如何为JBoss EAP 6.4.0.GA(AS 7.5.0)设置Active Directory
我们从WAS迁移到JBoss EAP 6.4.0.GA(AS 7.5.0),我无法设置Active Directory来保护我们的web应用程序。我的配置灵感来自于,但它不适用于7.5.0 以下是standalone.xml中的安全域片段如何为JBoss EAP 6.4.0.GA(AS 7.5.0)设置Active Directory,jboss,active-directory,Jboss,Active Directory,我们从WAS迁移到JBoss EAP 6.4.0.GA(AS 7.5.0),我无法设置Active Directory来保护我们的web应用程序。我的配置灵感来自于,但它不适用于7.5.0 以下是standalone.xml中的安全域片段 <security-domain name="ad_security_domain" cache-type="default"> <authentication>
<security-domain name="ad_security_domain" cache-type="default">
<authentication>
<login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
<module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
<module-option name="java.naming.provider.url" value="ldap://10.175.35.60:389"/>
<module-option name="bindDN" value="CN=AD Reader,OU=Users,OU=XXX Group,DC=ferradev,DC=fe"/>
<module-option name="bindCredential" value="secret"/>
<module-option name="baseCtxDN" value="OU=Users,OU=XXX Company,OU=XXX Group,DC=ferradev,DC=fe"/>
<module-option name="baseFilter" value="(sAMAccountName={0})"/>
<module-option name="rolesCtxDN" value="OU=Groups,OU=XXX Company,OU=XXX Group,DC=ferradev,DC=fe"/>
<module-option name="roleFilter" value="(member={1})"/>
<module-option name="roleAttributeID" value="memberOf"/>
<module-option name="roleAttributeIsDN" value="true"/>
<module-option name="roleNameAttributeID" value="cn"/>
<module-option name="allowEmptyPasswords" value="false"/>
<module-option name="Context.REFERRAL" value="follow"/>
<module-option name="throwValidateError" value="true"/>
<module-option name="searchScope" value="SUBTREE_SCOPE"/>
</login-module>
<login-module code="org.jboss.security.auth.spi.RoleMappingLoginModule" flag="optional">
<module-option name="rolesProperties" value="${jboss.server.config.dir}/fop-roles.properties"/>
</login-module>
</authentication>
</security-domain>
<?xml version="1.0"?>
<jboss-web>
<security-domain>ad_security_domain</security-domain>
</jboss-web>
<security-constraint>
<web-resource-collection>
<web-resource-name>Admin Resources</web-resource-name>
<url-pattern>/configuration/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>Administrators</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
....
<security-role>
<description>Administrators Role</description>
<role-name>Administrators</role-name>
</security-role>
<security-domain name="ad_security_domain" cache-type="default">
<authentication>
<login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
<module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
<module-option name="java.naming.provider.url" value="ldap://10.175.35.60:389"/>
<module-option name="bindDN" value="CN=AD Reader,OU=Users,OU=XXX Group,DC=ferradev,DC=fe"/>
<module-option name="bindCredential" value="secret"/>
<module-option name="baseCtxDN" value="OU=Users,OU=XXX Company,OU=XXX Group,DC=ferradev,DC=fe"/>
<module-option name="baseFilter" value="(sAMAccountName={0})"/>
<module-option name="rolesCtxDN" value="OU=Groups,OU=XXX Company,OU=XXX Group,DC=ferradev,DC=fe"/>
<module-option name="roleFilter" value="(member={1})"/>
<module-option name="roleAttributeID" value="memberOf"/>
<module-option name="roleAttributeIsDN" value="true"/>
<module-option name="roleNameAttributeID" value="cn"/>
<module-option name="allowEmptyPasswords" value="false"/>
<module-option name="Context.REFERRAL" value="follow"/>
<module-option name="throwValidateError" value="true"/>
<module-option name="searchScope" value="SUBTREE_SCOPE"/>
</login-module>
<login-module code="org.jboss.security.auth.spi.RoleMappingLoginModule" flag="optional">
<module-option name="rolesProperties" value="${jboss.server.config.dir}/fop-roles.properties"/>
</login-module>
</authentication>
</security-domain>
<?xml version="1.0"?>
<jboss-web>
<security-domain>ad_security_domain</security-domain>
</jboss-web>
<security-constraint>
<web-resource-collection>
<web-resource-name>Admin Resources</web-resource-name>
<url-pattern>/configuration/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>Administrators</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
....
<security-role>
<description>Administrators Role</description>
<role-name>Administrators</role-name>
</security-role>
管理资源
/配置/*
用户:
在将web应用程序成功部署到JBoss后,将显示登录页面,但在填写凭据后,我始终会收到错误:
TRACE[org.jboss.security](ServerService线程池--100)PBOX000354:设置安全角色ThreadLocal:null角色映射模块在jboss AS7+(EAP 6+)中无法正常工作。它可能会导致您的场景中出现问题
<security-domain name="ad_security_domain" cache-type="default">
<authentication>
<login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
<module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
<module-option name="java.naming.provider.url" value="ldap://10.175.35.60:389"/>
<module-option name="bindDN" value="CN=AD Reader,OU=Users,OU=XXX Group,DC=ferradev,DC=fe"/>
<module-option name="bindCredential" value="secret"/>
<module-option name="baseCtxDN" value="OU=Users,OU=XXX Company,OU=XXX Group,DC=ferradev,DC=fe"/>
<module-option name="baseFilter" value="(sAMAccountName={0})"/>
<module-option name="rolesCtxDN" value="OU=Groups,OU=XXX Company,OU=XXX Group,DC=ferradev,DC=fe"/>
<module-option name="roleFilter" value="(member={1})"/>
<module-option name="roleAttributeID" value="memberOf"/>
<module-option name="roleAttributeIsDN" value="true"/>
<module-option name="roleNameAttributeID" value="cn"/>
<module-option name="allowEmptyPasswords" value="false"/>
<module-option name="Context.REFERRAL" value="follow"/>
<module-option name="throwValidateError" value="true"/>
<module-option name="searchScope" value="SUBTREE_SCOPE"/>
</login-module>
<login-module code="org.jboss.security.auth.spi.RoleMappingLoginModule" flag="optional">
<module-option name="rolesProperties" value="${jboss.server.config.dir}/fop-roles.properties"/>
</login-module>
</authentication>
</security-domain>
<?xml version="1.0"?>
<jboss-web>
<security-domain>ad_security_domain</security-domain>
</jboss-web>
<security-constraint>
<web-resource-collection>
<web-resource-name>Admin Resources</web-resource-name>
<url-pattern>/configuration/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>Administrators</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
....
<security-role>
<description>Administrators Role</description>
<role-name>Administrators</role-name>
</security-role>
使用(选项1)和UsersRoles
login模块或(选项2)直接使用角色映射功能
选项1:
选项2:
我最近花了不少时间用Active directory配置LDAP。我发现一个很好的测试方法是安装ApacheDirectory服务器并将其用于本地调试
<security-domain name="LdapSecurityDomain" cache-type="default">
<authentication>
<login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
<module-option name="password-stacking" value="useFirstPass"/>
<module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
<module-option name="java.naming.provider.url" value="ldap://your.ldap.host:389/"/>
<module-option name="java.naming.security.authentication" value="simple"/>
<module-option name="bindDN" value="uid=BindUser,OU=Users,DC=yourCompany,DC=biz"/>
<module-option name="bindCredential" value="theBindUserPassword"/>
<module-option name="baseCtxDN" value="OU=Users,DC=yourCompany,DC=biz"/>
<module-option name="baseFilter" value="(uid={0})"/>
<module-option name="roleFilter" value="(member={1})"/>
<module-option name="rolesCtxDN" value="OU=RoleGroups,DC=yourCompany,DC=biz"/>
<module-option name="roleAttributeID" value="cn"/>
<module-option name="roleNameAttributeID" value="cn"/>
<module-option name="roleRecursion" value="0"/>
<module-option name="throwValidateError" value="true"/>
<module-option name="java.naming.referral" value="follow"/>
<module-option name="searchScope" value="SUBTREE_SCOPE"/>
<module-option name="unauthenticatedIdentity" value="unauthenticated"/>
<module-option name="allowEmptyPasswords" value="false"/>
</login-module>
</authentication>
web.xml中的角色约束表示管理员,但您的角色xdn OU=Groups、OU=XXX Company、OU=XXX Group、DC=ferradev、DC=fe可能扮演的不同角色是APP_GG_(适用于开发管理员)、APP_GG_(适用于开发经理)、APP_GG_(适用于开发用户)和APP_GG_(适用于开发管理员)
还可以使用中介绍的所有跟踪日志选项来帮助解决您的问题。非常感谢您的回答,我尝试了两种选项,但仍然出现相同的错误。因此,问题似乎也存在于LDAP的模块选项中。请您检查并帮助我,好吗?如果您查看我的广告截图,我应该更改什么模块选项以符合我的广告?我看到您设置了以下选项,用户以fop.account.adim作为用户名登录时也是如此?我的建议是使用类似Apache Directory的LDAP浏览器来浏览Active Directory LDAP,以便获得正确的筛选器和上下文DNs。是的,用户名是fop.account.admin,例如,用户“kwart”给出了两个如何重新映射角色的选项