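We are migrating a legacy application from WebSphere 8.5.5 to Apache Tomcat. As part of that, I am trying to set up LDAP in my local Tomcat, because that is how we authenticate/authorize users.
When I deploy the web application, the container logs show that it is able to authenticate the user and fetch all the LDAP user groups associated with that user, but in the end it gives
org.apache.catalina.authenticator.AuthenticatorBase.invoke Failed authenticate() test
This is on a Windows 10 server with Apache Tomcat 9.0.7 and OpenJDK 8.0.212.04-hotspot.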
login.jsp
<form action="/client/j_security_check" method="post">
  <table>
    <tr>
      <td>
        <input type="text" name="j_username" size="32" value="">
      </td>
      <td>
        <input type="password" name="j_password" size="32" value="">
        <input type="submit" name="" value="Login" class="StandardButton">
      </td>
    </tr>
  </table>
</form>
server.xml: I removed the existing realm and added the following realm
<Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionURL="ldaps://dev-ldap.ap.test.com:636"
       userPattern="uid={0},ou=people,dc=au,dc=test,dc=com"
       roleBase="ou=groups,dc=au,dc=test,dc=com"
       roleName="cn"
       roleSearch="(uniqueMember={0})"/>
web.xml (application)
<servlet>
  <servlet-name>Controller Servlet</servlet-name>
  <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
  <init-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>/WEB-INF/applicationContext.xml</param-value>
  </init-param>
  <load-on-startup>1</load-on-startup>
  <security-role-ref>
    <role-name>webapps-client-users</role-name>
    <role-link>authorised</role-link>
  </security-role-ref>
  <security-role-ref>
    <role-name>webapps-client-test-users</role-name>
    <role-link>test</role-link>
  </security-role-ref>
  <security-role-ref>
    <role-name>webapps-client-approver-users</role-name>
    <role-link>approver</role-link>
  </security-role-ref>
</servlet>
<security-constraint>
  <web-resource-collection>
    <web-resource-name>secured-urls</web-resource-name>
    <url-pattern>/**/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>authorised</role-name>
  </auth-constraint>
</security-constraint>
<security-constraint>
  <web-resource-collection>
    <web-resource-name>unsecured-urls</web-resource-name>
    <url-pattern>/client/html/*</url-pattern>
    <url-pattern>/client/css/*</url-pattern>
    <url-pattern>/client/img/*</url-pattern>
    <url-pattern>/client/js/*</url-pattern>
    <url-pattern>/j_security_check</url-pattern>
    <url-pattern>/loginPage.do</url-pattern>
    <url-pattern>/index.html</url-pattern>
    <url-pattern>/clientTimeOut.do</url-pattern>
    <url-pattern>/errorPage_403.jsp</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
</security-constraint>
<security-constraint>
  <web-resource-collection>
    <web-resource-name>restricted-urls</web-resource-name>
    <url-pattern>*.do</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>authorised</role-name>
  </auth-constraint>
</security-constraint>
<security-role>
  <description>authenticated</description>
  <role-name>authenticated</role-name>
</security-role>
<security-role>
  <description>authorised</description>
  <role-name>authorised</role-name>
</security-role>
<security-role>
  <description>test</description>
  <role-name>test</role-name>
</security-role>
<security-role>
  <description>approver</description>
  <role-name>approver</role-name>
</security-role>
<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>User Authentication</realm-name>
  <form-login-config>
    <form-login-page>/loginPage.do</form-login-page>
    <form-error-page>/loginPage.do?method=fail</form-error-page>
  </form-login-config>
</login-config>
Logs
17-Sep-2019 23:39:55.463 FINE [http-nio-8080-exec-4] org.apache.catalina.authenticator.AuthenticatorBase.invoke Security checking request POST /client/j_security_check
.....
.....
17-Sep-2019 23:39:55.464 FINE [http-nio-8080-exec-4] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling authenticate()
17-Sep-2019 23:39:55.464 FINE [http-nio-8080-exec-4] org.apache.catalina.authenticator.FormAuthenticator.doAuthenticate Authenticating username 'test'
....
17-Sep-2019 23:39:55.464 FINER [http-nio-8080-exec-4] org.apache.catalina.realm.JNDIRealm.bindAsUser binding as uid=test,ou=people,dc=au,dc=test,dc=com
17-Sep-2019 23:39:55.518 FINER [http-nio-8080-exec-4] org.apache.catalina.realm.JNDIRealm.checkCredentials Username [test] successfully authenticated
17-Sep-2019 23:39:55.518 FINER [http-nio-8080-exec-4] org.apache.catalina.realm.JNDIRealm.getRoles
..........
........
17-Sep-2019 23:39:55.575 FINE [http-nio-8080-exec-4] org.apache.catalina.authenticator.FormAuthenticator.doAuthenticate Authentication of 'test' was successful
17-Sep-2019 23:39:55.575 FINE [http-nio-8080-exec-4] org.apache.catalina.authenticator.AuthenticatorBase.invoke Failed authenticate() test
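
An added example, not part of the original question and not Tomcat's own code: a Python sketch of the Servlet specification's url-pattern matching order (exact, longest path prefix, extension, default), applied to a constructed excerpt of the security constraints above to show which pattern governs a context-relative path. The function names and sample paths are assumptions; http-method handling and the combining of duplicate patterns are left out.

```python
import xml.etree.ElementTree as ET

# Constructed excerpt (no XML namespace) reusing url-patterns and roles from the question's web.xml.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection><url-pattern>/**/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>authorised</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><url-pattern>/client/css/*</url-pattern><url-pattern>/loginPage.do</url-pattern></web-resource-collection>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><url-pattern>*.do</url-pattern></web-resource-collection>
    <auth-constraint><role-name>authorised</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

def kind(pattern):
    """Classify a url-pattern the way the Servlet spec does; there is no Ant-style '**'."""
    if pattern.startswith("/") and pattern.endswith("/*"):
        return "prefix"
    if pattern.startswith("*."):
        return "extension"
    return "default" if pattern == "/" else "exact"

def load_constraints(xml_text):
    """Map each url-pattern to its set of roles, or None when it has no auth-constraint."""
    table = {}
    for sc in ET.fromstring(xml_text).iter("security-constraint"):
        auth = sc.find("auth-constraint")
        roles = None if auth is None else {r.text.strip() for r in auth.iter("role-name")}
        for p in sc.iter("url-pattern"):
            table[p.text.strip()] = roles
    return table

def governing_pattern(path, table):
    """Return the pattern that governs a context-relative path, or None if none applies."""
    if path in table and kind(path) == "exact":
        return path
    prefixes = [p for p in table if kind(p) == "prefix" and (path == p[:-2] or path.startswith(p[:-1]))]
    if prefixes:
        return max(prefixes, key=len)  # the longest path prefix wins
    ext = [p for p in table if kind(p) == "extension" and path.endswith(p[1:])]
    return ext[0] if ext else ("/" if "/" in table else None)

if __name__ == "__main__":
    table = load_constraints(WEB_XML)
    for path in ("/loginPage.do", "/home.do", "/client/css/site.css", "/reports/list.html"):
        print(path, "->", governing_pattern(path, table))
```

A result of None means no security-constraint applies to that path. Here `/**/*` is classified as a path prefix under the literal segment `/**`, so `/reports/list.html` is not covered by it.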