1

我无法在 tomcat-7.0.42 上的 Guvnor 5.4.0.Final 上进行身份验证。我用 seam-security-3.2.0.Final 替换了 seam-security-3.1.0.Final。

这是我设置基本身份验证器的 XML 片段:

guvnor/WEB-INF/beans.xml

<security:IdentityImpl>
   <s:modifies/>
   <security:authenticatorName>jaasAuthenticator</security:authenticatorName>
  </security:IdentityImpl>

  <security:jaas.JaasAuthenticator>
         <s:modifies/>
         <security:jaasConfigName>drools-guvnor</security:jaasConfigName>
  </security:jaas.JaasAuthenticator>

配置文件

drools-guvnor {
   com.ndipiazza.JaasGuvnor required debug=true;
};

有关 Guvnor JAAS 登录信息,请参阅此 ZIP 文件:https ://community.jboss.org/servlet/JiveServlet/download/831268-105978/guvnor-jaas.zip

我没有启用基于角色的权限。只要没有来宾用户,每个人都具有相同的角色,我很好。

但是当我使用此配置然后转到 Guvnor 时,我看到我已经登录 Welcome: guest [Sign Out]

我希望它转到基于表单的登录。我该如何设置?我错过了什么吗?

当我启用基于角色的权限时:

  <guvnorSecurity:RoleBasedPermissionResolver>
   <s:modifies/>
   <guvnorSecurity:enableRoleBasedAuthorization>true</guvnorSecurity:enableRoleBasedAuthorization>
  </guvnorSecurity:RoleBasedPermissionResolver>

然后我收到此错误消息(401 此用户没有权限设置。)。下面的堆栈跟踪显示:

INFO  03-08 12:53:23,517 (LoggingHelper.java:info:56)
Service method 'public

abstract org.drools.guvnor.client.rpc.UserSecurityContext org.drools.guvnor.clie
nt.rpc.SecurityService.getCurrentUser()' threw an unexpected exception: org.jbos
s.seam.security.AuthorizationException: This user has no permissions setup.
com.google.gwt.user.server.rpc.UnexpectedException: Service method 'public abstr
act org.drools.guvnor.client.rpc.UserSecurityContext org.drools.guvnor.client.rp
c.SecurityService.getCurrentUser()' threw an unexpected exception: org.jboss.sea
m.security.AuthorizationException: This user has no permissions setup.


at com.google.gwt.user.server.rpc.RPC.encodeResponseForFailure(RPC.java:

385)


at com.google.gwt.user.server.rpc.RPC.invokeAndEncodeResponse(RPC.java:5

88)


at com.google.gwt.user.server.rpc.RemoteServiceServlet.processCall(Remot

eServiceServlet.java:208)


at com.google.gwt.user.server.rpc.RemoteServiceServlet.processPost(Remot

eServiceServlet.java:248)


at com.google.gwt.user.server.rpc.AbstractRemoteServiceServlet.doPost(Ab

stractRemoteServiceServlet.java:62)


at javax.servlet.http.HttpServlet.service(HttpServlet.java:647)


at javax.servlet.http.HttpServlet.service(HttpServlet.java:728)


at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Appl

icationFilterChain.java:305)


at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationF

ilterChain.java:210)


at org.jboss.solder.servlet.exception.CatchExceptionFilter.doFilter(Catc

hExceptionFilter.java:65)


at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Appl

icationFilterChain.java:243)


at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationF

ilterChain.java:210)


at org.jboss.solder.servlet.event.ServletEventBridgeFilter.doFilter(Serv

letEventBridgeFilter.java:74)


at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Appl

icationFilterChain.java:243)


at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationF

ilterChain.java:210)


at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperV

alve.java:222)


at org.apache.catalina.core.StandardContextValve.invoke(StandardContextV

alve.java:123)


at org.apache.catalina.authenticator.AuthenticatorBase.invoke(Authentica

torBase.java:502)


at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.j

ava:171)


at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.j

ava:99)


at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:

953)


at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineVal

ve.java:118)


at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.jav

a:408)


at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp

11Processor.java:1023)


at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(

AbstractProtocol.java:589)


at org.apache.tomcat.util.net.AprEndpoint$SocketProcessor.run(AprEndpoin

t.java:1852)


at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.

java:1145)


at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor

.java:615)


at java.lang.Thread.run(Thread.java:722)

Caused by: org.jboss.seam.security.AuthorizationException: This user has no perm
issions setup.


at org.drools.guvnor.server.security.SecurityServiceImpl.getUserCapabili

ties(SecurityServiceImpl.java:128)


at org.drools.guvnor.server.security.SecurityServiceImpl.getCurrentUser(

SecurityServiceImpl.java:101)


at org.drools.guvnor.server.security.SecurityServiceImpl$Proxy$_$$_WeldC

lientProxy.getCurrentUser(SecurityServiceImpl$Proxy$_$$_WeldClientProxy.java)


at org.drools.guvnor.server.SecurityServiceServlet.getCurrentUser(Securi

tyServiceServlet.java:74)


at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)


at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.

java:57)


at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAcces

sorImpl.java:43)


at java.lang.reflect.Method.invoke(Method.java:601)


at com.google.gwt.user.server.rpc.RPC.invokeAndEncodeResponse(RPC.java:5

69)


... 27 more

使用调试器进入,我看到用户 ID 是“guest”。

我错过了什么步骤才能看到登录屏幕?

这张票也在 JBoss 社区开放:https ://community.jboss.org/message/831268#831268

4

1 回答 1

1

此解决方案未使用 Tomcat 进行测试,而是使用 JBoss 7.1.1。不知道是否有很大的不同,但无论如何它是这样的:

首先,您必须在standalone.xml 中创建一个新的安全域:

        <security-domain name="your-security-domain-name" cache-type="default">
            <authentication>
                <login-module code="LdapExtended" flag="required">
                    <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
                    <module-option name="java.naming.provider.url" value="your LDAP url/>
                    <module-option name="baseCtxDN" value="ou=your_OU,dc=yourDC,dc=com"/>
                    <module-option name="baseFilter" value="(uid={0})"/>
                    <module-option name="rolesCtxDN" value="ou=your_Roles_OU, dc=yourDC,dc=com"/>
                    <module-option name="roleFilter" value="(member={1})"/>
                    <module-option name="roleAttributeID" value="cn"/>
                    <module-option name="throwValidateError" value="true"/>
                    <module-option name="searchScope" value="ONELEVEL_SCOPE"/>
                </login-module>
            </authentication>
        </security-domain>

接下来,配置 guvnor.war beans.xml 文件以使用 JAAS:

(...)
<security:IdentityImpl> <s:modifies/>
    <!-- JAAS based authentication -->
      <security:authenticatorName>jaasAuthenticator</security:authenticatorName>
</security:IdentityImpl>
<security:jaas.JaasAuthenticator>
<s:modifies/>
  <security:jaasConfigName>your-security-domain-name</security:jaasConfigName>
</security:jaas.JaasAuthenticator>
<!-- SECURITY AUTHORIZATION CONFIGURATION --> <!-- This is used to enable or disable role-based authorization. By default it is disabled. -->      
<guvnorSecurity:RoleBasedPermissionResolver>
  <s:modifies/>
  <guvnorSecurity:enableRoleBasedAuthorization>false</guvnorSecurity:enableRoleBasedAuthorization>
</guvnorSecurity:RoleBasedPermissionResolver>

  <weld:scan>
    <!-- Disable the seam-security by drools rules
    <weld:exclude name="org.jboss.seam.security.permission.RuleBasedPermissionResolver"/>-->
    <!-- TODO remove me when GUVNOR-1196 is fixed -->
    <weld:exclude name="org.drools.guvnor.gwtutil.**"/>
    <weld:exclude name="org.drools.guvnor.client.**"/>
  </weld:scan>


</beans>

在此处将此行设置为 true 之前

<guvnorSecurity:enableRoleBasedAuthorization>false</guvnorSecurity:enableRoleBasedAuthorization>

您必须先不使用角色登录,以便将用户映射到他的权限。将管理员权限授予至少一位用户,否则您将根本无法登录。

另外,不要忘记将 WEB-INF/lib 下的两个 seam-security jar 从 3.1 版更新到 3.2 版。这非常重要,否则登录将不起作用。

这个解决方案让我登录到 Guvnor 上的 LDAP 服务器对用户进行身份验证,没有任何问题。如果你还有什么麻烦,请告诉我。

拉斐尔

于 2013-10-11T08:56:33.143 回答