Java 以编程方式验证TAI中的用户
我正在开发Java 以编程方式验证TAI中的用户,java,websphere,websphere-portal,websphere-6.1,Java,Websphere,Websphere Portal,Websphere 6.1,我正在开发TAI,它必须在websphereportal中授权用户 我的TAI使用OpenIDConnect获取有关用户的所有信息,我想构建一些上下文,将其交给WAS,并告诉WAS他必须信任此上下文,而无需本地帐户 如何在TAI中验证用户,而不使用本地存储库中的用户帐户 更新: 代码: 日志: FFDC: 我发现了这个错误 但我不明白他们想让我这么做 说明: 我有联合存储库,其中只有一个LDAP存储库 更新#2: 我在8.5.5.2上做了这样的测试,没有错误,只有白色屏幕。我尝试使用组“wpsa
TAI
,它必须在websphereportal中授权用户
我的TAI
使用OpenID
Connect获取有关用户的所有信息,我想构建一些上下文,将其交给WAS,并告诉WAS他必须信任此上下文,而无需本地帐户
如何在TAI
中验证用户,而不使用本地存储库中的用户帐户
更新:
代码:
日志:
FFDC:
我发现了这个错误
但我不明白他们想让我这么做
说明:
我有联合存储库,其中只有一个LDAP存储库
更新#2:
我在8.5.5.2上做了这样的测试,没有错误,只有白色屏幕。我尝试使用组“wpsadmins”对用户“bob”进行身份验证。有联合存储库,其中有一个基于文件的内置存储库
更新#3:
我为WAS编写了自定义应用程序,其中有一个按钮,可以向Servlet发出POST请求
部分代码:
if (req.getRemoteUser() == null) {
req
.setAttribute("errorMessage",
"<b>Error: Please log in before accessing PrintUserInfo.<b>");
RequestDispatcher disp = getServletContext().getRequestDispatcher(
"/login.jsp");
disp.forward(req, resp);
return;
}
resp.setContentType("text/html");
PrintWriter out = new PrintWriter(resp.getOutputStream());
String id = WSSubject.getCallerPrincipal();
out.println("The WAS Subject layer thinks you are " + id);
Context ic = new InitialContext();
Object objRef = ic.lookup("UserRegistry");
UserRegistry userReg = (UserRegistry) PortableRemoteObject.narrow(
objRef, UserRegistry.class);
out.println("<BR><BR>The user registry says your display name is: "
+ userReg.getUserDisplayName(req.getUserPrincipal()
.getName()));
Subject subject = WSSubject.getCallerSubject();
Set credSet = subject.getPublicCredentials(WSCredential.class);
//should be impossible.
if (credSet.size() > 1) {
System.out
.println("Expected only one WSCredential in Subject set");
throw new Exception("Expected one WSCredential, found "
+ credSet.size());
}
if (credSet.isEmpty()) {
System.out.println("Credential set is empty");
throw new Exception("Found no credentials");
}
//get one and only one element of Set
Iterator iter = credSet.iterator();
WSCredential creds = (WSCredential) iter.next();
out.println("<BR><BR>Looking into your Subject your userid is "
+ creds.getSecurityName());
out.println("<BR><BR>Looking into your Subject your uniqueid is "
+ creds.getUniqueSecurityName());
out
.println("<BR><BR>Looking into your Subject I see these groups: ");
//List groups = helper.getGroups();
List groups = creds.getGroupIds();
iter = groups.iterator();
while (iter.hasNext()) {
String gid = (String) iter.next();
out.println("<BR>Group ID: " + gid);
}
更新#4
我在TAI中添加了一些组,并且比我在门户中授权的多(我想),但我只看到白色屏幕,没有任何内容。怎么了
更新#5
WPS给了我一个例外:
[26.03.15 18:47:41:006 AMT] 0000004e DefaultLoginF E com.ibm.wps.auth.impl.DefaultLoginFilter doLoginWithExceptions WpsException occured: com.ibm.wps.services.authentication.exceptions.UserRetrieveException: EJPSD0008E: Exception occurred while retrieving the user [null] from the user registry.
您需要创建完整主题,以查看更多详细信息 简而言之,您需要使用类似的代码:
String userid = "bob";//get from request
String uniqueid = "bob";
// stash in hashtable
Hashtable hashtable = new Hashtable();
hashtable.put(AttributeNameConstants.WSCREDENTIAL_UNIQUEID,uniqueid);
hashtable.put(AttributeNameConstants.WSCREDENTIAL_SECURITYNAME,userid);
// hashtable.put(AttributeNameConstants.WSCREDENTIAL_GROUPS,groups);
hashtable.put(AttributeNameConstants.WSCREDENTIAL_CACHE_KEY,uniqueid+"MyCustom");
Subject subject = new Subject();
subject.getPublicCredentials().add(hashtable);
return TAIResult.create(HttpServletResponse.SC_OK, "ignored", subject);
在更新#5中添加的WPS异常上
WebSpherePortal要求uniqueid是完全限定的DN。在你的情况下,你只有一个简短的名字。门户确实使用DN在VMM上查找用户,并希望WSCredential.getUniqueSecurityName()返回DN。此代码需要uniqueId。但是这个唯一的ID是由userId从UserRegistry检索的。因此,我在UserRegistry中没有用户帐户,我不会检索uniqueId。@dikkini否,您可以自己将此用户Id设置为正确的格式,而无需从注册表获取,请在我创建并使用存储库中不存在的用户时选中此项。此用户将被视为经过身份验证的用户,但如果您无法从存储库中获取组,则很难将其映射到其他所有经过身份验证的用户。Stack Dump=com.ibm.websphere.wim.exception.invaliduniquenameeexception:CWWIM1011E“test”唯一名称无效。我认为,这很麻烦,因为我只有LDAP用户存储库。我必须建立联邦存储库。但是我不知道在联邦Repo中LDAP需要哪种存储库类型。@dikkini我在联邦Repo上,只有文件注册表,我没有user
bob
,上面的代码可以正常工作。因此,将主题创建的TAI代码添加到问题中,并在出现错误时进行描述(stacktrace)。您不应使用虚拟用户名调用用户注册表。
if (req.getRemoteUser() == null) {
req
.setAttribute("errorMessage",
"<b>Error: Please log in before accessing PrintUserInfo.<b>");
RequestDispatcher disp = getServletContext().getRequestDispatcher(
"/login.jsp");
disp.forward(req, resp);
return;
}
resp.setContentType("text/html");
PrintWriter out = new PrintWriter(resp.getOutputStream());
String id = WSSubject.getCallerPrincipal();
out.println("The WAS Subject layer thinks you are " + id);
Context ic = new InitialContext();
Object objRef = ic.lookup("UserRegistry");
UserRegistry userReg = (UserRegistry) PortableRemoteObject.narrow(
objRef, UserRegistry.class);
out.println("<BR><BR>The user registry says your display name is: "
+ userReg.getUserDisplayName(req.getUserPrincipal()
.getName()));
Subject subject = WSSubject.getCallerSubject();
Set credSet = subject.getPublicCredentials(WSCredential.class);
//should be impossible.
if (credSet.size() > 1) {
System.out
.println("Expected only one WSCredential in Subject set");
throw new Exception("Expected one WSCredential, found "
+ credSet.size());
}
if (credSet.isEmpty()) {
System.out.println("Credential set is empty");
throw new Exception("Found no credentials");
}
//get one and only one element of Set
Iterator iter = credSet.iterator();
WSCredential creds = (WSCredential) iter.next();
out.println("<BR><BR>Looking into your Subject your userid is "
+ creds.getSecurityName());
out.println("<BR><BR>Looking into your Subject your uniqueid is "
+ creds.getUniqueSecurityName());
out
.println("<BR><BR>Looking into your Subject I see these groups: ");
//List groups = helper.getGroups();
List groups = creds.getGroupIds();
iter = groups.iterator();
while (iter.hasNext()) {
String gid = (String) iter.next();
out.println("<BR>Group ID: " + gid);
}
String userid = "alisa";
String uniqueid = "bob";
// add admin group
// stash in hashtable
Hashtable hashtable = new Hashtable();
try {
InitialContext ctx = new InitialContext();
UserRegistry reg =(UserRegistry)ctx.lookup("UserRegistry");
String wpsadminsGroupUniqueId = reg.getUniqueGroupId("wpsadmins");
List<String> groups = new ArrayList<String>();
groups.add(wpsadminsGroupUniqueId);
hashtable.put(AttributeNameConstants.WSCREDENTIAL_GROUPS, groups);
} catch (Exception e) {
System.out.println("EXCEPTION IN TAI");
e.printStackTrace();
}
hashtable.put(AttributeNameConstants.WSCREDENTIAL_UNIQUEID,uniqueid);
hashtable.put(AttributeNameConstants.WSCREDENTIAL_SECURITYNAME,userid);
hashtable.put(AttributeNameConstants.WSCREDENTIAL_CACHE_KEY,uniqueid+"MyCustom");
Subject subject = new Subject();
subject.getPublicCredentials().add(hashtable);
return TAIResult.create(HttpServletResponse.SC_OK, "ignored", subject);
The WAS Subject layer thinks you are alisa
The user registry says your display name is:
Looking into your Subject your userid is alisa
Looking into your Subject your uniqueid is bob
Looking into your Subject I see these groups:
Group ID: group:domain:port/cn=wpsadmins,cn=CN,ou=OU,o=O,o=O,c=ru
[26.03.15 18:47:41:006 AMT] 0000004e DefaultLoginF E com.ibm.wps.auth.impl.DefaultLoginFilter doLoginWithExceptions WpsException occured: com.ibm.wps.services.authentication.exceptions.UserRetrieveException: EJPSD0008E: Exception occurred while retrieving the user [null] from the user registry.
String userid = "bob";//get from request
String uniqueid = "bob";
// stash in hashtable
Hashtable hashtable = new Hashtable();
hashtable.put(AttributeNameConstants.WSCREDENTIAL_UNIQUEID,uniqueid);
hashtable.put(AttributeNameConstants.WSCREDENTIAL_SECURITYNAME,userid);
// hashtable.put(AttributeNameConstants.WSCREDENTIAL_GROUPS,groups);
hashtable.put(AttributeNameConstants.WSCREDENTIAL_CACHE_KEY,uniqueid+"MyCustom");
Subject subject = new Subject();
subject.getPublicCredentials().add(hashtable);
return TAIResult.create(HttpServletResponse.SC_OK, "ignored", subject);