How to use the DatabaseCertificate login module

Posted: 2015-05-19 06:57:53

Tags: authentication jboss authorization wildfly

I want to use the DatabaseCertificate login module to load groups from the DB.

Current configuration:

    <security-domain name="LDAPAuth">
      <authentication>
        <login-module code="LdapExtended" flag="required">
          <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
          <module-option name="java.naming.provider.url" value="***************"/>
          <module-option name="java.naming.security.authentication" value="simple"/>
          <module-option name="bindDN" value="*************"/>
          <module-option name="bindCredential" value="*********"/>
          <module-option name="baseCtxDN" value="**************"/>
          <module-option name="baseFilter" value="(samAccountName={0})"/>
          <module-option name="rolesCtxDN" value="********************"/>
          <module-option name="roleFilter" value="(member={1})"/>
          <module-option name="roleAttributeID" value="cn"/>
          <module-option name="searchScope" value="ONELEVEL_SCOPE"/>
          <module-option name="allowEmptyPasswords" value="true"/>
          <module-option name="roleRecursion" value="1"/>
        </login-module>
        <login-module code="DatabaseCertificate" flag="sufficient">
          <module-option name="dsJndiName" value="java:jboss/jdbc/mmDS"/>
          <module-option name="rolesQuery" value="select Roles from users where username=?"/>
        </login-module>
      </authentication>
    </security-domain>

Log:

2015-05-19 08:27:13,275 TRACE [org.jboss.security] (default task-2) PBOX000200: Begin isValid, principal:   org.wildfly.extension.undertow.security.AccountImpl$AccountPrincipal@dca033e0, cache entry: null
2015-05-19 08:27:13,276 TRACE [org.jboss.security] (default task-2) PBOX000209: defaultLogin, principal: org.wildfly.extension.undertow.security.AccountImpl$AccountPrincipal@dca033e0
2015-05-19 08:27:13,278 TRACE [org.jboss.security] (default task-2) PBOX000221: Begin getAppConfigurationEntry(LDAPAuth), size: 4
2015-05-19 08:27:13,282 TRACE [org.jboss.security] (default task-2) PBOX000224: End getAppConfigurationEntry(LDAPAuth), AuthInfo: AppConfigurationEntry[]:
[0]
LoginModule Class: org.jboss.security.auth.spi.LdapExtLoginModule
ControlFlag: LoginModuleControlFlag: required
Options:
name=searchScope, value=ONELEVEL_SCOPE
name=java.naming.factory.initial, value=com.sun.jndi.ldap.LdapCtxFactory
name=java.naming.provider.url, value=****************
name=rolesCtxDN, value=************************
name=roleFilter, value=(member={1})
name=roleAttributeID, value=cn
name=java.naming.security.authentication, value=simple
name=roleRecursion, value=1
name=bindDN, value=*****************************
name=bindCredential, value=****
name=baseCtxDN, value=*****************************
name=allowEmptyPasswords, value=true
name=baseFilter, value=(samAccountName={0})
[1]
LoginModule Class: org.jboss.security.auth.spi.DatabaseCertLoginModule
ControlFlag: LoginModuleControlFlag: sufficient
Options:
name=dsJndiName, value=java:jboss/jdbc/mmDS
name=rolesQuery, value=select Roles from users where username=?

2015-05-19 08:27:13,288 TRACE [org.jboss.security] (default task-2) PBOX000236: Begin initialize method
2015-05-19 08:27:13,289 TRACE [org.jboss.security] (default task-2) PBOX000240: Begin login method
2015-05-19 08:27:13,297 TRACE [org.jboss.security] (default task-2) PBOX000220: Logging into LDAP server with env {java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, searchScope=ONELEVEL_SCOPE, ...........
2015-05-19 08:27:13,452 TRACE [org.jboss.security] (default task-2) PBOX000220: Logging into LDAP server with env {java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, searchScope=ONELEVEL_SCOPE, ...........
2015-05-19 08:27:14,081 TRACE [org.jboss.security] (default task-2) PBOX000268: Assigning user to role **LDAPRole**
2015-05-19 08:27:14,125 TRACE [org.jboss.security] (default task-2) PBOX000241: End login method, isValid: true
2015-05-19 08:27:14,127 TRACE [org.jboss.security] (default task-2) PBOX000236: Begin initialize method
2015-05-19 08:27:14,135 ERROR [org.jboss.security] (default task-2) PBOX000246: The JSSE security domain other is not valid. All authentication using this login module will fail!
2015-05-19 08:27:14,136 TRACE [org.jboss.security] (default task-2) PBOX000239: End initialize method
2015-05-19 08:27:14,136 TRACE [org.jboss.security] (default task-2) PBOX000262: Module options [dsJndiName: java:jboss/jdbc/mmDS, principalsQuery: , rolesQuery: select Roles from users where username=?, suspendResume: true]
2015-05-19 08:27:14,136 TRACE [org.jboss.security] (default task-2) PBOX000240: Begin login method
2015-05-19 08:27:14,136 TRACE [org.jboss.security] (default task-2) PBOX000240: Begin login method
2015-05-19 08:27:14,136 TRACE [org.jboss.security] (default task-2) PBOX000252: Begin getAliasAndCert method
2015-05-19 08:27:14,138 TRACE [org.jboss.security] (default task-2) PBOX000242: Begin commit method, overall result: true
2015-05-19 08:27:14,140 TRACE [org.jboss.security] (default task-2) PBOX000242: Begin commit method, overall result: false
2015-05-19 08:27:14,140 TRACE [org.jboss.security] (default task-2) PBOX000210: defaultLogin, login context: javax.security.auth.login.LoginContext@57a0ce24, subject: Subject(33333333333).principals=org.jboss.security.SimplePrincipal@1734384605(user)org.jboss.security.SimpleGroup@1167694681(Roles(members:**LDAPRole**))org.jboss.security.SimpleGroup@1167694681(CallerPrincipal(members:user))
2015-05-19 08:27:14,142 TRACE [org.jboss.security] (default task-2) PBOX000201: End isValid, result = true
2015-05-19 08:27:14,151 TRACE [org.jboss.security] (default task-2) PBOX000354: Setting security roles ThreadLocal: null

As you can see, the LDAP login module works fine. I see no errors from DatabaseCertificate, but it does not override/add the groups. Can you help me? I don't know what to do.

1 Answer:

Answer 0 (score: 1)

I see 2 problems here.

1. If you only want to use the database to load roles, use password-stacking in both login modules. It tells the subsequent login module not to check the credentials and only to load the roles.

2. The DatabaseCertificate login module should be used with SSL/TLS and CLIENT-CERT authentication, which, if I understand correctly, is not your case.

   Just use the simple Database login module.

3. Your configuration could look like this:

    <security-domain name="LDAPAuth">
      <authentication>
        <login-module code="LdapExtended" flag="required">
          <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory" />
          <module-option name="java.naming.provider.url" value="***************" />
          <module-option name="java.naming.security.authentication" value="simple" />
          <module-option name="bindDN" value="*************" />
          <module-option name="bindCredential" value="*********" />
          <module-option name="baseCtxDN" value="**************" />
          <module-option name="baseFilter" value="(samAccountName={0})" />
          <module-option name="rolesCtxDN" value="********************" />
          <module-option name="roleFilter" value="(member={1})" />
          <module-option name="roleAttributeID" value="cn" />
          <module-option name="searchScope" value="ONELEVEL_SCOPE" />
          <module-option name="allowEmptyPasswords" value="true" />
          <module-option name="roleRecursion" value="1" />
          <module-option name="password-stacking" value="useFirstPass" />
        </login-module>
        <login-module code="Database" flag="required">
          <module-option name="password-stacking" value="useFirstPass" />
          <module-option name="dsJndiName" value="java:jboss/datasources/mmDS" />
          <module-option name="rolesQuery" value="select Roles, 'Roles' from users where username=?"/>
        </login-module>
      </authentication>
    </security-domain>
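The answer's fix rests on two details of the database login module's contract that the question's configuration gets wrong: `rolesQuery` takes the caller's name as its single bound parameter and must return two columns (role name, role group), and with `password-stacking=useFirstPass` the module reads the name the LDAP module left in the JAAS shared state rather than re-authenticating. The following Python example (added here, not code from the question, the answer or JBoss) mimics that role-loading step against a constructed in-memory `users` table, so the two-column query from the answer can be compared with the one-column query from the question. The table layout, the sample rows and the shared-state key `javax.security.auth.login.name` (the conventional JAAS key) are assumptions of the example.

```python
import sqlite3
from collections import defaultdict

# Constructed sample data standing in for the "users" table behind the
# mmDS datasource. The "Roles" column holds one role name per row, which
# is the layout the page's queries imply (an assumption of this example).
SAMPLE_ROWS = [
    ("alice", "admin"),
    ("alice", "editor"),
    ("bob", "viewer"),
]

# The two rolesQuery variants from the page: the answer's two-column form
# and the question's one-column form.
ROLES_QUERY = "select Roles, 'Roles' from users where username=?"
ONE_COLUMN_QUERY = "select Roles from users where username=?"

# Conventional JAAS shared-state key under which the first login module
# publishes the authenticated user name (assumed here, see lead-in).
SHARED_NAME_KEY = "javax.security.auth.login.name"


def make_db():
    """Create an in-memory SQLite database with a users(username, Roles) table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT NOT NULL, Roles TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def load_role_sets(conn, username, roles_query):
    """Mimic the role-loading step of a JAAS database login module.

    The caller's name is bound to the single '?' placeholder (never spliced
    into the SQL text), and each returned (role, group) row is collected
    into a mapping of role group -> set of role names. A query that does
    not return exactly two columns carries no group name and is rejected.
    """
    cur = conn.execute(roles_query, (username,))
    if len(cur.description) != 2:
        raise ValueError(
            "rolesQuery must return 2 columns (role name, role group), "
            f"got {len(cur.description)}"
        )
    groups = defaultdict(set)
    for role, group in cur.fetchall():
        # An empty group name falls back to the standard "Roles" group.
        groups[group or "Roles"].add(role)
    return dict(groups)


def load_roles_use_first_pass(shared_state, conn, roles_query):
    """Behave like a second module configured with password-stacking=useFirstPass:

    do not verify any credential, only take the principal name that the
    preceding (LDAP) module stored in the shared state and load its roles.
    """
    name = shared_state.get(SHARED_NAME_KEY)
    if name is None:
        raise KeyError("no principal in shared state; the first module did not authenticate")
    return load_role_sets(conn, name, roles_query)


if __name__ == "__main__":
    db = make_db()
    # Simulate the LDAP module having authenticated "alice" and shared her name.
    shared = {SHARED_NAME_KEY: "alice"}
    print("two-column query:", load_roles_use_first_pass(shared, db, ROLES_QUERY))
    try:
        load_roles_use_first_pass(shared, db, ONE_COLUMN_QUERY)
    except ValueError as exc:
        print("one-column query rejected:", exc)
    # Parameter binding means an injection-shaped name matches no row.
    print("injection attempt:", load_role_sets(db, "x' OR '1'='1", ROLES_QUERY))
```

Run as a script it shows `{'Roles': {'admin', 'editor'}}` for the answer's query, a rejection for the question's one-column query, and an empty mapping for a name that tries to smuggle SQL through the placeholder. The real module additionally puts every role into the caller's `Roles` group principal, which is why the second column of the answer's query is the literal `'Roles'`.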