java Weblogic 10.3:在 WLS 控制台中使用 web.xml 和 DB 角色的 Webapp 安全性
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/5716204/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Weblogic 10.3: Webapp security using web.xml and DB roles inside WLS console
提问by Axel Knauf
Scenario
设想
We are using Weblogic Server 10.3.4 to run our webapp which has security constraints enabled in order to require a user to sign in before he/she can use the application. The user and group information shall reside in the application database, the authentication shall be handled by WLS (the container).
我们正在使用 Weblogic Server 10.3.4 来运行我们的 webapp,它启用了安全约束,以便要求用户在他/她可以使用应用程序之前登录。用户和组信息应驻留在应用程序数据库中,身份验证应由 WLS(容器)处理。
I have set up a database schema as described in this blog article, set up a new Security Realm "app.realm" in WLS console and defined a SQLAuthenticatorinside it.
我已经按照这篇博客文章中的描述设置了一个数据库架构,在 WLS 控制台中设置了一个新的安全领域“app.realm”并SQLAuthenticator在其中定义了一个。
After having restarted WLS I can see my user and group definitons from the database in "app.realm" in the WLS web console. The user I am trying to authenticate is member of the WEBAPP_USERgroup (I see the group membership on the user's detail page in WLS console).
重新启动 WLS 后,我可以在 WLS Web 控制台的“app.realm”中的数据库中看到我的用户和组定义。我尝试验证的用户是WEBAPP_USER该组的成员(我在 WLS 控制台的用户详细信息页面上看到了组成员身份)。
When I deploy the application (using standard settings, no adjustments in the WLS web console) and call a protected URL, I am redirected to the login.htmlform as expected. However, no matter what I try, entering the (right) password always yields authentication failure sending me to the login_error.htmlpage. For debugging purposes, I have enabled plain text passwords in my SQLAuthenticator, so I am pretty sure having used proper credentials.
当我部署应用程序(使用标准设置,在 WLS Web 控制台中没有调整)并调用受保护的 URL 时,我login.html按预期重定向到表单。但是,无论我尝试什么,输入(正确的)密码总是会导致身份验证失败,将我发送到该login_error.html页面。出于调试目的,我在我的 中启用了纯文本密码SQLAuthenticator,所以我很确定使用了正确的凭据。
I already saw thesetwothreads, but neither seems to help with my problem.
Update 1
更新 1
Thanks to emzy's comment I now see that WLS is checking the credentials against the default realm "myrealm" and tries to resolve the login username against the embedded LDAP:
感谢 emzy 的评论,我现在看到 WLS 正在根据默认领域“myrealm”检查凭据,并尝试针对嵌入式 LDAP 解析登录用户名:
...
####<20.04.2011 09:29 Uhr MESZ> <Debug> <SecurityAtn> <hostname> <AdminServer> <[ACTIVE] ExecuteThread: '6' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1303284573150> <BEA-000000> <getDNForUser search("ou=people,ou=myrealm,dc=nvs_dev", "(&(uid=app.user)(objectclass=person))", base DN & below)>
####<20.04.2011 09:29 Uhr MESZ> <Debug> <SecurityAtn> <hostname> <AdminServer> <[ACTIVE] ExecuteThread: '6' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1303284573150> <BEA-000000> <DN for user app.user: null>
####<20.04.2011 09:29 Uhr MESZ> <Debug> <SecurityAtn> <hostname> <AdminServer> <[ACTIVE] ExecuteThread: '6' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1303284573150> <BEA-000000> <returnConnection conn:LDAPConnection { ldapVersion:2 bindDN:""}>
####<20.04.2011 09:29 Uhr MESZ> <Debug> <SecurityAtn> <hostname> <AdminServer> <[ACTIVE] ExecuteThread: '6' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1303284573151> <BEA-000000> <javax.security.auth.login.FailedLoginException: [Security:090302]Authentication Failed: User app.user denied
at weblogic.security.providers.authentication.LDAPAtnLoginModuleImpl.login(LDAPAtnLoginModuleImpl.java:229)
at com.bea.common.security.internal.service.LoginModuleWrapper.run(LoginModuleWrapper.java:110)
at java.security.AccessController.doPrivileged(Native Method)
...
Update 2
更新 2
I now performed these steps and get the authentication to work:
我现在执行了这些步骤并使身份验证工作:
- Add the
SQLAuthenticatorto the default realm "myrealm" in WLS console - Set both Weblogic's
DefaultAuthenticatorand the newSQLAuthenticatorasSUFFICIENTin the respective provider settings (the "JAAS control flag" how they call it) - Restart WLS
- 添加
SQLAuthenticator到 WLS 控制台中的默认领域“myrealm” - 同时设置Weblogic的
DefaultAuthenticator和新的SQLAuthenticator作为SUFFICIENT在各自的供应商设置(“JAAS控制标志”他们怎么称呼它) - 重启 WLS
One questions remains, though:
不过,还有一个问题:
Questions
问题
Does WLS have some additional logging besides the standard log files in the<domain>/server/AdminServer/logsfolder where I can see what happens?What am I doing wrong / What part in the puzzle am I missing to get my form-based authentication to work with my application?- Why does WLS use "myrealm" for authentication when I am giving "app.realm" explicitly in my
web.xml?
除了文件<domain>/server/AdminServer/logs夹中的标准日志文件之外,WLS 是否还有一些额外的日志记录,我可以在其中查看会发生什么?我做错了什么/我错过了让基于表单的身份验证与我的应用程序一起使用的难题的哪一部分?- 为什么 WLS 在我的
web.xml.
Here are my configuration details:
这是我的配置详细信息:
web.xml
网页.xml
...
<security-constraint>
<web-resource-collection>
<web-resource-name>Webapp Platform</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>USER</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<realm-name>app-realm</realm-name>
<form-login-config>
<form-login-page>/login.html</form-login-page>
<form-error-page>/login_error.html</form-error-page>
</form-login-config>
</login-config>
<security-role>
<description>Standard user</description>
<role-name>USER</role-name>
</security-role>
...
weblogic.xml
网络逻辑文件
<wls:weblogic-web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:wls="http://www.bea.com/ns/weblogic/weblogic-web-app"
xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd http://www.bea.com/ns/weblogic/weblogic-web-app http://www.bea.com/ns/weblogic/weblogic-web-app.xsd">
...
<security-role-assignment>
<role-name>USER</role-name>
<principal-name>WEBAPP_USER</principal-name>
</security-role-assignment>
</wls:weblogic-web-app>
login.html
登录.html
<html>
<head>
<title>Login</title>
</head>
<body>
<form method="POST" action="j_security_check">
<table>
<tr><td>Username:</td><td><input type="text" name="j_username"></td></tr>
<tr><td>Password:</td><td><input type="password" name="j_password"></td></tr>
<tr><td colspan=2 align=right><input type=submit value="Submit"></td></tr>
</table>
</form>
</body>
</html>
回答by Markus Eisele
that's a tricky concept with the auth realms. Regarding your last open question: - Why does WLS use "myrealm" for authentication when I am giving "app.realm" explicitly in my web.xml?
对于身份验证领域,这是一个棘手的概念。关于您最后一个悬而未决的问题: - 当我在 web.xml 中明确提供“app.realm”时,为什么 WLS 使用“myrealm”进行身份验证?
You can configure multiple security realms in WebLogic, however only ONE can be active ( in this case the default myrealm). That is one of the annoying limitiations unofrtunately Inactive ones are not used at all. Referencing an inactive realm in web.xml have no effect.
您可以在 WebLogic 中配置多个安全领域,但是只有一个可以处于活动状态(在本例中为默认 myrealm)。这是令人讨厌的限制之一,不幸的是,根本不使用不活动的限制。在 web.xml 中引用非活动领域没有任何效果。
look here http://docs.oracle.com/cd/E24329_01/web.1211/e24422/overview.htm#i1093279
看这里http://docs.oracle.com/cd/E24329_01/web.1211/e24422/overview.htm#i1093279
回答by Musannif Zahir
Under the Server -> Debug tab on the console, you can enable debug/trace level logging. I would try enabling all of the security related logs to see if shows any warnings or exceptions.
在控制台的 Server -> Debug 选项卡下,您可以启用调试/跟踪级别日志记录。我会尝试启用所有与安全相关的日志,以查看是否显示任何警告或异常。
