无法终止 WSO2 IS 会话答案

【问题标题】：Unable to terminate WSO2 IS sessions无法终止 WSO2 IS 会话
【发布时间】：2021-03-26 10:44:05
【问题描述】：

我之前遇到过 WSO2 IS active-sessions-limit-handler 无法正常工作的问题。我问过previous question 解决了这个问题（我升级到了 5.11.0）。

现在的问题是，当我关注this guide 并为 SP 设置一个 active-sessions-limit-handler 时，服务器知道我何时超过了限制，但它无法正确处理这种情况。

我将最大会话数设置为 2，因此当我第三次尝试使用同一用户登录时，WSO2 正确地知道它现在超出了限制。问题是它给了我以下屏幕：

当我选择提供的 3 个选项中的任何一个时，我会收到一个身份验证错误并且登录失败。如果我转到用户的“我的帐户”页面，我可以看到会话处于预期状态。

WSO2 似乎无法检索活动会话。发生此错误时，我还看到以下错误日志，这似乎是 WSO2 正在调用它自己的 API，但由于未经授权而被拒绝：

java.io.IOException: Server returned HTTP response code: 401 for URL: https://HOST:9443/api/identity/auth/v1.1/context/916aff37-aaf8-464c-bede-7f249279ff1a

我是否需要对 API 进行不同的配置才能不返回 401？我找不到任何似乎是相同问题的未解决问题。

编辑，添加完整的堆栈跟踪：

[2020-12-16 17:49:00,105] [4e6a703b-f19a-4d27-a80e-c2f2088f7d0e]  INFO {org.wso2.carbon.identity.application.authentication.framework.config.model.graph.js.JsLogger} - USER Has one of Roles: [admin]
[2020-12-16 17:49:00,334] [2192ca86-fc09-4767-9647-ff8ec91a6698] ERROR {org.wso2.carbon.identity.application.authentication.endpoint.util.AuthContextAPIClient} - Sending GET request to URL : https://HOST:9443/api/identity/auth/v1.1/context/1bef7d0a-5aba-4e14-a7a3-a6bb53e02a62, failed. java.io.IOException: Server returned HTTP response code: 401 for URL: https://HOST:9443/api/identity/auth/v1.1/context/1bef7d0a-5aba-4e14-a7a3-a6bb53e02a62
    at java.base/sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1924)
    at java.base/sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1520)
    at java.base/sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:250)
    at org.wso2.carbon.identity.application.authentication.endpoint.util.AuthContextAPIClient.getContextProperties(AuthContextAPIClient.java:69)
    at org.apache.jsp.handle_002dmultiple_002dsessions_jsp._jspService(handle_002dmultiple_002dsessions_jsp.java:256)
    at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:71)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:741)
    at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:477)
    at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:385)
    at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:329)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:741)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at org.wso2.carbon.ui.filters.cache.ContentTypeBasedCachePreventionFilter.doFilter(ContentTypeBasedCachePreventionFilter.java:53)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at org.wso2.carbon.identity.application.authentication.endpoint.util.filter.AuthenticationEndpointFilter.doFilter(AuthenticationEndpointFilter.java:190)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at org.apache.catalina.filters.HttpHeaderSecurityFilter.doFilter(HttpHeaderSecurityFilter.java:126)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:202)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:541)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
    at org.wso2.carbon.identity.context.rewrite.valve.TenantContextRewriteValve.invoke(TenantContextRewriteValve.java:107)
    at org.wso2.carbon.identity.cors.valve.CORSValve.invoke(CORSValve.java:98)
    at org.wso2.carbon.identity.authz.valve.AuthorizationValve.invoke(AuthorizationValve.java:110)
    at org.wso2.carbon.identity.auth.valve.AuthenticationValve.invoke(AuthenticationValve.java:102)
    at org.wso2.carbon.tomcat.ext.valves.CompositeValve.continueInvocation(CompositeValve.java:99)
    at org.wso2.carbon.tomcat.ext.valves.TomcatValveContainer.invokeValves(TomcatValveContainer.java:49)
    at org.wso2.carbon.tomcat.ext.valves.CompositeValve.invoke(CompositeValve.java:62)
    at org.wso2.carbon.tomcat.ext.valves.CarbonStuckThreadDetectionValve.invoke(CarbonStuckThreadDetectionValve.java:145)
    at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:690)
    at org.wso2.carbon.tomcat.ext.valves.CarbonContextCreatorValve.invoke(CarbonContextCreatorValve.java:57)
    at org.wso2.carbon.tomcat.ext.valves.RequestEncodingValve.invoke(RequestEncodingValve.java:49)
    at org.wso2.carbon.tomcat.ext.valves.RequestCorrelationIdValve.invoke(RequestCorrelationIdValve.java:126)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
    at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:373)
    at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
    at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:868)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1590)
    at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
    at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
    at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.base/java.lang.Thread.run(Thread.java:834)

【问题讨论】：

似乎检索活动会话失败。实际上“您当前有 2 个活动会话。您不能拥有超过 2 个活动会话。”应该是屏幕上的消息，并且应该列出活动会话。你能附上错误的完整堆栈跟踪吗？
@AnuradhaKarunarathna 我将堆栈跟踪添加到原始帖子中。但是，是的，我同意它无法获取活动会话，即使它知道它们存在
@wearbob 您的 WSO2 IS 部署是否由负载均衡器引导？
@AnuradhaKarunarathna 没有明确表示。但它运行在 GCP 实例上，可能在内部使用一些负载平衡。

标签： session wso2 wso2is

【解决方案1】：

通过在<IS_HOME>/repository/deployment/server/webapps/authenticationendpoint/WEB-INF/web.xml 文件中取消注释名称为AuthenticationRESTEndpointURL 的<context-param> 块来尝试该场景。

    <!-- *************** Authentication REST API URL Configuration ********************** -->
    <context-param>
        <param-name>AuthenticationRESTEndpointURL</param-name>
        <param-value>https://localhost:9443/api/identity/auth/v1.1/</param-value>
    </context-param>
    <!-- *************** End of Authentication REST API URL Configuration ********************** -->```

【讨论】：

它现在调用 localhost，但由于 SSL 错误而失败：[f40628e0-4370-4873-a8bc-0156964739ab] ERROR {org.wso2.carbon.identity.application.authentication.endpoint.util.AuthContextAPIClient} - Sending GET request to URL : https://localhost:9443/api/identity/auth/v1.1/c ontext/55f6aa52-0394-41db-9e87-9f0062fd3a3f, failed. javax.net.ssl.SSLHandshakeException: No subject alternative DNS name matching localhost found.
你能在这里试试第一个选项吗(stackoverflow.com/a/65320529/10055162)？将 SAN 添加到证书
@Anuradha Karunarathna 抱歉回复慢。我一直在尝试使用 localhost SAN 获得证书，但是我的 IT 部门无法给我一个从我们的 CA 颁发的证书。他们说将 localhost 作为域是无效的。我还有其他方向可以走，可能修复调用 HOST 时返回的 401？