protection status.
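One way to implement the status Cookie described above, as an added example that is not the product's own code. The cookie name fullssl and both function names are hypothetical; the example assumes the Cookie holds only the preference flag and never a credential, since it has to be readable on a plain HTTP request to trigger the switch back to HTTPS.

```python
from http.cookies import SimpleCookie

SSL_FLAG = "fullssl"                          # hypothetical cookie name
UNIFIED_HTTPS = "https://mail.serverhost.com" # unified address from the article


def remember_ssl_choice(full_ssl):
    """Set-Cookie value issued by the post office service (not by CAS)."""
    jar = SimpleCookie()
    jar[SSL_FLAG] = "1" if full_ssl else "0"
    jar[SSL_FLAG]["path"] = "/"   # root path: sent with every request
    # No Expires or Max-Age attribute, so the Cookie lasts only for the
    # browser session. No Domain attribute, so it stays on the host that
    # set it and is never sent to the CAS server.
    return jar[SSL_FLAG].OutputString()


def upgrade_target(scheme, path, cookie_header):
    """Return the HTTPS URL to redirect to, or None if no switch is needed."""
    jar = SimpleCookie(cookie_header or "")
    wants_ssl = SSL_FLAG in jar and jar[SSL_FLAG].value == "1"
    if wants_ssl and scheme != "https":
        # The user chose full SSL earlier in this browser session but came
        # back from another service over HTTP: send them to HTTPS again.
        return UNIFIED_HTTPS + path
    return None
```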

4. Finally, let's talk about some problems that arise during HTTPS access to the post office service. Browser security restrictions: in IE8 and earlier versions, if an HTTPS application loads HTTP resources, the browser shows a security warning. This really hurts user interaction. What to do? It has to be eliminated.

Because the post office is already a very large and mature system, it is inevitable that some internal resources are configured with HTTP, so our next job is to eliminate all HTTP requests in the system. First, we try to normalize all resource request paths and use relative paths. Second, for requests that cannot be normalized this way, we try to replace the ServerName on the client side. There are also some nested external systems, so we need to make sure that they support HTTPS too. If there is no way to do that, we can only accept it.
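A small audit for the cleanup described above, as an added example that is not the product's own code: it finds resources loaded over http://, proposes a relative path for those on the service's own hosts, and lists external ones whose HTTPS support must be checked. The sample page and the widgets.example.test host are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes that load a subresource; <a href> is navigation, not mixed content.
LOADING_ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}


class MixedContentAudit(HTMLParser):
    def __init__(self, own_hosts):
        super().__init__()
        self.own_hosts = own_hosts
        self.make_relative = []  # (tag, old URL, relative replacement)
        self.external = []       # (tag, URL) on hosts we do not control

    def handle_starttag(self, tag, attrs):
        attr = LOADING_ATTRS.get(tag)
        url = dict(attrs).get(attr) if attr else None
        if not url or not url.lower().startswith("http://"):
            return  # relative or already https
        parts = urlsplit(url)
        if parts.hostname in self.own_hosts:
            rel = parts.path or "/"
            if parts.query:
                rel += "?" + parts.query
            self.make_relative.append((tag, url, rel))
        else:
            self.external.append((tag, url))


def audit(html, own_hosts):
    parser = MixedContentAudit(set(own_hosts))
    parser.feed(html)
    return parser.make_relative, parser.external


# Constructed sample page, not taken from the product.
SAMPLE = """
<link rel="stylesheet" href="http://mail.a.com/css/main.css">
<script src="/js/app.js"></script>
<img src="http://mail.serverhost.com/img/logo.png?v=2">
<iframe src="http://widgets.example.test/calendar"></iframe>
<a href="http://mail.a.com/help">Help</a>
"""
```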

The above is my humble opinion on SSL protection.

Original article address: Let's talk about the implementation of SSL protection throughout the post office. Thank you for sharing it with me.
