I am running a web application on WebSphere Application Server BASE 9.0.0.8. WebSphere security is configured with a standalone LDAP registry (OpenLDAP), which is also the registry for the application's users.
After the server starts, user login works normally and takes a few seconds.
After some idle time the application session times out and the user has to log in again, but this time the login takes several minutes.
I did not notice anything in the server logs that would explain this login delay, so I enabled the LTPAToken2 trace with the trace string *=info:com.ibm.ws.security.ltpa.LTPAToken2=all.
After reproducing the login delay I checked the trace log and found a large number of these records in it:
[9/27/18 14:07:28:532 CEST] 0000009c LTPAToken2 3 Returning existing encrypted bytes from token object.
[9/27/18 14:07:28:532 CEST] 0000009c LTPAToken2 3 Expiration returned from expire field in token: Thu Sep 27 14:35:00 CEST 2018
...
During the login delay about 1100 of these records appeared in the trace log: at first almost 200 records within one second, later less frequently, one every few seconds. After a delay of roughly two minutes the user is logged in to the application, with the following records in the trace log:
[9/27/18 14:09:46:132 CEST] 0000009c LdapRegistryI A SECJ0419I: The user registry is currently connected to the LDAP server ldap://machineX:389.
[9/27/18 14:09:46:146 CEST] 0000009c LTPAToken2 > new LTPAToken2 from accessID Entry
[9/27/18 14:09:46:146 CEST] 0000009c LTPAToken2 3 userdata areau:user\:machineX\:389/uid=userX,ou=Users,dc=companyX,dc=xy
[9/27/18 14:09:46:146 CEST] 0000009c LTPAToken2 3 Expiration returned from expire field in token: Thu Sep 27 16:10:00 CEST 2018
[9/27/18 14:09:46:146 CEST] 0000009c LTPAToken2 3 Expiration set to: Thu Sep 27 16:10:00 CEST 2018
[9/27/18 14:09:46:146 CEST] 0000009c LTPAToken2 < new LTPAToken2 from accessID Exit
[9/27/18 14:09:46:146 CEST] 0000009c LTPAToken2 3 Token was updated thus clearing encrypted bytes to re-encrypt.
[9/27/18 14:09:46:146 CEST] 0000009c LTPAToken2 3 Token was updated thus clearing encrypted bytes to re-encrypt.
[9/27/18 14:09:46:146 CEST] 0000009c LTPAToken2 3 Token was updated thus clearing encrypted bytes to re-encrypt.
[9/27/18 14:09:46:146 CEST] 0000009c LTPAToken2 3 Token was updated thus clearing encrypted bytes to re-encrypt.
[9/27/18 14:09:46:146 CEST] 0000009c LTPAToken2 3 Token was updated thus clearing encrypted bytes to re-encrypt.
[9/27/18 14:09:46:147 CEST] 0000009c LTPAToken2 3 Token was updated thus clearing encrypted bytes to re-encrypt.
[9/27/18 14:09:46:147 CEST] 0000009c LTPAToken2 3 Token was updated thus clearing encrypted bytes to re-encrypt.
Answer 0 (score: 1)
The WAS server and the LDAP server are located in different network subnets. After some time the existing connection to LDAP becomes "dead". The problem was solved by disabling the WAS LDAP registry parameter "Reuse connection".
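The trace excerpt in the question can be turned into a measurement rather than a visual impression: how long a thread sat replaying "Returning existing encrypted bytes" entries before the registry reported a live LDAP connection (SECJ0419I). The script below is an added example, not code from the question, the answer or IBM; it parses the WAS trace timestamp format shown above and reports the per-thread delay. The sample trace lines are constructed to mirror the quoted ones, and the 30-second threshold for flagging a slow login is an assumption you would tune to your environment.

```python
import re
from datetime import datetime

# Constructed sample trace lines, modelled on the format quoted in the question
# (same thread id, same message texts, timestamps chosen to reproduce the ~2 min gap).
SAMPLE_TRACE = """\
[9/27/18 14:07:28:532 CEST] 0000009c LTPAToken2 3 Returning existing encrypted bytes from token object.
[9/27/18 14:07:28:532 CEST] 0000009c LTPAToken2 3 Expiration returned from expire field in token: Thu Sep 27 14:35:00 CEST 2018
[9/27/18 14:07:28:540 CEST] 0000009c LTPAToken2 3 Returning existing encrypted bytes from token object.
[9/27/18 14:07:31:010 CEST] 0000009c LTPAToken2 3 Returning existing encrypted bytes from token object.
[9/27/18 14:09:46:132 CEST] 0000009c LdapRegistryI A SECJ0419I: The user registry is currently connected to the LDAP server ldap://machineX:389.
[9/27/18 14:09:46:146 CEST] 0000009c LTPAToken2 > new LTPAToken2 from accessID Entry
"""

# WAS trace prefix: [M/D/YY HH:MM:SS:mmm TZ] <thread id> <component> <rest of line>
TS_RE = re.compile(
    r"^\[(\d{1,2})/(\d{1,2})/(\d{2}) (\d{1,2}):(\d{2}):(\d{2}):(\d{3}) (\w+)\] "
    r"(\S+) (\S+) (.*)$"
)


def parse_line(line):
    """Split one trace line into timestamp, thread id, component and message.

    Returns None for lines that do not carry the WAS trace prefix (continuation
    lines, stack traces, the '...' elision in the question).
    """
    m = TS_RE.match(line)
    if not m:
        return None
    month, day, yy, hh, mm, ss, ms, tz, thread, component, rest = m.groups()
    # Two-digit year in the trace prefix; assumed to be 20xx.
    ts = datetime(2000 + int(yy), int(month), int(day),
                  int(hh), int(mm), int(ss), int(ms) * 1000)
    return {"ts": ts, "tz": tz, "thread": thread,
            "component": component, "message": rest}


def analyze_login_delay(trace_text, slow_threshold_s=30.0):
    """Per thread: count LTPAToken2 'Returning existing encrypted bytes' entries
    and measure the gap from the first of them to the SECJ0419I reconnect message.

    slow_threshold_s is an assumed cut-off for flagging a login as slow.
    """
    per_thread = {}
    for raw in trace_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        t = per_thread.setdefault(rec["thread"], {
            "first_token_read": None, "token_reads": 0, "ldap_connected": None})
        if (rec["component"] == "LTPAToken2"
                and "Returning existing encrypted bytes" in rec["message"]):
            t["token_reads"] += 1
            if t["first_token_read"] is None:
                t["first_token_read"] = rec["ts"]
        elif "SECJ0419I" in rec["message"] and t["ldap_connected"] is None:
            t["ldap_connected"] = rec["ts"]

    report = {}
    for thread, t in per_thread.items():
        # Only threads that show both the token-replay burst and the reconnect
        # can be measured; anything else is left out of the report.
        if t["first_token_read"] is None or t["ldap_connected"] is None:
            continue
        delay = (t["ldap_connected"] - t["first_token_read"]).total_seconds()
        report[thread] = {
            "token_reads": t["token_reads"],
            "delay_seconds": delay,
            "slow_login": delay >= slow_threshold_s,
        }
    return report


if __name__ == "__main__":
    for thread, info in analyze_login_delay(SAMPLE_TRACE).items():
        print(f"thread {thread}: {info['token_reads']} token reads, "
              f"{info['delay_seconds']:.1f}s until LDAP reconnect, "
              f"slow={info['slow_login']}")
```

Run against a real trace.log, a thread that shows hundreds of token reads followed by a SECJ0419I message minutes later is the signature of the dead-connection behaviour described in the answer; after disabling "Reuse connection" the same script should report delays in the seconds range, which makes it a simple before/after check for the fix.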