Automatic NTLM Authentication for WSO2 ESB


Question

I have a WCF Web Service sitting on a client's IIS server secured with NTLM authentication - I have no control over the authentication configuration on that server.

I need to integrate my WSO2 ESB server with this service, but I can't find a way to get the ESB to authenticate automatically. I have successfully pushed requests through the ESB to the service with web applications, but I was prompted to provide my Windows credentials during that process - I would like for this to not happen.

I have attempted to set up an NTLM proxy on my server, but couldn't figure this out either.

Any guidance would be greatly appreciated.

Strainy

Answer

There were a few components to getting this working correctly. It's hard to find it all written down in one place, so I'll attempt to provide an end-to-end overview here.

I first had to use a class mediator within my WSO2 ESB in-sequence to handle the sending and the NTLM authentication. The class mediator references a custom class which takes the message context from the mediation flow (called the Synapse message context) and extracts the SOAP envelope. I then loaded the Synapse SOAP envelope into an Axis2 message context object. I then used an Axis2 client along with the message context to submit my authenticated request to the server. The authentication for NTLM through Axis2 comes from the JCIFS_NTLMScheme class, which you can reference here.

Note: you will have to adjust the logging in that class to get it working with WSO2. I just removed the "org.sac.crosspather.common.util*" library and changed any logging I saw to use the Apache Commons logging functionality.


Create a new project in Developer studio. Right click the project node in the project explorer and select "New > Mediator Project".

This will generate a bit of boilerplate code for you - that is, a class which extends AbstractMediator and implements a "mediate()" method, which Synapse will call when it comes to executing the logic defined within your sequence.

public class NTLMAuthorisation extends AbstractMediator {

  public boolean mediate(MessageContext context){

    //Mediation Logic

    return true;

  }

}


The class mediator looks for variables which are publicly accessible and exposes them in the WSO2 configuration. This is helpful before you can create a re-usable mediator which adapts itself to properties or values defined in the WSO2 Carbon Web UI. Here we need to expose seven variables: soapAction, SoapEndpoint, domain, host, port, username, and password. Expose the variables by defining your instance variables, along with their accessors and mutators.

This is all really quite useful for using the WSO2 Secure Vault to store your NTLM password and fetching other configuration from a system registry with properties.

//Synapse types the mediator depends on
import org.apache.synapse.MessageContext;
import org.apache.synapse.mediators.AbstractMediator;

public class NTLMAuthorisation extends AbstractMediator {

    //Each private field below has a public getter/setter pair, which is what
    //the class mediator inspects to expose the value as a <property> in the
    //sequence configuration
    private String soapAction;
    private String soapEndpoint;
    private String domain;
    private String host;
    private int port;
    private String username;
    private String password;

    public boolean mediate(MessageContext context) {

        //Mediation Logic

        return true;

    }

    public void setSoapAction(String _soapAction){
        soapAction = _soapAction;
    }

    public String getSoapAction(){
        return soapAction;
    }

    public void setSoapEndpoint(String _soapEndpoint){
        soapEndpoint = _soapEndpoint;
    }

    public String getSoapEndpoint(){
        return soapEndpoint;
    }

    public void setDomain(String _domain){
        domain = _domain;
    }

    public String getDomain(){
        return domain;
    }

    public void setHost(String _host){
        host = _host;
    }

    public String getHost(){
        return host;
    }

    public void setPort(int _port){
        port = _port;
    }

    public int getPort(){
        return port;
    }

    public void setUsername(String _username){
        username = _username;
    }

    public String getUsername(){
        return username;
    }

    public void setPassword(String _password){
        password = _password;
    }

    public String getPassword(){
        return password;
    }

}


Make sure you have created a JCIFS_NTLMScheme class from here and have added the org.samba.jcifs dependency to your Maven dependencies like so:

<dependency>
  <groupId>org.samba.jcifs</groupId>
  <artifactId>jcifs</artifactId>
  <version>1.3.17</version>
</dependency>

Now you can use the following mediate method in your custom mediator class:

//Imports needed by this method (add them to NTLMAuthorisation.java);
//JCIFS_NTLMScheme is assumed to live in the same package
import java.util.ArrayList;

import org.apache.axiom.soap.SOAPEnvelope;
import org.apache.axis2.AxisFault;
import org.apache.axis2.Constants;
import org.apache.axis2.addressing.EndpointReference;
import org.apache.axis2.client.OperationClient;
import org.apache.axis2.client.Options;
import org.apache.axis2.client.ServiceClient;
import org.apache.axis2.transport.http.HTTPConstants;
import org.apache.axis2.transport.http.HttpTransportProperties;
import org.apache.axis2.wsdl.WSDLConstants;
import org.apache.commons.httpclient.auth.AuthPolicy;
import org.apache.synapse.MessageContext;

public boolean mediate(MessageContext context) {

    //Build NTLM Authentication Scheme (the registration is static, so
    //repeating it on every call is harmless)
    AuthPolicy.registerAuthScheme(AuthPolicy.NTLM, JCIFS_NTLMScheme.class);
    HttpTransportProperties.Authenticator auth = new HttpTransportProperties.Authenticator();
    auth.setUsername(username);
    auth.setPassword(password);
    auth.setDomain(domain);
    auth.setHost(host);
    auth.setPort(port);
    ArrayList<String> authPrefs = new ArrayList<String>();
    authPrefs.add(AuthPolicy.NTLM);
    auth.setAuthSchemes(authPrefs);

    ServiceClient serviceClient = null;

    //Force Authentication - failures will get caught in the catch block
    try {

        //Build ServiceClient and set Authorization Options
        serviceClient = new ServiceClient();
        Options options = new Options();
        options.setProperty(HTTPConstants.AUTHENTICATE, auth);
        options.setTransportInProtocol(Constants.TRANSPORT_HTTP);
        options.setTo(new EndpointReference(soapEndpoint));
        options.setAction(soapAction);
        serviceClient.setOptions(options);

        //Generate an OperationClient from the ServiceClient to execute the request
        OperationClient opClient = serviceClient.createClient(ServiceClient.ANON_OUT_IN_OP);

        //Have to translate MsgCtx from Synapse to Axis2
        org.apache.axis2.context.MessageContext axisMsgCtx = new org.apache.axis2.context.MessageContext();
        axisMsgCtx.setEnvelope(context.getEnvelope());
        opClient.addMessageContext(axisMsgCtx);

        //Send the request to the server (blocking call)
        opClient.execute(true);

        //Retrieve Result and replace mediation (synapse) context
        SOAPEnvelope result = opClient.getMessageContext(WSDLConstants.MESSAGE_LABEL_IN_VALUE).getEnvelope();
        context.setEnvelope(result);

    } catch (AxisFault e) {

        //Transport-level failures (a 401 after a rejected NTLM handshake, a
        //refused connection) carry no SOAP fault code element, so guard against null
        String code = e.getFaultCodeElement() != null
                ? e.getFaultCodeElement().getText()
                : e.getMessage();
        context.setProperty("ResponseCode", code);

        //Returning false only stops the rest of this sequence; it does not run the
        //fault sequence. handleException() throws a SynapseException, which does.
        handleException("NTLM call to " + soapEndpoint + " failed: " + code, e, context);
        return false; //not reached: handleException throws

    } finally {

        //Release the HTTP connection so the transport pool is not exhausted under load
        if (serviceClient != null) {
            try {
                serviceClient.cleanupTransport();
            } catch (AxisFault ignore) {
                //nothing useful left to do; the call already completed or failed
            }
        }

    }

    return true;

}


At this stage you should be able to select your custom mediator project within the project explorer in WSO2 Developer Studio and, from the context menu, choose Export Project as Deployable Archive. Follow the prompts to save the JAR file somewhere on your system. After generating the JAR file, locate it and transfer it to the [ESB_HOME]/repository/components/dropins directory. You may need to restart the server for it to detect the new external library.


In your sequence, you should now be able to add a class mediator and reference your custom class using the package name and class name together, for example: org.strainy.ntlmauthorisation.
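As an added example (this is not part of the original answer or the author's project), the following Synapse proxy configuration shows one way to wire the mediator above into an in-sequence and to deal with its failures. The proxy name, SOAP action, endpoint URL, domain, host, user name and the Secure Vault alias are placeholder values chosen for illustration; `org.strainy.ntlmauthorisation.NTLMAuthorisation` is the class name from the answer. It assumes an ESB release that ships the respond mediator (4.8.0 or later) and that the mediator reports failures by raising a Synapse fault (for example through AbstractMediator.handleException); a mediator that merely returns false stops the in-sequence without running the fault sequence. It also contrasts the weak way of supplying the NTLM password (a literal in the configuration) with a Secure Vault lookup.

```xml
<proxy xmlns="http://ws.apache.org/ns/synapse"
       name="NtlmBackendProxy"
       transports="http https"
       startOnLoad="true">
  <target>
    <inSequence>

      <!-- Preferred: resolve the NTLM password at runtime from an encrypted
           Secure Vault alias (alias name is a placeholder) instead of writing
           it into the configuration. The mediator as posted reads its static
           "password" property, so to consume this value it would have to call
           context.getProperty("ntlm.password") instead. -->
      <property name="ntlm.password"
                expression="wso2:vault-lookup('esb.ntlm.password')"
                scope="default"/>

      <!-- Fully qualified class name, with one <property> per exposed setter.
           The string "443" is converted to int for setPort(int) by Synapse. -->
      <class name="org.strainy.ntlmauthorisation.NTLMAuthorisation">
        <property name="soapAction"   value="http://tempuri.org/IService/GetData"/>
        <property name="soapEndpoint" value="https://backend.example.com/Service.svc"/>
        <property name="domain"       value="CORP"/>
        <property name="host"         value="backend.example.com"/>
        <property name="port"         value="443"/>
        <property name="username"     value="svc-esb"/>
        <!-- Weak form: a literal password. Anyone who can read the
             synapse-config files or the Carbon admin UI can read it.
             Remove once the mediator takes the vault-derived value. -->
        <property name="password"     value="change-me"/>
      </class>

      <!-- The mediator replaced the request envelope with the backend's
           response and returned true, so there is no endpoint left to send
           to: hand the envelope straight back to the caller. -->
      <respond/>

    </inSequence>

    <faultSequence>
      <!-- Runs only when the mediator raises a Synapse fault. Log the
           ResponseCode property the mediator set, never the credentials. -->
      <log level="custom">
        <property name="message"      value="NTLM backend call failed"/>
        <property name="ResponseCode" expression="get-property('ResponseCode')"/>
      </log>
      <!-- Return a generic SOAP fault to the client rather than the raw
           backend error, which may reveal host or account details. -->
      <makefault version="soap11">
        <code xmlns:soap11Env="http://schemas.xmlsoap.org/soap/envelope/"
              value="soap11Env:Server"/>
        <reason value="Backend call failed"/>
      </makefault>
      <respond/>
    </faultSequence>
  </target>
</proxy>
```

Deploy the proxy alongside the mediator JAR in [ESB_HOME]/repository/components/dropins, then send a SOAP request to the proxy URL; the caller should never be challenged for Windows credentials, because the NTLM exchange happens between the ESB and the IIS backend inside the mediator.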
