Bluemix SSO with Liberty:卡在 AuthFailed (CWWKS9104A)
Bluemix SSO with Liberty: Stuck with AuthFailed (CWWKS9104A)
我正在试验 Bluemix 并尝试将单点登录添加到我的 WebSphere Liberty WebApp。因此,我遵循了指南。添加了具有云目录身份提供程序的 SSO 服务,将我的 WebApp 绑定到它,并修改了 XML 配置。
我从演示应用开始,并从那里对其进行了定制。
src/main/webapp/WEB-INF/web.xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app id="WebApp_ID" version="3.0"
xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
<display-name>MyApp</display-name>
<security-constraint>
<display-name>MyApp</display-name>
<web-resource-collection>
<web-resource-name>chat-web</web-resource-name>
<url-pattern>/</url-pattern>
<url-pattern>/*</url-pattern>
<url-pattern>/chat-web/*</url-pattern>
<http-method>GET</http-method>
<http-method>PUT</http-method>
<http-method>HEAD</http-method>
<http-method>TRACE</http-method>
<http-method>POST</http-method>
<http-method>DELETE</http-method>
<http-method>OPTIONS</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>any-authenticated</role-name>
</auth-constraint>
</security-constraint>
src/main/wlp/server.xml
<featureManager>
<feature>servlet-3.1</feature>
</featureManager>
<httpEndpoint id="defaultHttpEndpoint" host="*" httpPort="9080">
<tcpOptions soReuseAddr="true" />
</httpEndpoint>
<application name="chat-web" context-root="chat-web"
location="${appLocation}" type="war">
<application-bnd>
<security-role name="any-authenticated">
<special-subject type="ALL_AUTHENTICATED_USERS" />
</security-role>
</application-bnd>
</application>
我在链接到我的 SSO 服务的 Cloud Directory 中创建了一个测试用户 "tobi"。当我部署应用程序时,我可以看到 SSO dependencies/code 是 composed/assembled 到应用程序包中。然而,如果我尝试登录该应用程序,它会失败,并且我总是会看到以下错误:
1/2/2016 5:31:10 PM OUT App [INFO ] JSPG8502I: The value of the JSP attribute jdkSourceLevel is "15".
1/2/2016 5:31:10 PM OUT App [INFO ] CWWKS9122I: For URL /redirect/* in application com.ibm.ws.security.openidconnect.client, the following HTTP methods are uncovered, and accessible: GET POST PUT DELETE HEAD OPTIONS TRACE
1/2/2016 5:31:11 PM OUT App [INFO ] SRVE0242I: [com.ibm.ws.security.openidconnect.client] [/oidcclient] [OpenIdConnectClientRedirectServlet]: Initialization successful.
1/2/2016 5:31:11 PM OUT RTR chat.bluemix.byte23.net - [02/01/2016:17:31:10 +0000] "GET /oidcclient/redirect/qbZkQ73jmu?scope=openid&code=tXTJ80u1D69dCHPIhCQrahyBcCS51G&state=ok8OQCSJKnAQX324drvI HTTP/1.1" 302 0 0 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_1) AppleWebKit/601.2.7 (KHTML, like Gecko) Version/9.0.1 Safari/601.2.7" 108.168.250.151:58431 x_forwarded_for:"94.114.26.231" x_forwarded_proto:"https" vcap_request_id:aa1dc020-8cbf-4338-7b1a-7b079d189a60 response_time:0.222157618 app_id:4c20dc63-d050-49f7-bb10-6e5cccab965d x_global_transaction_id:"3540714463"
1/2/2016 5:31:12 PM OUT App [AUDIT ] CWWKS9104A: Authorization failed for user chat-p6ydtq2fkr-cp16.iam.ibmcloud.com/www.ibm.com/tobi while invoking myapp on /. The user is not granted access to any of the required roles: [any-authenticated].
"The user is not granted access to any of the required roles" 如何授予用户访问所需角色的权限 "any-authenticated"? Cloud Directory 似乎没有 user/role 映射功能。我的错误在哪里?
感谢您的支持,
托拜厄斯
liberty webapps 的启动包在 wlp/ 子文件夹中提供了一个 server.xml。这一段显然没有被 Bluemix 运行时环境获取,因此基本上根本没有解释这一部分。
<application-bnd>
<security-role name="any-authenticated">
<special-subject type="ALL_AUTHENTICATED_USERS" />
</security-role>
</application-bnd>
如果您删除 server.xml 文件,您会得到相同的结果。因此,我正在研究如何解释 application-bnd 参数。
因此我偶然发现了这篇文章:https://developer.ibm.com/bluemix/2015/04/14/easy-single-sign-bluemix-web-applications-using-company-credentials/
创建以下文件即可:
src/main/webapp/META-INF/ibm-application-bnd.xml
<?xml version="1.0" encoding="UTF-8"?>
<application-bnd xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns="http://websphere.ibm.com/xml/ns/javaee"
xsi:schemaLocation="http://websphere.ibm.com/xml/ns/javaee
http://websphere.ibm.com/xml/ns/javaee/ibm-application-bnd_1_0.xsd"
version="1.0">
<security-role name="any-authenticated">
<special-subject type="ALL_AUTHENTICATED_USERS" />
</security-role>
</application-bnd>
这将由 bluemix 运行时获取,瞧,403/身份验证失败消失了。可能可以用 server.xml 以某种方式修复它,但在它起作用后就停止研究了。如果有人有建议/更清洁的解决方案,请分享。
谢谢:-)
我正在试验 Bluemix 并尝试将单点登录添加到我的 WebSphere Liberty WebApp。因此,我遵循了指南。添加了具有云目录身份提供程序的 SSO 服务,将我的 WebApp 绑定到它,并修改了 XML 配置。
我从演示应用开始,并从那里对其进行了定制。
src/main/webapp/WEB-INF/web.xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app id="WebApp_ID" version="3.0"
xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
<display-name>MyApp</display-name>
<security-constraint>
<display-name>MyApp</display-name>
<web-resource-collection>
<web-resource-name>chat-web</web-resource-name>
<url-pattern>/</url-pattern>
<url-pattern>/*</url-pattern>
<url-pattern>/chat-web/*</url-pattern>
<http-method>GET</http-method>
<http-method>PUT</http-method>
<http-method>HEAD</http-method>
<http-method>TRACE</http-method>
<http-method>POST</http-method>
<http-method>DELETE</http-method>
<http-method>OPTIONS</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>any-authenticated</role-name>
</auth-constraint>
</security-constraint>
src/main/wlp/server.xml
<featureManager>
<feature>servlet-3.1</feature>
</featureManager>
<httpEndpoint id="defaultHttpEndpoint" host="*" httpPort="9080">
<tcpOptions soReuseAddr="true" />
</httpEndpoint>
<application name="chat-web" context-root="chat-web"
location="${appLocation}" type="war">
<application-bnd>
<security-role name="any-authenticated">
<special-subject type="ALL_AUTHENTICATED_USERS" />
</security-role>
</application-bnd>
</application>
我在链接到我的 SSO 服务的 Cloud Directory 中创建了一个测试用户 "tobi"。当我部署应用程序时,我可以看到 SSO dependencies/code 是 composed/assembled 到应用程序包中。然而,如果我尝试登录该应用程序,它会失败,并且我总是会看到以下错误:
1/2/2016 5:31:10 PM OUT App [INFO ] JSPG8502I: The value of the JSP attribute jdkSourceLevel is "15".
1/2/2016 5:31:10 PM OUT App [INFO ] CWWKS9122I: For URL /redirect/* in application com.ibm.ws.security.openidconnect.client, the following HTTP methods are uncovered, and accessible: GET POST PUT DELETE HEAD OPTIONS TRACE
1/2/2016 5:31:11 PM OUT App [INFO ] SRVE0242I: [com.ibm.ws.security.openidconnect.client] [/oidcclient] [OpenIdConnectClientRedirectServlet]: Initialization successful.
1/2/2016 5:31:11 PM OUT RTR chat.bluemix.byte23.net - [02/01/2016:17:31:10 +0000] "GET /oidcclient/redirect/qbZkQ73jmu?scope=openid&code=tXTJ80u1D69dCHPIhCQrahyBcCS51G&state=ok8OQCSJKnAQX324drvI HTTP/1.1" 302 0 0 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_1) AppleWebKit/601.2.7 (KHTML, like Gecko) Version/9.0.1 Safari/601.2.7" 108.168.250.151:58431 x_forwarded_for:"94.114.26.231" x_forwarded_proto:"https" vcap_request_id:aa1dc020-8cbf-4338-7b1a-7b079d189a60 response_time:0.222157618 app_id:4c20dc63-d050-49f7-bb10-6e5cccab965d x_global_transaction_id:"3540714463"
1/2/2016 5:31:12 PM OUT App [AUDIT ] CWWKS9104A: Authorization failed for user chat-p6ydtq2fkr-cp16.iam.ibmcloud.com/www.ibm.com/tobi while invoking myapp on /. The user is not granted access to any of the required roles: [any-authenticated].
"The user is not granted access to any of the required roles" 如何授予用户访问所需角色的权限 "any-authenticated"? Cloud Directory 似乎没有 user/role 映射功能。我的错误在哪里?
感谢您的支持, 托拜厄斯
liberty webapps 的启动包在 wlp/ 子文件夹中提供了一个 server.xml。这一段显然没有被 Bluemix 运行时环境获取,因此基本上根本没有解释这一部分。
<application-bnd>
<security-role name="any-authenticated">
<special-subject type="ALL_AUTHENTICATED_USERS" />
</security-role>
</application-bnd>
如果您删除 server.xml 文件,您会得到相同的结果。因此,我正在研究如何解释 application-bnd 参数。
因此我偶然发现了这篇文章:https://developer.ibm.com/bluemix/2015/04/14/easy-single-sign-bluemix-web-applications-using-company-credentials/
创建以下文件即可:
src/main/webapp/META-INF/ibm-application-bnd.xml
<?xml version="1.0" encoding="UTF-8"?>
<application-bnd xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns="http://websphere.ibm.com/xml/ns/javaee"
xsi:schemaLocation="http://websphere.ibm.com/xml/ns/javaee
http://websphere.ibm.com/xml/ns/javaee/ibm-application-bnd_1_0.xsd"
version="1.0">
<security-role name="any-authenticated">
<special-subject type="ALL_AUTHENTICATED_USERS" />
</security-role>
</application-bnd>
这将由 bluemix 运行时获取,瞧,403/身份验证失败消失了。可能可以用 server.xml 以某种方式修复它,但在它起作用后就停止研究了。如果有人有建议/更清洁的解决方案,请分享。
谢谢:-)