Tomcat uses FormAuthenticator instead of the KeyCloak Tomcat Valve SAML authentication

自由

I have set up Tomcat with the KeyCloak SAML Valve.

I see in the logs that the Valve loads and reads its configuration from keycloak-saml.xml. When I access my application, I also see in the logs that the session is not authenticated.

In my logs I see that it goes on to call FormAuthenticator instead of the KeyCloak authenticator:

```
15-Jun-2020 11:07:33.281 DEBUG [https-jsse-nio-8443-exec-9] org.keycloak.adapters.saml.SamlUtil.validateSamlSession SamlSession was not found in the session
15-Jun-2020 11:07:33.282 FINE [https-jsse-nio-8443-exec-9] org.apache.catalina.authenticator.AuthenticatorBase.invoke Security checking request GET /orbeon/fr
15-Jun-2020 11:07:33.282 FINE [https-jsse-nio-8443-exec-9] org.apache.catalina.realm.RealmBase.findSecurityConstraints   Checking constraint 'SecurityConstraint[Form Runner services and public pages and resources]' against GET /fr --> true
15-Jun-2020 11:07:33.282 FINE [https-jsse-nio-8443-exec-9] org.apache.catalina.realm.RealmBase.findSecurityConstraints   Checking constraint 'SecurityConstraint[Form Runner services and public pages and resources]' against GET /fr --> true
15-Jun-2020 11:07:33.282 FINE [https-jsse-nio-8443-exec-9] org.apache.catalina.authenticator.AuthenticatorBase.invoke  Calling hasUserDataPermission()
15-Jun-2020 11:07:33.282 FINE [https-jsse-nio-8443-exec-9] org.apache.catalina.realm.RealmBase.hasUserDataPermission   User data constraint already satisfied
15-Jun-2020 11:07:33.282 FINE [https-jsse-nio-8443-exec-9] org.apache.catalina.authenticator.AuthenticatorBase.invoke  Calling authenticate()
15-Jun-2020 11:07:33.282 FINE [https-jsse-nio-8443-exec-9] org.apache.catalina.authenticator.FormAuthenticator.doAuthenticate Checking for reauthenticate in session StandardSession[B4143AFBD9BB4D6D1E208687CF9F5581]
15-Jun-2020 11:07:33.282 FINE [https-jsse-nio-8443-exec-9] org.apache.catalina.authenticator.FormAuthenticator.doAuthenticate Save request in session 'B4143AFBD9BB4D6D1E208687CF9F5581'
15-Jun-2020 11:07:33.283 FINE [https-jsse-nio-8443-exec-9] org.apache.catalina.authenticator.FormAuthenticator.forwardToLoginPage Forwarding request for [/orbeon/fr] made with method [GET] to login page [null] of context [/orbeon] using request method GET
15-Jun-2020 11:07:33.283 WARNING [https-jsse-nio-8443-exec-9] org.apache.catalina.authenticator.FormAuthenticator.forwardToLoginPage No login page was defined for FORM authentication in context [/orbeon]
15-Jun-2020 11:07:33.283 FINE [https-jsse-nio-8443-exec-9] org.apache.catalina.authenticator.AuthenticatorBase.invoke  Failed authenticate() test
```

Comparing this with another environment where the Valve works correctly, I see:

```
12-Jun-2020 14:21:43.644 FINE [ContainerBackgroundProcessor[StandardEngine[Catalina]]] org.apache.catalina.session.ManagerBase.processExpires Start expire sessions StandardManager at 1591989703644 sessioncount 0
12-Jun-2020 14:21:43.645 FINE [ContainerBackgroundProcessor[StandardEngine[Catalina]]] org.apache.catalina.session.ManagerBase.processExpires End expire sessions StandardManager processingTime 1 expired sessions: 0
12-Jun-2020 14:21:43.646 FINE [ContainerBackgroundProcessor[StandardEngine[Catalina]]] org.apache.catalina.session.ManagerBase.processExpires Start expire sessions StandardManager at 1591989703646 sessioncount 0
12-Jun-2020 14:21:43.646 FINE [ContainerBackgroundProcessor[StandardEngine[Catalina]]] org.apache.catalina.session.ManagerBase.processExpires End expire sessions StandardManager processingTime 0 expired sessions: 0
12-Jun-2020 14:21:54.746 DEBUG [https-jsse-nio-8443-exec-4] org.keycloak.adapters.saml.CatalinaSamlSessionStore.isLoggedIn session was null, returning null
12-Jun-2020 14:21:54.747 FINE [https-jsse-nio-8443-exec-4] org.apache.catalina.authenticator.AuthenticatorBase.invoke Security checking request GET /the-app/
12-Jun-2020 14:21:54.747 FINE [https-jsse-nio-8443-exec-4] org.apache.catalina.realm.RealmBase.findSecurityConstraints   Checking constraint 'SecurityConstraint[Form Runner services and public pages and resources]' against GET / --> true
12-Jun-2020 14:21:54.748 FINE [https-jsse-nio-8443-exec-4] org.apache.catalina.realm.RealmBase.findSecurityConstraints   Checking constraint 'SecurityConstraint[Form Runner services and public pages and resources]' against GET / --> true
12-Jun-2020 14:21:54.750 FINE [https-jsse-nio-8443-exec-4] org.apache.catalina.authenticator.jaspic.AuthConfigFactoryImpl.loadPersistentRegistrations Loading persistent provider registrations from [/opt/tomcat/conf/jaspic-providers.xml]
12-Jun-2020 14:21:54.765 FINE [https-jsse-nio-8443-exec-4] org.apache.catalina.authenticator.AuthenticatorBase.invoke  Calling hasUserDataPermission()
12-Jun-2020 14:21:54.765 FINE [https-jsse-nio-8443-exec-4] org.apache.catalina.realm.RealmBase.hasUserDataPermission   User data constraint already satisfied
12-Jun-2020 14:21:54.765 FINE [https-jsse-nio-8443-exec-4] org.apache.catalina.authenticator.AuthenticatorBase.invoke  Calling authenticate()
12-Jun-2020 14:21:54.776 DEBUG [https-jsse-nio-8443-exec-4] org.keycloak.adapters.saml.SamlAuthenticator.authenticate SamlAuthenticator is using handler [org.keycloak.adapters.saml.profile.webbrowsersso.BrowserHandler@68df1d6a]
12-Jun-2020 14:21:54.776 DEBUG [https-jsse-nio-8443-exec-4] org.keycloak.adapters.saml.CatalinaSamlSessionStore.isLoggedIn session was null, returning null
12-Jun-2020 14:21:54.783 DEBUG [https-jsse-nio-8443-exec-4] org.keycloak.saml.common.DefaultPicketLinkLogger.debug org.keycloak.saml.processing.core.saml.v2.util.XMLTimeUtil issueInstant: 2020-06-12T19:21:54.781Z
12-Jun-2020 14:21:54.832 DEBUG [https-jsse-nio-8443-exec-4] org.keycloak.saml.common.DefaultPicketLinkLogger.debug The provider ApacheXMLDSig - 2.14 was added at position: 2
SLF4J: Failed to load class "org.slf4j.impl.StaticLoggerBinder".
SLF4J: Defaulting to no-operation (NOP) logger implementation
SLF4J: See http://www.slf4j.org/codes.html#StaticLoggerBinder for further details.
12-Jun-2020 14:21:54.911 FINE [https-jsse-nio-8443-exec-4] org.apache.catalina.authenticator.AuthenticatorBase.invoke  Failed authenticate() test
```

What logger options can I set to determine why Tomcat is loading Form authentication and not using the Valve?

Interestingly, I can see the KeyCloak logging `org.keycloak.adapters.saml.SamlUtil.validateSamlSession SamlSession was not found in the session` in both environments; after that, the failing environment seems to call FormAuthenticator while the working environment calls SamlAuthenticator.

Both environments show KeyCloak initializing and reading its configuration:

```
15-Jun-2020 11:40:56.921 DEBUG [localhost-startStop-1] org.keycloak.saml.common.DefaultPicketLinkLogger.usingLoggerImplementation Using logger implementation: org.keycloak.saml.common.DefaultPicketLinkLogger
15-Jun-2020 11:40:56.947 DEBUG [localhost-startStop-1] org.keycloak.saml.common.DefaultPicketLinkLogger.debug Element {urn:keycloak:saml:adapter}PrivateKey bypassed
15-Jun-2020 11:40:56.947 DEBUG [localhost-startStop-1] org.keycloak.saml.common.DefaultPicketLinkLogger.debug Element {urn:keycloak:saml:adapter}Certificate bypassed
15-Jun-2020 11:40:56.949 DEBUG [localhost-startStop-1] org.keycloak.saml.common.DefaultPicketLinkLogger.debug Element {urn:keycloak:saml:adapter}Attribute bypassed
15-Jun-2020 11:40:56.949 DEBUG [localhost-startStop-1] org.keycloak.saml.common.DefaultPicketLinkLogger.debug Element {urn:keycloak:saml:adapter}Attribute bypassed
15-Jun-2020 11:40:56.950 DEBUG [localhost-startStop-1] org.keycloak.saml.common.DefaultPicketLinkLogger.debug Element {urn:keycloak:saml:adapter}Property bypassed
15-Jun-2020 11:40:56.955 DEBUG [localhost-startStop-1] org.keycloak.saml.common.DefaultPicketLinkLogger.debug Element {urn:keycloak:saml:adapter}Certificate bypassed
15-Jun-2020 11:40:56.957 DEBUG [localhost-startStop-1] org.keycloak.adapters.saml.config.parsers.DeploymentBuilder.build Try to load key [mykey]
15-Jun-2020 11:40:57.320 DEBUG [localhost-startStop-1] org.keycloak.adapters.saml.RoleMappingsProviderUtils.loadProviders Loaded RoleMappingsProvider properties-based-role-mapper
15-Jun-2020 11:40:57.321 DEBUG [localhost-startStop-1] org.keycloak.adapters.saml.RoleMappingsProviderUtils.loadProviders Loaded RoleMappingsProvider properties-based-role-mapper
15-Jun-2020 11:40:57.321 DEBUG [localhost-startStop-1] org.keycloak.adapters.saml.PropertiesBasedRoleMapper.init Resource loader successfully loaded role mappings from /WEB-INF/role-mappings.properties
15-Jun-2020 11:40:57.322 DEBUG [localhost-startStop-1] org.keycloak.adapters.saml.AbstractSamlAuthenticatorValve.keycloakInit Keycloak is using a per-deployment configuration.
```

Both environments have a META-INF/context.xml:

```xml
<Context path="/orbeon">
    <Valve className="org.keycloak.adapters.saml.tomcat.SamlAuthenticatorValve"/>
    <Resource ... DATABASE RESOURCE INFO HERE ... />
</Context>
```

The web.xml is lengthy, but I think the relevant part of the security configuration is:

```xml
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Form Runner services and public pages and resources</web-resource-name>
        <url-pattern>/*</url-pattern>
        <url-pattern>/fr/service/*</url-pattern>
        <url-pattern>/fr/style/*</url-pattern>
        <url-pattern>/fr/not-found</url-pattern>
        <url-pattern>/fr/unauthorized</url-pattern>
        <url-pattern>/fr/error</url-pattern>
        <url-pattern>/fr/login</url-pattern>
        <url-pattern>/fr/login-error</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
    <auth-constraint>
        <role-name>orbeon-user</role-name>
    </auth-constraint>
</security-constraint>
<login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
        <form-login-page>/fr/login</form-login-page>
        <form-error-page>/fr/login-error</form-error-page>
    </form-login-config>
</login-config>
<security-role>
    <role-name>orbeon-user</role-name>
</security-role>
<!-- End Form Runner authentication -->
<session-config>
    <session-timeout>60</session-timeout>
</session-config>
```

I tried changing the login-config to BASIC, as in the Tomcat SAML adapter's per-WAR configuration; this does not change the behaviour in either environment.

I am able to POST a signed SAML object to /orbeon/saml and I see KeyCloak attempt to validate the signature, etc. This should prove that KeyCloak is listening, and that my problem is somehow with the authentication redirect in the application or in web.xml.

卡亚加里

Please check the version of the KeyCloak adapter you are using. The adapter for Tomcat version 7 is different from the adapter for Tomcat versions 8 and 9.

If we compare the two adapter modules from KeyCloak, the one for Tomcat 8/9 against the one for Tomcat 7, we can see that the Tomcat 7 module does not override or implement FormAuthenticator.doAuthenticate. So if the Tomcat 7 module is called from Tomcat 8, it calls the parent doAuthenticate method and attempts form-based authentication.
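The following script is an added example, not part of the question or answer and not Keycloak's or Tomcat's own code. It parses Tomcat log lines of the form quoted in the question and reports, per request thread, which authenticator class logged after `AuthenticatorBase.invoke` printed `Calling authenticate()`, and whether a Keycloak SAML adapter class had already logged for that request. A thread where the SAML valve has logged but `FormAuthenticator` handles `authenticate()` is exactly the fall-through the answer describes. The sample input is constructed from the question's two log excerpts; the verdict labels are my own.

```python
import re
from collections import defaultdict

# Tomcat juli log line, e.g.
# "15-Jun-2020 11:07:33.282 FINE [https-jsse-nio-8443-exec-9] org.apache...AuthenticatorBase.invoke  Calling authenticate()"
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"(?P<level>[A-Z]+) \[(?P<thread>.+?)\] "
    r"(?P<qualified>\S+)\s+(?P<msg>.*)$"
)

KEYCLOAK_SAML = "org.keycloak.adapters.saml"   # any class of the Keycloak SAML adapter
TOMCAT_FORM = "org.apache.catalina.authenticator.FormAuthenticator"


def parse(lines):
    """Yield one dict per Tomcat-format line; SLF4J noise, blanks and stack traces are skipped."""
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["logger"], _, rec["method"] = rec.pop("qualified").rpartition(".")
        yield rec


def diagnose(lines):
    """Map thread name -> {request, valve_seen, authenticator, verdict}."""
    threads = defaultdict(lambda: {"request": None, "valve_seen": False,
                                   "in_authenticate": False, "authenticator": None})
    for rec in parse(lines):
        t = threads[rec["thread"]]
        logger, msg = rec["logger"], rec["msg"].strip()
        if msg.startswith("Security checking request "):
            t["request"] = msg[len("Security checking request "):]
        if not t["in_authenticate"]:
            if logger.startswith(KEYCLOAK_SAML):
                t["valve_seen"] = True          # the SAML valve is in the pipeline for this request
            if msg == "Calling authenticate()":
                t["in_authenticate"] = True
            continue
        # The first authenticator class that logs after "Calling authenticate()" is the one Tomcat dispatched to.
        if t["authenticator"] is None:
            if logger.startswith(TOMCAT_FORM):
                t["authenticator"] = "FORM"
            elif logger.startswith(KEYCLOAK_SAML):
                t["authenticator"] = "SAML"
    return {thread: _verdict(t) for thread, t in threads.items()}


def _verdict(t):
    if t["authenticator"] == "SAML":
        verdict = "ok"
    elif t["authenticator"] == "FORM" and t["valve_seen"]:
        # The symptom in the question: valve loaded, but FormAuthenticator.doAuthenticate ran.
        verdict = "valve-fell-through-to-form"
    elif t["authenticator"] == "FORM":
        verdict = "no-valve"
    else:
        verdict = "unknown"
    return {"request": t["request"], "valve_seen": t["valve_seen"],
            "authenticator": t["authenticator"], "verdict": verdict}


# Constructed sample input, taken from the question's failing and working excerpts.
FAILING_LOG = """
15-Jun-2020 11:07:33.281 DEBUG [https-jsse-nio-8443-exec-9] org.keycloak.adapters.saml.SamlUtil.validateSamlSession SamlSession was not found in the session
15-Jun-2020 11:07:33.282 FINE [https-jsse-nio-8443-exec-9] org.apache.catalina.authenticator.AuthenticatorBase.invoke Security checking request GET /orbeon/fr
15-Jun-2020 11:07:33.282 FINE [https-jsse-nio-8443-exec-9] org.apache.catalina.authenticator.AuthenticatorBase.invoke  Calling authenticate()
15-Jun-2020 11:07:33.282 FINE [https-jsse-nio-8443-exec-9] org.apache.catalina.authenticator.FormAuthenticator.doAuthenticate Checking for reauthenticate in session StandardSession[B4143AFBD9BB4D6D1E208687CF9F5581]
15-Jun-2020 11:07:33.283 WARNING [https-jsse-nio-8443-exec-9] org.apache.catalina.authenticator.FormAuthenticator.forwardToLoginPage No login page was defined for FORM authentication in context [/orbeon]
15-Jun-2020 11:07:33.283 FINE [https-jsse-nio-8443-exec-9] org.apache.catalina.authenticator.AuthenticatorBase.invoke  Failed authenticate() test
"""

WORKING_LOG = """
12-Jun-2020 14:21:54.746 DEBUG [https-jsse-nio-8443-exec-4] org.keycloak.adapters.saml.CatalinaSamlSessionStore.isLoggedIn session was null, returning null
12-Jun-2020 14:21:54.747 FINE [https-jsse-nio-8443-exec-4] org.apache.catalina.authenticator.AuthenticatorBase.invoke Security checking request GET /the-app/
12-Jun-2020 14:21:54.765 FINE [https-jsse-nio-8443-exec-4] org.apache.catalina.authenticator.AuthenticatorBase.invoke  Calling authenticate()
12-Jun-2020 14:21:54.776 DEBUG [https-jsse-nio-8443-exec-4] org.keycloak.adapters.saml.SamlAuthenticator.authenticate SamlAuthenticator is using handler [org.keycloak.adapters.saml.profile.webbrowsersso.BrowserHandler@68df1d6a]
SLF4J: Failed to load class "org.slf4j.impl.StaticLoggerBinder".
12-Jun-2020 14:21:54.911 FINE [https-jsse-nio-8443-exec-4] org.apache.catalina.authenticator.AuthenticatorBase.invoke  Failed authenticate() test
"""

if __name__ == "__main__":
    for name, log in (("failing", FAILING_LOG), ("working", WORKING_LOG)):
        for thread, result in diagnose(log.splitlines()).items():
            print(f"{name}: {thread} {result['request']} -> {result['authenticator']} ({result['verdict']})")
```

Run it against a real catalina.out (`diagnose(open("catalina.out").readlines())`) with `org.apache.catalina.authenticator` at FINE and `org.keycloak` at DEBUG, as in the question's logs; any thread reported as `valve-fell-through-to-form` is a request where the valve was present but Tomcat dispatched to the FORM authenticator, which is the adapter/Tomcat version mismatch the answer points to.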
