Hawtio/Jaas ldap登录

Question

通过遵循configuration docs，尝试使用JAAS将身份验证添加到hawtio

首先使用jetty的demo-base test-jaas war配置基本的JAAS/jetty登录，并能够进行身份验证/授权。

我试图通过阅读docs将同样的概念融入到hawtio中，但我确信它甚至不能触及ldap，因为当我用demo war尝试它时，我会得到像"found user? true"这样的日志。

我决定暂时忽略授权，只尝试使用ldap进行身份验证。如果任何人有任何建议，我可以尝试做进一步的调试，我将不胜感激。

以下是我的领域配置：

hawtio {
   org.eclipse.jetty.jaas.spi.LdapLoginModule required
   debug="true"
   useLdaps="false"
   contextFactory="com.sun.jndi.ldap.LdapCtxFactory"
   hostname="10.10.10.10"
   port="389"
   bindDn="asfd@test.com"
   bindPassword="asdf"
   authenticationMethod="simple"
   forceBindingLogin="false"
   userBaseDn="cn=Users,dc=test,dc=com"
   userRdnAttribute="cn"
   userIdAttribute="sAMAccountName"
   userPasswordAttribute="userPassword"
   userObjectClass="user"
   roleBaseDn="cn=Schema Admins,cn=Users,dc=test,dc=com"
   roleNameAttribute="name"
   roleMemberAttribute="member"
   roleObjectClass="group";
};

有关jaas/ web.xml /roles的一些hawtio身份验证：

<env-entry>
    <description>Enable/disable hawtio's authentication filter, value is really a boolean</description>
    <env-entry-name>hawtio/authenticationEnabled</env-entry-name>
    <env-entry-type>java.lang.String</env-entry-type>
    <env-entry-value>true</env-entry-value>
  </env-entry>

  <env-entry>
    <description>Authorized user role, empty string disables authorization</description>
    <env-entry-name>hawtio/role</env-entry-name>
    <env-entry-type>java.lang.String</env-entry-type>
    <env-entry-value>*</env-entry-value>
  </env-entry>

  <env-entry>
    <description>JAAS classname that would contain the role principal, empty string disables authorization</description>
    <env-entry-name>hawtio/rolePrincipalClasses</env-entry-name>
    <env-entry-type>java.lang.String</env-entry-type>
    <env-entry-value></env-entry-value>
  </env-entry>

  <env-entry>
    <description>JAAS realm used to authenticate users</description>
    <env-entry-name>hawtio/realm</env-entry-name>
    <env-entry-type>java.lang.String</env-entry-type>
    <env-entry-value>hawtio</env-entry-value>
  </env-entry>

我正在看的一些日志

DEBUG | qtp580024961-17 | doAuthenticate[realm=hawtio, role=*, rolePrincipalClasses=, configuration=null, username=dummy, password=******]
DEBUG | qtp580024961-17 | Unknown callback class [org.eclipse.jetty.jaas.callback.ObjectCallback]
WARN  | qtp580024961-17 | Login failed due to: Login Failure: all modules ignored
DEBUG | qtp580024961-17 | Failed stacktrace:
javax.security.auth.login.LoginException: Login Failure: all modules ignored
        at javax.security.auth.login.LoginContext.invoke(Unknown Source)
        at javax.security.auth.login.LoginContext.access$000(Unknown Source)
        at javax.security.auth.login.LoginContext$4.run(Unknown Source)
        at javax.security.auth.login.LoginContext$4.run(Unknown Source)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.login.LoginContext.invokePriv(Unknown Source)
        at javax.security.auth.login.LoginContext.login(Unknown Source)
        at io.hawt.system.Authenticator.doAuthenticate(Authenticator.java:131)
        at io.hawt.system.Authenticator.authenticate(Authenticator.java:92)
        at io.hawt.web.AuthenticationFilter.doFilter(AuthenticationFilter.java:168)
        at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1650)
        at io.hawt.web.XXSSProtectionFilter.doFilter(XXSSProtectionFilter.java:28)
        at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1650)
        at io.hawt.web.XFrameOptionsFilter.doFilter(XFrameOptionsFilter.java:28)
        at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1650)
        at io.hawt.web.CORSFilter.doFilter(CORSFilter.java:42)
        at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1650)
        at io.hawt.web.CacheHeadersFilter.doFilter(CacheHeadersFilter.java:37)
        at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1650)
        at io.hawt.web.SessionExpiryFilter.process(SessionExpiryFilter.java:126)
        at io.hawt.web.SessionExpiryFilter.doFilter(SessionExpiryFilter.java:69)
        at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1650)
        at io.hawt.web.RedirectFilter.process(RedirectFilter.java:86)
        at io.hawt.web.RedirectFilter.doFilter(RedirectFilter.java:72)
        at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1650)
        at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:583)
        at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
        at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:577)
        at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:223)
        at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1125)
        at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:515)
        at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:185)
        at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1059)
        at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
        at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:215)
        at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:110)
        at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
        at org.eclipse.jetty.server.Server.handle(Server.java:497)
        at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:311)
        at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:248)
        at org.eclipse.jetty.io.AbstractConnection$2.run(AbstractConnection.java:540)
        at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:610)
        at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:539)
        at java.lang.Thread.run(Unknown Source)

Answer 1

This在更大程度上是一种变通解决方案，但最终还是通过使用不同的ldaploginmodule配置了hawtio

必须是org.eclipse.jetty.jaas.spi.LdapLoginModule类的某种配置。