OC4J to WebLogic 12c migration and security configuration questions


Question

In OC4J, we were using a custom JAAS LoginModule. I've created a SqlAuthenticator that replicates that same logic, and that seems to work. For our app, when I go to the login page and enter the wrong password, it sends me to the login failed page. That part's fine.

However, when I enter the correct password, WebLogic just sends me back to the welcome page, with no message. I can't find anything in the log files to help me out. I'm guessing that it's an authorization problem, as opposed to an authentication problem. I had assumed that the SqlAuthenticator would take care of that since it's able to fetch both groups and users of our app from the database.

I've never dealt with "roles" before. I'm not sure how they differ from "groups", which is all we really need. Do I need to define roles? Do they get tied to "groups"? Is it the roles and policies that need to be configured? What am I missing?

Here's a snippet of the log file:

<SecurityAtz> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1416943077504> <BEA-000000> <  Roles:Admin,Anonymous> 
<SecurityAtz> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1416943077504> <BEA-000000> <  Resource: type=<url>, application=ifactory-security, contextPath=/ifactory-security, uri=/secure/index.jsp, httpMethod=GET> 
<SecurityAtz> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1416943077504> <BEA-000000> <  Direction: ONCE> 
<SecurityAtz> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1416943077504> <BEA-000000> <  Context Handler: > 
<SecurityEEngine> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1416943077504> <BEA-000000> <evaluate([Users: gkephart|Groups: Final Quality Control Release,users,EDA Failover,Enroll Administrators,Read Only,QA Documentation,Etrack2 Administrators|Roles: not null], type=<url>, application=ifactory-security, contextPath=/ifactory-security, uri=/secure/index.jsp, httpMethod=GET)> 
<SecurityEEngine> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1416943077504> <BEA-000000> <Evaluating resource weblogic.entitlement.data.EResource@3557103 with expression: {Rol(Etrack2 Administrators,Etrack2 Administrators)}> 
<SecurityEEngine> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1416943077504> <BEA-000000> <Evaluation result: false> 
<SecurityAtz> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1416943077504> <BEA-000000> <Default Authorization isAccessAllowed(): returning DENY> 
<SecurityAtz> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1416943077504> <BEA-000000> <com.bea.common.security.internal.service.AccessDecisionServiceImpl.isAccessAllowed AccessDecision returned DENY> 
<SecurityAdjudicator> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1416943077504> <BEA-000000> <com.bea.common.security.internal.service.AdjudicationServiceImpl.adjudicate Results=[ DENY ]> 
<SecurityAdjudicator> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1416943077504> <BEA-000000> <com.bea.common.security.internal.service.AdjudicationServiceImpl.adjudicate Resource=type=<url>, application=ifactory-security, contextPath=/ifactory-security, uri=/secure/index.jsp, httpMethod=GET> 
<SecurityAdjudicator> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1416943077504> <BEA-000000> <DefaultAdjudicatorImpl.adjudicate results: DENY > 
<SecurityAdjudicator> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1416943077504> <BEA-000000> <com.bea.common.security.internal.service.AdjudicationServiceImpl.adjudicate Adjudictor returned false, returning that value> 
<SecurityAtz> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1416943077504> <BEA-000000> <com.bea.common.security.internal.service.AuthorizationServiceImpl.isAccessAllowed returning adjudicated: false> 

Here's the pertinent part of the web.xml:

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>SecurePages</web-resource-name>
      <description>All secure pages</description>
      <url-pattern>/secure/*</url-pattern>
      <http-method>POST</http-method>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>Etrack2 Administrators</role-name>
    </auth-constraint>
    <user-data-constraint>
      <description>SSL not required</description>
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/login_failed.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <security-role>
    <role-name>Etrack2 Administrators</role-name>
  </security-role>

Here's my weblogic.xml. Note that I've added a group and a user as principals.

<weblogic-web-app xmlns="http://xmlns.oracle.com/weblogic/weblogic-web-app">
  <description><![CDATA[Generated by XDoclet. Use weblogicwebxml's description attribute to modify this value.]]></description>
  <weblogic-version>12</weblogic-version>
  <!-- 
    If you do not define a security-role-assignment element and its sub-elements, the Web application container implicitly 
    maps the role name as a principal name and logs a warning. 
    The EJB container does not deploy the module if mappings are not defined.

    Consider the following usage scenarios for the role name is "role_xyz"
    * If you map "role_xyz" to user "joe" in weblogic.xml, role_xyz becomes a local role.
    * If you specify role_xyz as an externally defined role, it becomes global (it refers to the role defined at the realm level).
    * If you do not define a security-role-assignment element, role_xyz becomes a local role, 
      and the Web application container creates an implicit mapping to it and logs a warning.
  -->
  <security-role-assignment>
    <role-name>Etrack2 Administrators</role-name>
    <principal-name>Etrack2 Administrators</principal-name>
    <principal-name>gkephart</principal-name>
  </security-role-assignment>
  <context-root>/ifactory-security</context-root>
</weblogic-web-app>

Answer

With the log file and the web.xml, I can see that you do need to set up security roles that your users/groups can be a part of. Right now, your user has no associated roles, so you are denied.

In your web.xml you need to create a security-role after </login-config> like:

<security-role>
   <role-name>Etrack2 Administrators</role-name>
</security-role>

Then in your weblogic.xml file, you need to define who has access to that role. Based on your error message it looks like you already have an Etrack2 Administrators group set up, which gkephart is in. That group is the principal-name below. You could also specify individual user names if need be, but a group should be sufficient:

<security-role-assignment>
   <role-name>Etrack2 Administrators</role-name>
   <principal-name>Etrack2 Administrators</principal-name>
</security-role-assignment>

See the Oracle docs here for more info.

This is a decent example as well on how to do it via the weblogic console and deployment descriptors.

Notes on implicit role mapping taken from the Oracle docs here:

Use implicit role assignment if you want to hard-code your role mapping at deployment time to a known principal name.

With implicit role assignment (omitting security-role-assignment in weblogic.xml), WebLogic assigns a security-role name to a role of the exact same name. Note that implicit role mapping takes place regardless of whether the role name defined is actually available in the security realm. For example, if you use the "everyone" role in web.xml but you do not explicitly assign the role in weblogic.xml, the server displays the warning:

<Webapp: ServletContext(id=id,name=application,context-path=/context), the 
role: everyone defined in web.xml has not been mapped to principals in 
security-role-assignment in weblogic.xml. Will use the rolename itself 
as the principal-name.>

You can turn that message off. See the docs here for more info.
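An added example, not part of the question or the answer: a small Python checker that reads a web.xml/weblogic.xml pair, reports roles that an auth-constraint requires but that are undeclared or left to the implicit mapping the quoted docs warn about, and then simulates the Rol(role, principal) check seen in the question's log for a URL and a caller's user and group names. The sample descriptors are constructed from the ones in the question (wrapped in root elements, comments dropped); realm-level roles defined in the WebLogic console are an assumption it does not cover.

```python
import xml.etree.ElementTree as ET

def _texts(el, name):  # text of descendants whose local (namespace-stripped) tag is `name`
    return [c.text.strip() for c in el.iter() if c.tag.rsplit("}", 1)[-1] == name and c.text]

def _named(root, name):  # elements by local tag; web.xml and weblogic.xml use different namespaces
    return [el for el in root.iter() if el.tag.rsplit("}", 1)[-1] == name]

def parse_descriptors(web_xml, weblogic_xml):
    """Return (declared roles, [(url-patterns, required roles)], role -> principals)."""
    web, wl = ET.fromstring(web_xml), ET.fromstring(weblogic_xml)
    declared = {r for el in _named(web, "security-role") for r in _texts(el, "role-name")}
    constraints = [(_texts(el, "url-pattern"), _texts(el, "role-name"))
                   for el in _named(web, "security-constraint")]
    mapping = {r: set(_texts(el, "principal-name"))
               for el in _named(wl, "security-role-assignment") for r in _texts(el, "role-name")}
    return declared, constraints, mapping

def lint(declared, constraints, mapping):  # findings a deployer wants before the server logs them
    findings = []
    for patterns, roles in constraints:
        for role in roles:
            if role not in declared:
                findings.append(f"{patterns}: '{role}' is not declared in a security-role")
            if role not in mapping:
                findings.append(f"'{role}' has no security-role-assignment; implicit mapping to principal '{role}'")
    return findings

def _matches(pattern, url):  # servlet url-pattern: '/prefix/*', '*.ext', or exact
    if pattern.endswith("/*"):
        return url == pattern[:-2] or url.startswith(pattern[:-1])
    return url.endswith(pattern[1:]) if pattern.startswith("*.") else url == pattern

def access_allowed(constraints, mapping, url, principals):
    """Mirror the log's Rol(role, principal) check: some required role must map, explicitly or
    implicitly to its own name, onto a user or group the caller carries. No role-name => deny all."""
    for patterns, roles in constraints:
        if any(_matches(p, url) for p in patterns):
            return any(mapping.get(r, {r}) & principals for r in roles)
    return True  # URL not covered by any constraint

# Constructed from the question's descriptors: wrapped in root elements, comments dropped.
WEB_XML = """<web-app><security-constraint><web-resource-collection>
  <url-pattern>/secure/*</url-pattern><http-method>GET</http-method></web-resource-collection>
  <auth-constraint><role-name>Etrack2 Administrators</role-name></auth-constraint></security-constraint>
  <security-role><role-name>Etrack2 Administrators</role-name></security-role></web-app>"""
WEBLOGIC_XML = """<weblogic-web-app xmlns="http://xmlns.oracle.com/weblogic/weblogic-web-app">
  <security-role-assignment><role-name>Etrack2 Administrators</role-name>
  <principal-name>Etrack2 Administrators</principal-name><principal-name>gkephart</principal-name>
  </security-role-assignment></weblogic-web-app>"""
# Principals as the SecurityEEngine line in the question lists them (user plus groups, abridged).
GKEPHART = {"gkephart", "users", "Read Only", "Etrack2 Administrators"}
```

With the descriptors exactly as shown in the question, lint() reports nothing and the simulated decision for gkephart on /secure/index.jsp is ALLOW, which is the configuration the answer describes; the same descriptors with the security-role-assignment removed produce the implicit-mapping finding instead.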
