OC4J to WebLogic 12c migration and security configuration problem

Time: 2014-11-21 22:11:18

Tags: security weblogic12c oc4j

In OC4J we were using a custom JAAS LoginModule. I created a SqlAuthenticator that replicates the same logic, and that seems to work. For our application, when I go to the login page and enter a wrong password, it sends me to the login-failed page. That part is fine.

However, when I enter the correct password, WebLogic just sends me back to the welcome page without any message. I can't find anything in the log file to help me. I am guessing this is an authorization problem rather than an authentication problem. I assumed the SqlAuthenticator would take care of it, since it is able to get our application's groups and users from the database.

I have never dealt with "roles" before. I'm not sure how they differ from "groups", which is what we really need. Do I need to define roles? Are they tied to groups? Do roles and policies need to be configured? What am I missing?

Here is a snippet of the log file

<SecurityAtz> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1416943077504> <BEA-000000> <  Roles:Admin,Anonymous> 
<SecurityAtz> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1416943077504> <BEA-000000> <  Resource: type=<url>, application=ifactory-security, contextPath=/ifactory-security, uri=/secure/index.jsp, httpMethod=GET> 
<SecurityAtz> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1416943077504> <BEA-000000> <  Direction: ONCE> 
<SecurityAtz> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1416943077504> <BEA-000000> <  Context Handler: > 
<SecurityEEngine> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1416943077504> <BEA-000000> <evaluate([Users: gkephart|Groups: Final Quality Control Release,users,EDA Failover,Enroll Administrators,Read Only,QA Documentation,Etrack2 Administrators|Roles: not null], type=<url>, application=ifactory-security, contextPath=/ifactory-security, uri=/secure/index.jsp, httpMethod=GET)> 
<SecurityEEngine> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1416943077504> <BEA-000000> <Evaluating resource weblogic.entitlement.data.EResource@3557103 with expression: {Rol(Etrack2 Administrators,Etrack2 Administrators)}> 
<SecurityEEngine> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1416943077504> <BEA-000000> <Evaluation result: false> 
<SecurityAtz> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1416943077504> <BEA-000000> <Default Authorization isAccessAllowed(): returning DENY> 
<SecurityAtz> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1416943077504> <BEA-000000> <com.bea.common.security.internal.service.AccessDecisionServiceImpl.isAccessAllowed AccessDecision returned DENY> 
<SecurityAdjudicator> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1416943077504> <BEA-000000> <com.bea.common.security.internal.service.AdjudicationServiceImpl.adjudicate Results=[ DENY ]> 
<SecurityAdjudicator> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1416943077504> <BEA-000000> <com.bea.common.security.internal.service.AdjudicationServiceImpl.adjudicate Resource=type=<url>, application=ifactory-security, contextPath=/ifactory-security, uri=/secure/index.jsp, httpMethod=GET> 
<SecurityAdjudicator> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1416943077504> <BEA-000000> <DefaultAdjudicatorImpl.adjudicate results: DENY > 
<SecurityAdjudicator> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1416943077504> <BEA-000000> <com.bea.common.security.internal.service.AdjudicationServiceImpl.adjudicate Adjudictor returned false, returning that value> 
<SecurityAtz> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1416943077504> <BEA-000000> <com.bea.common.security.internal.service.AuthorizationServiceImpl.isAccessAllowed returning adjudicated: false> 

Here is the relevant part of web.xml

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>SecurePages</web-resource-name>
      <description>All secure pages</description>
      <url-pattern>/secure/*</url-pattern>
      <http-method>POST</http-method>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>Etrack2 Administrators</role-name>
    </auth-constraint>
    <user-data-constraint>
      <description>SSL not required</description>
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/login_failed.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <security-role>
    <role-name>Etrack2 Administrators</role-name>
  </security-role>

Here is my weblogic.xml. Note that I have added both a group and a user as principals.

<weblogic-web-app xmlns="http://xmlns.oracle.com/weblogic/weblogic-web-app">
  <description><![CDATA[Generated by XDoclet. Use weblogicwebxml's description attribute to modify this value.]]></description>
  <weblogic-version>12</weblogic-version>
  <!-- 
    If you do not define a security-role-assignment element and its sub-elements, the Web application container implicitly 
    maps the role name as a principal name and logs a warning. 
    The EJB container does not deploy the module if mappings are not defined.

    Consider the following usage scenarios for the role name is "role_xyz"
    * If you map "role_xyz" to user "joe" in weblogic.xml, role_xyz becomes a local role.
    * If you specify role_xyz as an externally defined role, it becomes global (it refers to the role defined at the realm level).
    * If you do not define a security-role-assignment element, role_xyz becomes a local role, 
      and the Web application container creates an implicit mapping to it and logs a warning.
  -->
  <security-role-assignment>
    <role-name>Etrack2 Administrators</role-name>
    <principal-name>Etrack2 Administrators</principal-name>
    <principal-name>gkephart</principal-name>
  </security-role-assignment>
  <context-root>/ifactory-security</context-root>
</weblogic-web-app>
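
The log lines in the question already contain the answer to "authentication or authorization?": the subject's computed roles ("Roles:Admin,Anonymous") do not include the role the policy on /secure/index.jsp demands ("Rol(Etrack2 Administrators,...)"), even though the subject's group list does contain "Etrack2 Administrators". The following script is an added example, not code from the question or the answer: it parses a WebLogic security debug trace and turns that comparison into a one-word diagnosis. The sample trace is the question's own lines; the message field layout and the regular expressions are assumptions derived from those lines, not a documented log format.

```python
"""Parse a WebLogic SecurityAtz/SecurityEEngine debug trace and explain a DENY.

Added example, not code from the question or the answer. The regexes are
assumptions derived from the trace lines quoted in the question."""
import re

# Constructed sample: the six decisive lines from the question's trace, verbatim.
SAMPLE_TRACE = """\
<SecurityAtz> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1416943077504> <BEA-000000> <  Roles:Admin,Anonymous>
<SecurityAtz> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1416943077504> <BEA-000000> <  Resource: type=<url>, application=ifactory-security, contextPath=/ifactory-security, uri=/secure/index.jsp, httpMethod=GET>
<SecurityEEngine> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1416943077504> <BEA-000000> <evaluate([Users: gkephart|Groups: Final Quality Control Release,users,EDA Failover,Enroll Administrators,Read Only,QA Documentation,Etrack2 Administrators|Roles: not null], type=<url>, application=ifactory-security, contextPath=/ifactory-security, uri=/secure/index.jsp, httpMethod=GET)>
<SecurityEEngine> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1416943077504> <BEA-000000> <Evaluating resource weblogic.entitlement.data.EResource@3557103 with expression: {Rol(Etrack2 Administrators,Etrack2 Administrators)}>
<SecurityEEngine> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1416943077504> <BEA-000000> <Evaluation result: false>
<SecurityAtz> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1416943077504> <BEA-000000> <Default Authorization isAccessAllowed(): returning DENY>
"""

# "<  Roles:Admin,Anonymous>": the roles the role mapper granted to the subject.
RE_SUBJECT_ROLES = re.compile(r"<\s+Roles:([^>]*)>")
# "[Users: gkephart|Groups: a,b,c|Roles: ...]": the subject handed to the engine.
RE_SUBJECT = re.compile(r"\[Users: ([^|\]]*)\|Groups: ([^|\]]*)\|")
# "{Rol(Etrack2 Administrators,...)}": the role named by the policy on the resource.
RE_REQUIRED_ROLE = re.compile(r"\{Rol\(([^,)]+)")
RE_RESOURCE = re.compile(r"uri=([^,]+), httpMethod=(\w+)")
RE_DECISION = re.compile(r"isAccessAllowed\(\): returning (\w+)")


def _names(csv: str) -> list:
    """Split a comma-separated name list, dropping blanks."""
    return [n.strip() for n in csv.split(",") if n.strip()]


def analyze(trace: str) -> dict:
    """Extract subject, required role and decision, and classify the failure."""
    m_roles = RE_SUBJECT_ROLES.search(trace)
    m_subj = RE_SUBJECT.search(trace)
    m_req = RE_REQUIRED_ROLE.search(trace)
    m_res = RE_RESOURCE.search(trace)
    m_dec = RE_DECISION.search(trace)

    subject_roles = _names(m_roles.group(1)) if m_roles else []
    user = m_subj.group(1).strip() if m_subj else ""
    groups = _names(m_subj.group(2)) if m_subj else []
    required = m_req.group(1).strip() if m_req else ""

    if required and required in subject_roles:
        diagnosis = "role-present"              # role was granted; the deny comes from elsewhere
    elif required and required in groups:
        # The user is in the group the descriptor maps the role to, yet the role
        # was never granted: the problem is role mapping, not authentication.
        diagnosis = "group-present-role-missing"
    elif required:
        diagnosis = "group-missing"             # group lookup in the authenticator failed
    else:
        diagnosis = "no-policy-found"

    return {
        "user": user,
        "groups": groups,
        "subject_roles": subject_roles,
        "required_role": required,
        "uri": m_res.group(1) if m_res else "",
        "method": m_res.group(2) if m_res else "",
        "decision": m_dec.group(1) if m_dec else "",
        "diagnosis": diagnosis,
    }


if __name__ == "__main__":
    r = analyze(SAMPLE_TRACE)
    print(f"{r['decision']} for {r['method']} {r['uri']}: user {r['user']!r} "
          f"has roles {r['subject_roles']}, policy requires {r['required_role']!r}")
    print("diagnosis:", r["diagnosis"])
```

Run it against a file by reading the file into `analyze()`; a diagnosis of `group-present-role-missing` means the authenticator did its job and the gap is between the group and the role, which is exactly the weblogic.xml / realm role mapping the answer below talks about.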

1 answer:

Answer 0 (score: 2)

Using the log file and web.xml, I can see that you do need to set up a security role that your user/group can participate in. Currently, your user has no associated role, so you are being denied.

In your web.xml, you need to create a security role after </login-config>:

<security-role>
   <role-name>Etrack2 Administrators</role-name>
</security-role>

Then in your weblogic.xml file, you need to define who has access to that role. From your error message, it looks like you already have a group called Etrack2 Administrators that gkephart is in. That group is the principal-name below. You can also specify individual usernames if needed, but the group should be sufficient:

<security-role-assignment>
   <role-name>Etrack2 Administrators</role-name>
   <principal-name>Etrack2 Administrators</principal-name>
</security-role-assignment>

For more information, see the Oracle docs here.

This is a decent example of how to do it via both the WebLogic console and the deployment descriptors.


A note about implicit role mapping, taken from the Oracle docs here:

Use implicit role assignment if you want to hard-code roles at deployment time to known principal names.

With implicit role assignment (omitting security-role-assignment from weblogic.xml), WebLogic assigns the security role a principal name of exactly the same name. Note that implicit role mapping happens regardless of whether the defined role name is actually available in the security realm. For example, if you use the "everyone" role in web.xml but do not explicitly assign the role in weblogic.xml, the server displays a warning:

<Webapp: ServletContext(id=id,name=application,context-path=/context), the role: everyone defined in web.xml has not been mapped to principals in security-role-assignment in weblogic.xml. Will use the rolename itself as the principal-name.>

You can turn that message off. See the docs here for more details.
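
The answer's three descriptor pieces (a role-name in an auth-constraint, a matching top-level security-role, and a security-role-assignment that maps it to principals) are easy to get out of sync across two files. The script below is an added example, not code from the answer or from Oracle: it cross-checks a web.xml against a weblogic.xml and reports, for every role that guards a URL pattern, whether it is declared and whether it is mapped explicitly, externally, or implicitly (the case that triggers the warning quoted above). The two descriptor strings are constructed: the Etrack2 Administrators parts are copied from the question, while the /reports/* constraint on an unmapped "everyone" role is invented here to exercise the implicit-mapping path.

```python
"""Cross-check web.xml role constraints against weblogic.xml role assignments.

Added example, not code from the answer or from Oracle. Both descriptors
below are constructed for the example; the "everyone" constraint is invented."""
import xml.etree.ElementTree as ET

WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>SecurePages</web-resource-name>
      <url-pattern>/secure/*</url-pattern>
      <http-method>POST</http-method>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>Etrack2 Administrators</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Reports</web-resource-name>
      <url-pattern>/reports/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>everyone</role-name></auth-constraint>
  </security-constraint>
  <security-role><role-name>Etrack2 Administrators</role-name></security-role>
</web-app>"""

WEBLOGIC_XML = """<weblogic-web-app xmlns="http://xmlns.oracle.com/weblogic/weblogic-web-app">
  <security-role-assignment>
    <role-name>Etrack2 Administrators</role-name>
    <principal-name>Etrack2 Administrators</principal-name>
    <principal-name>gkephart</principal-name>
  </security-role-assignment>
  <context-root>/ifactory-security</context-root>
</weblogic-web-app>"""


def _local(tag: str) -> str:
    """Strip the namespace so javaee and weblogic elements compare by local name."""
    return tag.rsplit("}", 1)[-1]


def _find_all(elem, name: str) -> list:
    return [e for e in elem.iter() if _local(e.tag) == name]


def _text(elem) -> str:
    return (elem.text or "").strip()


def constrained_roles(web_xml: str) -> dict:
    """Map each role named in an <auth-constraint> to the url-patterns it guards."""
    roles = {}
    for sc in _find_all(ET.fromstring(web_xml), "security-constraint"):
        patterns = [_text(p) for p in _find_all(sc, "url-pattern")]
        for rn in _find_all(sc, "role-name"):       # only auth-constraint holds role-name here
            roles.setdefault(_text(rn), []).extend(patterns)
    return roles


def declared_roles(web_xml: str) -> set:
    """Role names declared by a top-level <security-role>."""
    root = ET.fromstring(web_xml)
    return {_text(rn) for sr in _find_all(root, "security-role")
            for rn in _find_all(sr, "role-name")}


def role_assignments(weblogic_xml: str) -> dict:
    """role -> {"principals": [...], "external": bool} from <security-role-assignment>."""
    out = {}
    for sra in _find_all(ET.fromstring(weblogic_xml), "security-role-assignment"):
        names = _find_all(sra, "role-name")
        if not names:
            continue
        out[_text(names[0])] = {
            "principals": [_text(p) for p in _find_all(sra, "principal-name")],
            "external": bool(_find_all(sra, "externally-defined")),
        }
    return out


def audit(web_xml: str, weblogic_xml: str) -> list:
    """One finding per constrained role: whether it is declared and how it maps."""
    declared = declared_roles(web_xml)
    assigned = role_assignments(weblogic_xml)
    findings = []
    for role, patterns in constrained_roles(web_xml).items():
        a = assigned.get(role)
        if a is None:
            mapping, principals = "implicit", [role]   # WebLogic uses the role name itself
        elif a["external"]:
            mapping, principals = "external", []       # resolved against the realm
        else:
            mapping, principals = "explicit", a["principals"]
        findings.append({"role": role, "url_patterns": patterns, "declared": role in declared,
                         "mapping": mapping, "principals": principals})
    return findings


def problems(findings: list) -> list:
    """Human-readable warnings for undeclared or implicitly mapped roles."""
    msgs = []
    for f in findings:
        if not f["declared"]:
            msgs.append(f"role {f['role']!r} guards {f['url_patterns']} but has no <security-role> in web.xml")
        if f["mapping"] == "implicit":
            msgs.append(f"role {f['role']!r} has no <security-role-assignment> in weblogic.xml; "
                        f"WebLogic will use {f['role']!r} itself as the principal name and log a warning")
    return msgs


if __name__ == "__main__":
    for finding in audit(WEB_XML, WEBLOGIC_XML):
        print(finding)
    for msg in problems(audit(WEB_XML, WEBLOGIC_XML)):
        print("WARNING:", msg)
```

An implicit mapping is not a syntax error, so a deployment with a typo in a role name still starts; it just silently maps the misspelled role to a principal nobody is a member of, and every request on that pattern is denied. Running the audit in CI before deploying catches that class of mistake, which the server otherwise reports only as the warning quoted above.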