我无法在tomcat-7.0.42上使用Guvnor 5.4.0.Final进行身份验证。我用seam-security-3.2.0.Final替换了seam-security-3.1.0.Final。
以下是我设置基本身份验证器的XML片段:
的Guvnor / WEB-INF / beans.xml中
<security:IdentityImpl>
<s:modifies/>
<security:authenticatorName>jaasAuthenticator</security:authenticatorName>
</security:IdentityImpl>
<security:jaas.JaasAuthenticator>
<s:modifies/>
<security:jaasConfigName>drools-guvnor</security:jaasConfigName>
</security:jaas.JaasAuthenticator>
的jaas.config
drools-guvnor {
com.ndipiazza.JaasGuvnor required debug=true;
};
请参阅此ZIP文件以获取Guvnor JAAS登录信息:https://community.jboss.org/servlet/JiveServlet/download/831268-105978/guvnor-jaas.zip
我没有启用基于角色的权限。只要没有访客用户,我对每个拥有相同角色的人都很好。
但是当我使用这个配置然后去Guvnor时,我看到我已登录欢迎:访客[退出]
我希望它转到基于表单的登录。我怎么设置它?我错过了什么吗?
当我启用基于角色的权限时:
<guvnorSecurity:RoleBasedPermissionResolver>
<s:modifies/>
<guvnorSecurity:enableRoleBasedAuthorization>true</guvnorSecurity:enableRoleBasedAuthorization>
</guvnorSecurity:RoleBasedPermissionResolver>
然后我收到此错误消息(401此用户没有权限设置。)。下面的堆栈跟踪显示:
INFO 03-08 12:53:23,517 (LoggingHelper.java:info:56)
Service method 'public
abstract org.drools.guvnor.client.rpc.UserSecurityContext org.drools.guvnor.clie
nt.rpc.SecurityService.getCurrentUser()' threw an unexpected exception: org.jbos
s.seam.security.AuthorizationException: This user has no permissions setup.
com.google.gwt.user.server.rpc.UnexpectedException: Service method 'public abstr
act org.drools.guvnor.client.rpc.UserSecurityContext org.drools.guvnor.client.rp
c.SecurityService.getCurrentUser()' threw an unexpected exception: org.jboss.sea
m.security.AuthorizationException: This user has no permissions setup.
at com.google.gwt.user.server.rpc.RPC.encodeResponseForFailure(RPC.java:
385)
at com.google.gwt.user.server.rpc.RPC.invokeAndEncodeResponse(RPC.java:5
88)
at com.google.gwt.user.server.rpc.RemoteServiceServlet.processCall(Remot
eServiceServlet.java:208)
at com.google.gwt.user.server.rpc.RemoteServiceServlet.processPost(Remot
eServiceServlet.java:248)
at com.google.gwt.user.server.rpc.AbstractRemoteServiceServlet.doPost(Ab
stractRemoteServiceServlet.java:62)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:647)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:728)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Appl
icationFilterChain.java:305)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationF
ilterChain.java:210)
at org.jboss.solder.servlet.exception.CatchExceptionFilter.doFilter(Catc
hExceptionFilter.java:65)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Appl
icationFilterChain.java:243)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationF
ilterChain.java:210)
at org.jboss.solder.servlet.event.ServletEventBridgeFilter.doFilter(Serv
letEventBridgeFilter.java:74)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Appl
icationFilterChain.java:243)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationF
ilterChain.java:210)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperV
alve.java:222)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextV
alve.java:123)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(Authentica
torBase.java:502)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.j
ava:171)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.j
ava:99)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:
953)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineVal
ve.java:118)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.jav
a:408)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp
11Processor.java:1023)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(
AbstractProtocol.java:589)
at org.apache.tomcat.util.net.AprEndpoint$SocketProcessor.run(AprEndpoin
t.java:1852)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.
java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor
.java:615)
at java.lang.Thread.run(Thread.java:722)
Caused by: org.jboss.seam.security.AuthorizationException: This user has no perm
issions setup.
at org.drools.guvnor.server.security.SecurityServiceImpl.getUserCapabili
ties(SecurityServiceImpl.java:128)
at org.drools.guvnor.server.security.SecurityServiceImpl.getCurrentUser(
SecurityServiceImpl.java:101)
at org.drools.guvnor.server.security.SecurityServiceImpl$Proxy$_$$_WeldC
lientProxy.getCurrentUser(SecurityServiceImpl$Proxy$_$$_WeldClientProxy.java)
at org.drools.guvnor.server.SecurityServiceServlet.getCurrentUser(Securi
tyServiceServlet.java:74)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.
java:57)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAcces
sorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:601)
at com.google.gwt.user.server.rpc.RPC.invokeAndEncodeResponse(RPC.java:5
69)
... 27 more
使用调试器,我看到用户ID是“guest”。
我错过了哪一步才能看到登录屏幕?
此票证也在JBoss社区开放:https://community.jboss.org/message/831268#831268
答案 0 :(得分:1)
此解决方案未使用Tomcat进行测试,而是使用JBoss 7.1.1进行测试。不确定是否存在很大差异,但无论如何它都是:
首先,您必须在standalone.xml中创建一个新的安全域:
<security-domain name="your-security-domain-name" cache-type="default">
<authentication>
<login-module code="LdapExtended" flag="required">
<module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
<module-option name="java.naming.provider.url" value="your LDAP url/>
<module-option name="baseCtxDN" value="ou=your_OU,dc=yourDC,dc=com"/>
<module-option name="baseFilter" value="(uid={0})"/>
<module-option name="rolesCtxDN" value="ou=your_Roles_OU, dc=yourDC,dc=com"/>
<module-option name="roleFilter" value="(member={1})"/>
<module-option name="roleAttributeID" value="cn"/>
<module-option name="throwValidateError" value="true"/>
<module-option name="searchScope" value="ONELEVEL_SCOPE"/>
</login-module>
</authentication>
</security-domain>
接下来,配置guvnor.war beans.xml文件以使用JAAS:
(...)
<security:IdentityImpl> <s:modifies/>
<!-- JAAS based authentication -->
<security:authenticatorName>jaasAuthenticator</security:authenticatorName>
</security:IdentityImpl>
<security:jaas.JaasAuthenticator>
<s:modifies/>
<security:jaasConfigName>your-security-domain-name</security:jaasConfigName>
</security:jaas.JaasAuthenticator>
<!-- SECURITY AUTHORIZATION CONFIGURATION --> <!-- This is used to enable or disable role-based authorization. By default it is disabled. -->
<guvnorSecurity:RoleBasedPermissionResolver>
<s:modifies/>
<guvnorSecurity:enableRoleBasedAuthorization>false</guvnorSecurity:enableRoleBasedAuthorization>
</guvnorSecurity:RoleBasedPermissionResolver>
<weld:scan>
<!-- Disable the seam-security by drools rules
<weld:exclude name="org.jboss.seam.security.permission.RuleBasedPermissionResolver"/>-->
<!-- TODO remove me when GUVNOR-1196 is fixed -->
<weld:exclude name="org.drools.guvnor.gwtutil.**"/>
<weld:exclude name="org.drools.guvnor.client.**"/>
</weld:scan>
</beans>
在此处将此行设置为true之前
<guvnorSecurity:enableRoleBasedAuthorization>false</guvnorSecurity:enableRoleBasedAuthorization>
您必须先没有角色登录,以便将用户映射到他的权限。将管理员权限授予至少一个用户,否则您将无法登录。
另外,不要忘记将WEB-INF / lib下的seam-security jar从版本3.1更新到3.2。这非常重要,否则登录无效。
此解决方案让我登录以在我的LDAP服务器上对Guvnor进行身份验证,而不需要任何操作。如果您有任何问题,请告诉我。
圣拉斐尔