Liferay Kerberos SSO integration does not work

Time: 2016-02-11 08:00:44

Tags: liferay kerberos

I will skip the PHP $_SERVER configuration because I am sure it works; I tested it by checking the variables and everything is set up.

1. Apache configuration:

    LoadModule auth_kerb_module /usr/lib/apache2/modules/mod_auth_kerb.so

    <VirtualHost localhost:443>
        SSLEngine on
        SSLCertificateFile /opt/keys/localhost.crt
        SSLCertificateKeyFile /opt/keys/private.pem
        SSLProxyEngine On
        SSLProxyVerify none
        SSLProxyCheckPeerCN off
        SSLProxyCheckPeerName off
        SSLProxyCheckPeerExpire off
        ProxyPass / ajp://localhost:8009/
        <Location />
            SSLRequireSSL
            AuthType Kerberos
            KrbMethodNegotiate On
            KrbMethodK5Passwd Off
            KrbServiceName HTTP/localhost@example.com
            KrbAuthRealms example.com
            Krb5KeyTab /etc/krb5.keytab
            require valid-user
        </Location>
    </VirtualHost>

2. Tomcat configuration:

    <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
        maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
        clientAuth="false" sslProtocol="TLS"
        SSLProtocol="TLSv1+TLSv1.1+TLSv1.2"
        keystoreFile="/opt/keys/keystore.jks"
        keystorePass="changeit" />

HOOK

1. Create a project with the mvn archetype, named Kerberos-Hook, set up the package com.liferay.portal.security.auth under src/main/java and create the class KerberosAutoLogin.java in it:

    package com.liferay.portal.security.auth;

    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;

    import com.liferay.portal.kernel.log.Log;
    import com.liferay.portal.kernel.log.LogFactoryUtil;
    import com.liferay.portal.model.User;
    import com.liferay.portal.service.UserLocalServiceUtil;
    import com.liferay.portal.util.PortalUtil;

    public class KerberosAutoLogin implements AutoLogin {

        private static Log logger = LogFactoryUtil.getLog(KerberosAutoLogin.class);

        public String[] handleException(HttpServletRequest request,
                HttpServletResponse response, Exception e) throws AutoLoginException {
            logger.error("1");
            return doHandleException(request, response, e);
        }

        protected String[] doHandleException(HttpServletRequest request,
                HttpServletResponse response, Exception e) throws AutoLoginException {
            logger.info("2");
            if (request.getAttribute(AutoLogin.AUTO_LOGIN_REDIRECT) == null) {
                throw new AutoLoginException(e);
            }
            logger.error("doHandleException: " + e);
            return null;
        }

        public String[] login(HttpServletRequest req, HttpServletResponse res)
                throws AutoLoginException {
            logger.error("3");
            try {
                return doLogin(req, res);
            } catch (Exception e) {
                return handleException(req, res, e);
            }
        }

        protected String[] doLogin(HttpServletRequest req, HttpServletResponse res)
                throws AutoLoginException, Exception {
            logger.error("4");
            String[] credentials = null;
            // REMOTE_USER as forwarded by Apache: the Kerberos principal, e.g. user@REALM
            String userName = (String) req.getAttribute("REMOTE_USER");
            logger.info("kerberosUserName = " + userName);
            // Guard against a missing principal before touching it, otherwise
            // replaceAll() throws a NullPointerException when nothing was forwarded
            if (userName == null || userName.length() < 1) {
                return credentials;
            }
            // Strip the realm (@...) and any instance part (/...)
            userName = userName.replaceAll("@.*", "").replaceAll("/.*", "");
            logger.info("userName = " + userName);
            long companyID = PortalUtil.getCompanyId(req);
            logger.info("CompanyID = " + companyID);
            credentials = new String[3];
            User user = UserLocalServiceUtil.getUserByScreenName(companyID, userName);
            long userID = user.getUserId();
            String userPassword = user.getPassword();
            logger.info("userID = " + userID);
            // credentials: user id, password, whether the password is encrypted
            credentials[0] = String.valueOf(userID);
            credentials[1] = userPassword;
            credentials[2] = Boolean.FALSE.toString();
            return credentials;
        }
    }

2. liferay-hook.xml
3. Configure src/main/resources/ext-portal.properties to point to the class; it contains auto.login.hooks=com.liferay.portal.security.auth.KerberosAutoLogin
4. Ext
5. Create a project with the mvn archetype ext-impl and create the class com.liferay.portal.servlet.filters.autologin.AutoLoginFilter.java in that project (HOOK)
6. Deployed EXT
7. In the KerberosAutoLogin class I put some debug statements so that something shows up in the logs, because I deploy the application on a remote server and therefore cannot debug the hook properly.

However, nothing is logged, so the class is not even being used. Can anyone point out what I am missing so that I can start integrating my Liferay with Kerberos?

In the Apache logs I see, for example:

    localhost:443 192.168.24.73 - mithrand1r@example.com [11/Feb/2016:09:56:57 +0100] "POST /poller/receive HTTP/1.1" 200 1011 "https://localhost/group/control_panel/manage/-/server/log-levels/update-categories?refererPlid=20184" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0"
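As an added illustration, not code from the question or any of the answers, the following Python shows the same principal-to-screen-name mapping the hook performs, with the checks a defender would want in front of it: a missing REMOTE_USER is declined instead of crashing the hook, the realm is compared exactly against the one Apache was configured with (KrbAuthRealms example.com in the question), and service principals with an instance part (HTTP/host@REALM) are not mapped to a user account. The realm constant and the sample inputs are constructed for the example.

```python
import re
from typing import Optional

# Realm mod_auth_kerb accepts in the question's Apache config (KrbAuthRealms example.com)
ALLOWED_REALM = "example.com"

# A Kerberos principal is primary[/instance]@REALM; REMOTE_USER carries exactly that form.
_PRINCIPAL_RE = re.compile(r"^(?P<primary>[^/@]+)(?:/(?P<instance>[^@]+))?@(?P<realm>[^@]+)$")


def screen_name_from_remote_user(remote_user: Optional[str],
                                 allowed_realm: str = ALLOWED_REALM) -> Optional[str]:
    """Map the REMOTE_USER principal forwarded by Apache to a Liferay screen name.

    Returns None (auto-login declined) when the value is missing or malformed,
    when the realm differs from the one Apache was configured for, or when the
    principal has an instance part (a service principal such as HTTP/host@REALM).
    """
    if not remote_user:
        # Nothing forwarded by the proxy: decline rather than fail with an exception
        return None
    m = _PRINCIPAL_RE.match(remote_user)
    if m is None:
        return None
    # Realm names are case-sensitive, so compare them exactly
    if m.group("realm") != allowed_realm:
        return None
    if m.group("instance") is not None:
        return None
    return m.group("primary")


def main() -> None:
    # Constructed sample values as mod_auth_kerb would set them in REMOTE_USER
    for value in ("mithrand1r@example.com", "HTTP/localhost@example.com",
                  "mithrand1r@OTHER.ORG", "", None):
        print(repr(value), "->", screen_name_from_remote_user(value))


if __name__ == "__main__":
    main()
```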

4 answers:

Answer 0 (score: 1)

It looks like you are missing the liferay-hook.xml file configuration.

See the answer to "How do I use autologin in liferay?", specifically the "Register the auto-login class" section.

From your configuration, you have also introduced a security vulnerability by using ProxyPass / https://localhost:8443/.

Try going to https://yourserver/api/axis; you should not see the list of services. If you do see the list of services, you are vulnerable. In that case please use the AJP connector: ProxyPass / ajp://localhost:8009/. For details see http://topolik-at-work.blogspot.cz/2013/02/http-modproxy-liferay-same-server.html

Answer 1 (score: 0)

Did you set the value of the auto.login.hook property? It must point to the AutoLogin class Liferay has to use, like this:

auto.login.hooks=com.liferay.portal.security.auth.KerberosAutoLogin

Anyway, I used a hook like yours and it did not work for me either. So I tried using the class in an ext-plugin project and that worked (of course, you have to set the auto.login.hook property to the AutoLogin class).

Answer 2 (score: 0)

I am not sure whether proxying through http/https includes all the information Apache httpd received. As @topolik suggests in his answer, using ajp is a better starting point to make sure all headers and request state are forwarded to tomcat. Monitor the connection between httpd and tomcat to see what actually goes over the line.

I am not aware of a directive that forwards all request state when the proxy creates its own http(s) request. In fact, tomcat typically receives "localhost" as the hostname unless you add ProxyPreserveHost On to the configuration, and that is a lot simpler than all the Kerberos settings.

I suspect they get lost on your Apache httpd, unless you are not only sure that they are there, but extra extra extra sure.

Speaking of extra extra extra sure: you mention ext-portal.properties, while Liferay's standard is portal-ext.properties. Check the logs to make sure your configuration file is picked up by Liferay, and make sure it is named correctly.

Answer 3 (score: 0)

I think the way Kerberos SSO with Liferay works was wrong for me because mod_jk.conf was missing from my apache2.conf.

Following http://blog.dbi-services.com/kerberos-sso-with-liferay-61/, I built mod_jk:

    [root mod_auth_kerb-5.4]# cd ..
    [root opt]# wget http://mirror.switch.ch/mirror/apache/dist/tomcat/tomcat-connectors/jk/tomcat-connectors-1.2.40-src.tar.gz
    [root opt]# tar -xvf tomcat-connectors-1.2.40-src.tar.gz
    [root opt]# cd tomcat-connectors-1.2.40-src/native
    [root native]# ./configure --with-apxs=/usr/local/apache2/bin/apxs --enable-api-compatibility
    [root native]# make
    [root native]# make install

and then created mod_jk.conf and workers.properties:

[root opt]# vi /opt/liferay-6.1.1/tomcat/conf/mod_jk.conf
    LoadModule jk_module /usr/local/apache2/modules/mod_jk.so
    JkWorkersFile /opt/liferay-6.1.1/tomcat-7.0.27/conf/workers.properties
    JkLogFile /usr/local/apache2/logs/mod_jk.log
    JkLogLevel debug
    JkLogStampFormat "[%a %b %d %H:%M:%S %Y]"
    # JkOptions indicate to send SSL KEY SIZE,
    JkOptions +ForwardKeySize +ForwardURICompat -ForwardDirectories
    # JkRequestLogFormat set the request format
    JkRequestLogFormat "%w %V %T"
    JkMount / ajp13
    JkMount /* ajp13

[root opt]# vi /opt/liferay-6.1.1/tomcat/conf/workers.properties
    # Define 1 real worker named ajp13
    worker.list=ajp13
    worker.ajp13.type=ajp13
    worker.ajp13.host=localhost
    worker.ajp13.port=8009
    worker.ajp13.lbfactor=50
    worker.ajp13.cachesize=10
    worker.ajp13.cache_timeout=600
    worker.ajp13.socket_keepalive=1
