【Title】: digest authentication for application deployed on jboss 7.2
【Posted】: 2020-12-12 14:00:27
【Description】:

I have configured the login module in the web.xml of an application running on JBoss 7.2

<login-config>
        <auth-method>DIGEST</auth-method>
        <realm-name>newrealm</realm-name>
</login-config>

jboss-web.xml is configured with the security domain

<jboss-web>
  <security-domain>securitydomain1</security-domain>
</jboss-web>

standalone.xml configures the security domain as follows

<security-domain name="RPAHttps" cache-type="default">
                    <authentication>
                        <login-module code="UsersRoles" flag="required">
                            <module-option name="usersProperties" value="D:\jboss7\jboss-eap-7.2\standalone\configuration\rpahttpsusers.properties"/>
                            <module-option name="rolesProperties" value="D:\jboss7\jboss-eap-7.2\standalone\configuration\rpahttpsroles.properties"/>
                            <module-option name="defaultUsersProperties" value="D:\jboss7\jboss-eap-7.2\standalone\configuration\rpahttpsusers.properties"/>
                            <module-option name="defaultRolesProperties" value="D:\jboss7\jboss-eap-7.2\standalone\configuration\rpahttpsroles.properties"/>
                            <module-option name="hashAlgorithm" value="MD5"/>
                            <module-option name="hashEncoding" value="rfc2617"/>
                            <module-option name="ignorePasswordCase" value="false"/>
                            <module-option name="hashStorePassword" value="true"/>
                            <module-option name="hashUserPassword" value="false"/>
                            <module-option name="passwordIsA1Hash" value="true"/>
                            <module-option name="storeDigestCallback" value="org.jboss.security.auth.callback.RFC2617Digest"/>
                        </login-module>
                    </authentication>
                </security-domain>

I generated the password stored in the properties file as shown below

D:\jboss7\jboss-eap-7.2\modules\system\layers\base\org\picketbox\main>java -classpath picketbox-5.0.3.Final-redhat-3.jar org.jboss.security.auth.callback.RFC2617Digest TD-ADMIN new_1015 RPAHttpsRealm
RFC2617 A1 hash: cdb6fe455334228532b07355043afcb6

Please note that I gave the same value in the storeDigestCallback module option. I tried other callback classes in vain.

I am getting the following error, could you please help

UG [io.undertow.request.security] (default task-2) Authentication outcome was NOT_ATTEMPTED with method io.undertow.security.impl.CachedAuthenticatedSessionMechanism@234fd496 for /rpaws/services/SearchIPAddressPort
03:19:06,161 DEBUG [org.jboss.security] (default task-2) PBOX00281: Password hashing activated: algorithm = MD5, encoding = rfc2617, charset = null, callback = null, storeCallBack = org.jboss.security.auth.callback.RFC2617Digest
03:19:06,173 DEBUG [org.jboss.security] (default task-2) PBOX00283: Bad password for username TD-ADMIN
03:19:06,173 DEBUG [org.jboss.security] (default task-2) PBOX00206: Login failure: javax.security.auth.login.FailedLoginException: PBOX00070: Password invalid/Password required
    at org.picketbox//org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:286)
    at org.picketbox//org.jboss.security.auth.spi.UsersRolesLoginModule.login(UsersRolesLoginModule.java:171)
    at java.base/javax.security.auth.login.LoginContext.invoke(LoginContext.java:726)
    at java.base/javax.security.auth.login.LoginContext$4.run(LoginContext.java:665)
    at java.base/javax.security.auth.login.LoginContext$4.run(LoginContext.java:663)
    at java.base/java.security.AccessController.doPrivileged(Native Method)
    at java.base/javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:663)
    at java.base/javax.security.auth.login.LoginContext.login(LoginContext.java:574)
    at org.picketbox//org.jboss.security.authentication.JBossCachedAuthenticationManager.defaultLogin(JBossCachedAuthenticationManager.java:406)
    at org.picketbox//org.jboss.security.authentication.JBossCachedAuthenticationManager.proceedWithJaasLogin(JBossCachedAuthenticationManager.java:345)
    at org.picketbox//org.jboss.security.authentication.JBossCachedAuthenticationManager.authenticate(JBossCachedAuthenticationManager.java:323)
    at org.picketbox//org.jboss.security.authentication.JBossCachedAuthenticationManager.isValid(JBossCachedAuthenticationManager.java:146)
    at org.wildfly.extension.undertow@7.2.0.GA-redhat-00005//org.wildfly.extension.undertow.security.JAASIdentityManagerImpl.verifyCredential(JAASIdentityManagerImpl.java:123)
    at org.wildfly.extension.undertow@7.2.0.GA-redhat-00005//org.wildfly.extension.undertow.security.JAASIdentityManagerImpl.verify(JAASIdentityManagerImpl.java:89)
    at org.wildfly.extension.undertow@7.2.0.GA-redhat-00005//org.wildfly.extension.undertow.security.digest.DigestAuthenticationMechanism.handleDigestHeader(DigestAuthenticationMechanism.java:312)
    at org.wildfly.extension.undertow@7.2.0.GA-redhat-00005//org.wildfly.extension.undertow.security.digest.DigestAuthenticationMechanism.authenticate(DigestAuthenticationMechanism.java:170)
    at io.undertow.core@2.0.15.Final-redhat-00001//io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:245)
    at io.undertow.core@2.0.15.Final-redhat-00001//io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:268)
    at io.undertow.core@2.0.15.Final-redhat-00001//io.undertow.security.impl.SecurityContextImpl$AuthAttempter.access$100(SecurityContextImpl.java:231)
    at io.undertow.core@2.0.15.Final-redhat-00001//io.undertow.security.impl.SecurityContextImpl.attemptAuthentication(SecurityContextImpl.java:125)
    at io.undertow.core@2.0.15.Final-redhat-00001//io.undertow.security.impl.SecurityContextImpl.authTransition(SecurityContextImpl.java:99)
    at io.undertow.core@2.0.15.Final-redhat-00001//io.undertow.security.impl.SecurityContextImpl.authenticate(SecurityContextImpl.java:92)
    at io.undertow.servlet@2.0.15.Final-redhat-00001//io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:55)
    at io.undertow.core@2.0.15.Final-redhat-00001//io.undertow.server.handlers.DisableCacheHandler.handleRequest(DisableCacheHandler.java:33)
    at io.undertow.core@2.0.15.Final-redhat-00001//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.core@2.0.15.Final-redhat-00001//io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:53)
    at io.undertow.core@2.0.15.Final-redhat-00001//io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
    at io.undertow.servlet@2.0.15.Final-redhat-00001//io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
    at io.undertow.servlet@2.0.15.Final-redhat-00001//io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:59)
    at io.undertow.core@2.0.15.Final-redhat-00001//io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
    at io.undertow.servlet@2.0.15.Final-redhat-00001//io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
    at io.undertow.core@2.0.15.Final-redhat-00001//io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
    at io.undertow.core@2.0.15.Final-redhat-00001//io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
    at io.undertow.core@2.0.15.Final-redhat-00001//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at org.wildfly.extension.undertow@7.2.0.GA-redhat-00005//org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
    at io.undertow.core@2.0.15.Final-redhat-00001//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at org.wildfly.extension.undertow@7.2.0.GA-redhat-00005//org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)
    at io.undertow.core@2.0.15.Final-redhat-00001//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet@2.0.15.Final-redhat-00001//io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292)
    at io.undertow.servlet@2.0.15.Final-redhat-00001//io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
    at io.undertow.servlet@2.0.15.Final-redhat-00001//io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
    at io.undertow.servlet@2.0.15.Final-redhat-00001//io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
    at io.undertow.servlet@2.0.15.Final-redhat-00001//io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
    at io.undertow.servlet@2.0.15.Final-redhat-00001//io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
    at org.wildfly.extension.undertow@7.2.0.GA-redhat-00005//org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105)
    at org.wildfly.extension.undertow@7.2.0.GA-redhat-00005//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
    at org.wildfly.extension.undertow@7.2.0.GA-redhat-00005//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
    at org.wildfly.extension.undertow@7.2.0.GA-redhat-00005//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
    at org.wildfly.extension.undertow@7.2.0.GA-redhat-00005//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
    at io.undertow.servlet@2.0.15.Final-redhat-00001//io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272)
    at io.undertow.servlet@2.0.15.Final-redhat-00001//io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
    at io.undertow.servlet@2.0.15.Final-redhat-00001//io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104)
    at io.undertow.core@2.0.15.Final-redhat-00001//io.undertow.server.Connectors.executeRootHandler(Connectors.java:360)
    at io.undertow.core@2.0.15.Final-redhat-00001//io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:830)
    at org.jboss.threads@2.3.2.Final-redhat-1//org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
    at org.jboss.threads@2.3.2.Final-redhat-1//org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985)
    at org.jboss.threads@2.3.2.Final-redhat-1//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487)
    at org.jboss.threads@2.3.2.Final-redhat-1//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1378)
    at java.base/java.lang.Thread.run(Thread.java:834)

03:19:06,175 DEBUG [io.undertow.request.security] (default task-2) Authentication failed with message UT000038: Authentication failed, requested user name 'TD-ADMIN' and mechanism DIGEST for HttpServerExchange{ POST /rpaws/services/SearchIPAddressPort request {Connection=[Keep-Alive], SOAPAction=[""], Authorization=[Digest username="TD-ADMIN", realm="RPAHttpsRealm", nonce="RFQLuAOrMiANMTU5ODIxOTM0NjE1NGdPOKC+2c1pRogJZwM8eYU=", uri="/rpaws/services/SearchIPAddressPort", response="a0e500d779a876633b968e0180f3da42", qop=auth, nc=00000001, cnonce="c18eb749fd10230c", algorithm=MD5, opaque="00000000000000000000000, Accept-Encoding=" Content-Type=[text/xml;charset=UTF-8], Content-Length=[652], User-Agent=[Apache-HttpClient/4.5.2 (Java/12.0.1)], Host=[localhost:8080]} response {Expires=[0], Cache-Control=[no-cache, no-store, must-revalidate], Pragma=[no-cache]}}
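An added check, not part of the question. With DIGEST on JBoss EAP 7.2 two things in the posted files have to agree with each other: jboss-web.xml must name a security domain that actually exists in the security subsystem, and because the stored A1 hash is MD5(username:realm:password), the realm-name the application challenges with in web.xml must be the same realm that was passed to the RFC2617Digest tool, otherwise every login ends in "Bad password". The script below cross-checks fragments constructed to mirror the question's files; the `hash_realm` argument, the helper names and the `REQUIRED_OPTIONS` table (the A1-hash options the question's domain sets) are mine.

```python
import xml.etree.ElementTree as ET

# Constructed fragments shaped like the question's web.xml, jboss-web.xml and the
# security-domain from standalone.xml (only the options this check reads are kept).
WEB_XML = """<web-app>
  <login-config>
    <auth-method>DIGEST</auth-method>
    <realm-name>newrealm</realm-name>
  </login-config>
</web-app>"""

JBOSS_WEB_XML = """<jboss-web>
  <security-domain>securitydomain1</security-domain>
</jboss-web>"""

SECURITY_DOMAINS = """<security-domains>
  <security-domain name="RPAHttps" cache-type="default">
    <authentication>
      <login-module code="UsersRoles" flag="required">
        <module-option name="hashAlgorithm" value="MD5"/>
        <module-option name="hashEncoding" value="rfc2617"/>
        <module-option name="passwordIsA1Hash" value="true"/>
        <module-option name="storeDigestCallback" value="org.jboss.security.auth.callback.RFC2617Digest"/>
      </login-module>
    </authentication>
  </security-domain>
</security-domains>"""

# Options under which the UsersRoles module treats the stored value as an RFC 2617 A1 hash.
REQUIRED_OPTIONS = {"hashAlgorithm": "MD5", "hashEncoding": "rfc2617", "passwordIsA1Hash": "true"}


def _local(tag: str) -> str:
    """Strip an XML namespace so '{ns}security-domain' compares equal to 'security-domain'."""
    return tag.rsplit("}", 1)[-1]


def _first_text(root, name: str):
    for el in root.iter():
        if _local(el.tag) == name and el.text and el.text.strip():
            return el.text.strip()
    return None


def security_domains(subsystem_xml: str) -> dict:
    """Map each security-domain name to its module-option name/value pairs."""
    domains = {}
    for d in ET.fromstring(subsystem_xml).iter():
        if _local(d.tag) == "security-domain" and d.get("name"):
            domains[d.get("name")] = {o.get("name"): o.get("value")
                                      for o in d.iter() if _local(o.tag) == "module-option"}
    return domains


def check_digest_config(web_xml: str, jboss_web_xml: str, subsystem_xml: str, hash_realm: str) -> list:
    """Return the list of mismatches; an empty list means the identifiers line up."""
    problems = []
    web, jw = ET.fromstring(web_xml), ET.fromstring(jboss_web_xml)

    if _first_text(web, "auth-method") != "DIGEST":
        problems.append("web.xml: auth-method is not DIGEST")

    # A1 = MD5(username:realm:password): the realm the server challenges with
    # (web.xml realm-name) has to be the realm given to the RFC2617Digest tool.
    realm = _first_text(web, "realm-name")
    if realm != hash_realm:
        problems.append(f"web.xml: realm-name '{realm}' differs from the realm the A1 hash "
                        f"was generated for ('{hash_realm}'); the stored hash cannot match")

    domain = _first_text(jw, "security-domain")
    domains = security_domains(subsystem_xml)
    if domain not in domains:
        problems.append(f"jboss-web.xml: security-domain '{domain}' is not defined "
                        f"(defined: {sorted(domains)})")
    else:
        for opt, want in REQUIRED_OPTIONS.items():
            got = domains[domain].get(opt)
            if got != want:
                problems.append(f"security-domain '{domain}': module-option {opt}={got!r}, expected {want!r}")
    return problems


if __name__ == "__main__":
    for p in check_digest_config(WEB_XML, JBOSS_WEB_XML, SECURITY_DOMAINS, "RPAHttpsRealm"):
        print("MISMATCH:", p)
```

Run against real files, read each of the three with `open(...).read()` and pass the realm you typed on the RFC2617Digest command line as `hash_realm`; the check is deliberately namespace-agnostic because jboss-web.xml may or may not declare the `http://www.jboss.com/xml/ns/javaee` namespace.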

【Question discussion】:

    Tags: hash callback jboss


    【Solution 1】:

    I struggled with the same problem, but your addition to the standalone.xml file made this work for me. Here is how I did it. Hope it helps someone.

    This was done on JBoss-EAP 7.2.9

    1. Add the user and password that will be used for DIGEST authentication.
    $ cd ./modules/system/layers/base/org/picketbox/main
    $ java -classpath picketbox-5.0.3.Final-redhat-3.jar org.jboss.security.auth.callback.RFC2617Digest username PAssword1234 ApplicationRealm
    RFC2617 A1 hash: 03e86946408b9e9c85c7b62f3d811062
    
    2. Add the username and hash to the ./standalone/configuration/application-users.properties file
    username=03e86946408b9e9c85c7b62f3d811062
    
    3. Add the role to ./standalone/configuration/application-roles.properties
    username=RoleName
    
    4. In my application's jboss-web.xml file
    <jboss-web xmlns="http://www.jboss.com/xml/ns/javaee"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="
          http://www.jboss.com/xml/ns/javaee
          http://www.jboss.org/j2ee/schema/jboss-web_5_1.xsd">
        <security-domain>filesystemSD</security-domain>
        <context-root>rest</context-root>
    </jboss-web>
    
    5. At the bottom of my application's web.xml file I added the following:
    <security-constraint>
          <web-resource-collection>
              <web-resource-name>rest</web-resource-name>
              <url-pattern>/rest/*</url-pattern>
          </web-resource-collection>
          <auth-constraint>
              <role-name>RoleName</role-name>
          </auth-constraint>
      </security-constraint>
    
      <security-role>
          <role-name>RoleName</role-name>
      </security-role>
    
      <login-config>
          <auth-method>DIGEST</auth-method>
          <realm-name>ApplicationRealm</realm-name>
      </login-config>
    
    </web-app>
    
    6. Then I ran these three jboss-cli commands
    /subsystem=security/security-domain=filesystemSD:add
    /subsystem=security/security-domain=filesystemSD/authentication=classic:add
    /subsystem=security/security-domain=filesystemSD/authentication=classic/login-module=UsersRoles:add(code=UsersRoles,flag=required,module-options=["usersProperties"=>"file:///${jboss.server.config.dir}/application-users.properties", \
    "rolesProperties"=>"file:///${jboss.server.config.dir}/application-roles.properties", \
    "hashAlgorithm"=>"MD5",\
    "hashEncoding"=>"rfc2617",\
    "ignorePasswordCase"=>"false",\
    "hashStorePassword"=>"true",\
    "hashUserPassword"=>"false",\
    "passwordIsA1Hash"=>"true",\
    "storeDigestCallback"=>"org.jboss.security.auth.callback.RFC2617Digest"])
    
    7. Then reload JBoss and deploy the application. When a user tries to access /rest/, they will be prompted for the username and password you created in step 1.

    【Discussion】:
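An added example of what the answer's setup makes the server do; this is my code, not the answer's and not PicketBox's. With `passwordIsA1Hash=true` and `hashEncoding=rfc2617`, the value stored in application-users.properties (step 2) is MD5(username:realm:password), exactly what the RFC2617Digest tool prints in step 1, and the server recomputes the RFC 2617 response from that A1 value rather than from a cleartext password. The properties text, nonces and Authorization header below are constructed, and the helper names are mine. The third case shows why a hash generated for one realm fails as a bad password once the application challenges with another realm.

```python
import hashlib
import hmac
import re


def md5_hex(data: str) -> str:
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def a1_hash(username: str, realm: str, password: str) -> str:
    """Same construction the RFC2617Digest tool prints: MD5(username:realm:password)."""
    return md5_hex(f"{username}:{realm}:{password}")


def load_users_properties(text: str) -> dict:
    """Minimal .properties reader: one key=value per line, '#' and '!' comment lines ignored."""
    users = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            users[key.strip()] = value.strip()
    return users


# Matches name="quoted value" or name=barevalue inside a Digest header.
_PARAM = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]*))')


def parse_digest_header(header: str) -> dict:
    """Split 'Digest k="v", k=v, ...' into a dict; quoted and bare values are both accepted."""
    scheme, _, params = header.partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest Authorization header")
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _PARAM.finditer(params)}


def digest_response(a1: str, method: str, p: dict) -> str:
    """RFC 2617 response for qop=auth, or the older RFC 2069 form when qop is absent."""
    ha2 = md5_hex(f"{method}:{p['uri']}")
    if p.get("qop") == "auth":
        return md5_hex(f"{a1}:{p['nonce']}:{p['nc']}:{p['cnonce']}:auth:{ha2}")
    return md5_hex(f"{a1}:{p['nonce']}:{ha2}")


def build_authorization(username, realm, password, method, uri, nonce, cnonce, nc="00000001"):
    """Client side: A1 is derived from the realm in the server's challenge, never stored."""
    p = {"uri": uri, "nonce": nonce, "cnonce": cnonce, "nc": nc, "qop": "auth"}
    resp = digest_response(a1_hash(username, realm, password), method, p)
    return (f'Digest username="{username}", realm="{realm}", nonce="{nonce}", uri="{uri}", '
            f'response="{resp}", qop=auth, nc={nc}, cnonce="{cnonce}", algorithm=MD5')


def verify(users: dict, server_realm: str, method: str, header: str):
    """Server side: returns (ok, reason). A hash generated for a different realm also
    comes out as 'bad password', because the realm is baked into A1."""
    p = parse_digest_header(header)
    if p.get("realm") != server_realm:
        return False, "realm mismatch"
    stored_a1 = users.get(p.get("username", ""))
    if stored_a1 is None:
        return False, "unknown user"
    expected = digest_response(stored_a1, method, p)
    if not hmac.compare_digest(expected, p.get("response", "")):  # constant-time compare
        return False, "bad password"
    return True, "ok"


if __name__ == "__main__":
    # Constructed store in the shape of step 2's application-users.properties.
    store = load_users_properties("# constructed\nusername=" + a1_hash("username", "ApplicationRealm", "PAssword1234"))
    hdr = build_authorization("username", "ApplicationRealm", "PAssword1234", "GET", "/rest/items", "nonce1", "cnonce1")
    print(verify(store, "ApplicationRealm", "GET", hdr))
    stale = load_users_properties("username=" + a1_hash("username", "newrealm", "PAssword1234"))
    print(verify(stale, "ApplicationRealm", "GET", hdr))  # hash made for another realm
```

To compare with the tool's output, call `a1_hash()` with the same three arguments you gave `org.jboss.security.auth.callback.RFC2617Digest`; the two hex strings are expected to be identical. Note that the store holds an MD5 of the realm-scoped password rather than the password itself, which is why the properties file still deserves the same file permissions as a password file.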
