1
我試圖用JBoss模塊做LDAP登錄,但我想我錯過了一些明顯的配置。我的用戶已通過身份驗證,但我可以授予他角色。 JBoss的模塊配置是這樣的:JBoss 7 Ldap適當的角色過濾器
<security-domain name="epuBph">
<authentication>
<login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
<module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
<module-option name="java.naming.provider.url" value="ldap://....."/>
<module-option name="bindDN" value="uid=admin,ou=system"/>
<module-option name="bindCredential" value="secret"/>
<module-option name="allowEmptyPasswords" value="false"/>
<module-option name="Context.REFERRAL" value="follow"/>
<module-option name="throwValidateError" value="true"/>
<module-option name="baseCtxDN" value="ou=user,ou=epubph,ou=system"/>
<module-option name="rolesCtxDN" value="ou=group,ou=epubph,ou=system"/>
<module-option name="baseFilter" value="(uid={0})"/>
<module-option name="roleFilter" value="(uid={0})"/>
<module-option name="roleAttributeIsDN" value="false"/>
<module-option name="roleAttributeID" value="cn"/>
</login-module>
</authentication>
</security-domain>
和日誌從控制檯:
00:45:51,283 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http--127.0.0.1-8080-1) Calling hasUserDataPermission()
00:45:51,284 DEBUG [org.apache.catalina.realm.RealmBase] (http--127.0.0.1-8080-1) User data constraint has no restrictions
00:45:51,285 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http--127.0.0.1-8080-1) Calling authenticate()
00:45:51,293 TRACE [org.jboss.security.authentication.JBossCachedAuthenticationManager] (http--127.0.0.1-8080-1) Begin isValid, principal:admin, cache entry: null
00:45:51,298 TRACE [org.jboss.security.authentication.JBossCachedAuthenticationManager] (http--127.0.0.1-8080-1) defaultLogin, principal=admin
00:45:51,316 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] (http--127.0.0.1-8080-1) Begin getAppConfigurationEntry(epuBph), size=4
00:45:51,343 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] (http--127.0.0.1-8080-1) End getAppConfigurationEntry(epuBph), authInfo=AppConfigurationEntry[]:
[0]
LoginModule Class: org.jboss.security.auth.spi.LdapExtLoginModule
ControlFlag: LoginModuleControlFlag: required
Options:
name=baseFilter, value=(uid={0})
name=java.naming.factory.initial, value=com.sun.jndi.ldap.LdapCtxFactory
name=roleFilter, value=(uid={0})
name=allowEmptyPasswords, value=false
name=bindCredential, value=****
name=bindDN, value=uid=admin,ou=system
name=java.naming.provider.url, value=ldap://xxxxx
name=rolesCtxDN, value=ou=group,ou=epubph,ou=system
name=roleAttributeIsDN, value=false
name=baseCtxDN, value=ou=user,ou=epubph,ou=system
name=Context.REFERRAL, value=follow
name=roleAttributeID, value=cn
name=throwValidateError, value=true
00:45:51,368 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] (http--127.0.0.1-8080-1) initialize
00:45:51,369 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] (http--127.0.0.1-8080-1) Security domain: epuBph
00:45:51,370 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] (http--127.0.0.1-8080-1) login
00:45:51,375 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] (http--127.0.0.1-8080-1) Failed to parse: null, disabling recursion: java.lang.NumberFormatException: null
at java.lang.Integer.parseInt(Integer.java:454) [rt.jar:1.7.0_25]
at java.lang.Integer.parseInt(Integer.java:527) [rt.jar:1.7.0_25]
at org.jboss.security.auth.spi.LdapExtLoginModule.createLdapInitContext(LdapExtLoginModule.java:395) [picketbox-4.0.7.Final.jar:4.0.7.Final]
at org.jboss.security.auth.spi.LdapExtLoginModule.validatePassword(LdapExtLoginModule.java:312) [picketbox-4.0.7.Final.jar:4.0.7.Final]
at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:267) [picketbox-4.0.7.Final.jar:4.0.7.Final]
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.7.0_25]
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) [rt.jar:1.7.0_25]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.7.0_25]
at java.lang.reflect.Method.invoke(Method.java:606) [rt.jar:1.7.0_25]
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:784) [rt.jar:1.7.0_25]
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:203) [rt.jar:1.7.0_25]
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:698) [rt.jar:1.7.0_25]
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:696) [rt.jar:1.7.0_25]
at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.7.0_25]
at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:695) [rt.jar:1.7.0_25]
at javax.security.auth.login.LoginContext.login(LoginContext.java:594) [rt.jar:1.7.0_25]
at org.jboss.security.authentication.JBossCachedAuthenticationManager.defaultLogin(JBossCachedAuthenticationManager.java:449) [picketbox-infinispan-4.0.7.Final.jar:4.0.7.Final]
at org.jboss.security.authentication.JBossCachedAuthenticationManager.proceedWithJaasLogin(JBossCachedAuthenticationManager.java:383) [picketbox-infinispan-4.0.7.Final.jar:4.0.7.Final]
at org.jboss.security.authentication.JBossCachedAuthenticationManager.authenticate(JBossCachedAuthenticationManager.java:371) [picketbox-infinispan-4.0.7.Final.jar:4.0.7.Final]
at org.jboss.security.authentication.JBossCachedAuthenticationManager.isValid(JBossCachedAuthenticationManager.java:160) [picketbox-infinispan-4.0.7.Final.jar:4.0.7.Final]
at org.jboss.as.web.security.JBossWebRealm.authenticate(JBossWebRealm.java:214) [jboss-as-web-7.1.1.Final.jar:7.1.1.Final]
at org.apache.catalina.authenticator.BasicAuthenticator.authenticate(BasicAuthenticator.java:180) [jbossweb-7.0.13.Final.jar:]
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:455) [jbossweb-7.0.13.Final.jar:]
at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:153) [jboss-as-web-7.1.1.Final.jar:7.1.1.Final]
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:155) [jbossweb-7.0.13.Final.jar:]
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) [jbossweb-7.0.13.Final.jar:]
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) [jbossweb-7.0.13.Final.jar:]
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:368) [jbossweb-7.0.13.Final.jar:]
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:877) [jbossweb-7.0.13.Final.jar:]
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:671) [jbossweb-7.0.13.Final.jar:]
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:930) [jbossweb-7.0.13.Final.jar:]
at java.lang.Thread.run(Thread.java:724) [rt.jar:1.7.0_25]
00:45:51,420 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] (http--127.0.0.1-8080-1) Logging into LDAP server, env={java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, Context.REFERRAL=follow, java.naming.security.principal=uid=admin,ou=system, baseCtxDN=ou=user,ou=epubph,ou=system, roleAttributeID=cn, roleFilter=(uid={0}), allowEmptyPasswords=false, rolesCtxDN=ou=group,ou=epubph,ou=system, baseFilter=(uid={0}), jboss.security.security_domain=epuBph, throwValidateError=true, java.naming.provider.url=ldap://xxxxxxx, roleAttributeIsDN=false, bindDN=uid=admin,ou=system, bindCredential=***, java.naming.security.authentication=simple, java.naming.security.credentials=***}
00:45:51,608 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] (http--127.0.0.1-8080-1) Logging into LDAP server, env={java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, Context.REFERRAL=follow, java.naming.security.principal=uid=admin,ou=user,ou=epubph,ou=system, baseCtxDN=ou=user,ou=epubph,ou=system, roleAttributeID=cn, roleFilter=(uid={0}), allowEmptyPasswords=false, rolesCtxDN=ou=group,ou=epubph,ou=system, baseFilter=(uid={0}), jboss.security.security_domain=epuBph, throwValidateError=true, java.naming.provider.url=ldap://xxxxxx, roleAttributeIsDN=false, bindDN=uid=admin,ou=system, bindCredential=***, java.naming.security.authentication=simple, java.naming.security.credentials=***}
00:45:51,730 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] (http--127.0.0.1-8080-1) User 'admin' authenticated, loginOk=true
00:45:51,731 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] (http--127.0.0.1-8080-1) commit, loginOk=true
00:45:51,740 TRACE [org.jboss.security.authentication.JBossCachedAuthenticationManager] (http--127.0.0.1-8080-1) defaultLogin, [email protected], subject=Subject(1695095479)[email protected](admin)[email protected](CallerPrincipal(members:admin))[email protected](Roles(members))
00:45:51,746 TRACE [org.jboss.security.authentication.JBossCachedAuthenticationManager] (http--127.0.0.1-8080-1) End isValid, true
00:45:51,761 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http--127.0.0.1-8080-1) Authenticated 'admin' with type 'BASIC'
00:45:51,762 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http--127.0.0.1-8080-1) Calling accessControl()
00:45:51,764 DEBUG [org.apache.catalina.realm.RealmBase] (http--127.0.0.1-8080-1) Checking roles GenericPrincipal[admin()]
00:45:51,765 DEBUG [org.apache.catalina.realm.RealmBase] (http--127.0.0.1-8080-1) Username admin does NOT have role ADMIN
00:45:51,767 DEBUG [org.apache.catalina.realm.RealmBase] (http--127.0.0.1-8080-1) No role found: ADMIN
00:45:51,768 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http--127.0.0.1-8080-1) Failed accessControl() test
00:45:51,769 TRACE [org.jboss.security.SecurityRolesAssociation] (http--127.0.0.1-8080-1) Setting threadlocal:null
最後LDIF:
version: 1
dn: ou=epubph,ou=system
objectClass: organizationalUnit
objectClass: top
ou: epubph
dn: cn=USER,ou=group,ou=epubph,ou=system
objectClass: groupOfNames
objectClass: top
cn: USER
member: uid=radca
dn: ou=user,ou=epubph,ou=system
objectClass: organizationalUnit
objectClass: top
ou: user
dn: uid=radca,ou=user,ou=epubph,ou=system
objectClass: account
objectClass: simpleSecurityObject
objectClass: top
uid: radca
userPassword:: e3NoYTI1Nn1uNGJRZ1loTWZXV2FMK3FneFZyUUZhTy9UeHNyQzRJczBWMXNGY
kR3Q2dnPQ==
dn: ou=group,ou=epubph,ou=system
objectClass: organizationalUnit
objectClass: top
ou: group
dn: uid=admin,ou=user,ou=epubph,ou=system
objectClass: account
objectClass: simpleSecurityObject
objectClass: top
uid: admin
userPassword:: e3NoYTI1Nn1uNGJRZ1loTWZXV2FMK3FneFZyUUZhTy9UeHNyQzRJczBWMXNGY
kR3Q2dnPQ==
dn: cn=ADMIN,ou=group,ou=epubph,ou=system
objectClass: groupOfNames
objectClass: top
cn: ADMIN
member: uid=admin
可能有人點我的方向是正確的?我相信這很簡單,我失蹤