0

我已经使用 project-defaults.yml 在 thorntail 应用程序上配置了 WildFly Elytron 安全性。但是,应用程序无法调用或连接到远程安全 EJB

这是 Elytron 的 yaml 配置 - 我不确定这是否正确配置。

thorntail:
  elytron:
    sasl-authentication-factories:
      application-sasl-authentication:
        mechanism-configurations:
          - mechanism-name: 'GSSAPI'
          - mechanism-name: 'PLAIN'
          - mechanism-name: 'JBOSS-LOCAL-USER'
          - mechanism-name: 'DIGEST-MD5'
          - mechanism-realm-configurations:
              - realm-name: ApplicationRealm
        security-domain: ApplicationDomain
        sasl-server-factory: configured
    authentication-configurations:
      default:
        security-domain: ApplicationDomain
        sasl-mechanism-selector: 'PLAIN'
    security-domains:
      ApplicationDomain:
        realms:
          - realm: ApplicationRealm
        default-realm: ApplicationRealm

  remoting:
    http-connectors:
      http-remoting-connector:
        sasl-security:
          policy-sasl-policy:
            no-plain-text: false
          include-mechanisms:
            - 'PLAIN'
        sasl-authentication-factory: application-sasl-authentication
        security-realm: ApplicationRealm
        connector-ref: default

  management:
    https:
      port: 9993
    http:
      port: 9990
    security-realms:
      ApplicationRealm:
        jaas-authentication:
          name: AppSecDom
        ssl-server-identity:
          alias: 'alias'
          keystore-provider: PKCS12
          keystore-path: ${javax.net.ssl.keyStore}
          keystore-password: ${javax.net.ssl.keyStorePassword}

从客户端这就是我尝试连接到 EJB 的方式。

    public final static AuthenticationContext authenticationContext() throws  Exception{
        LOG.info("***********Start AUTHENTICATION*****************." );
        try{
            AuthenticationConfiguration config = AuthenticationConfiguration.empty().setSaslMechanismSelector(SaslMechanismSelector.NONE.addMechanism("#ALL")).
                    useName("username").usePassword("password");
            final AuthenticationContext authCtx = AuthenticationContext.empty().
                    with(MatchRule.ALL, config);
            ContextManager<AuthenticationContext> contextManager = authCtx.getInstanceContextManager();
            contextManager.setThreadDefault(authCtx);
            return contextManager.get();
        }catch (Exception e){
            LOG.error("Error authentication : " + e);
            throw  new Exception(e);
        }
    }

来自控制台的错误。

Suppressed: org.jboss.ejb.client.RequestSendFailedException: Destination @ remote+http://127.0.0.1:8080
        at org.jboss.ejb.protocol.remote.RemoteEJBReceiver$1.handleFailed(RemoteEJBReceiver.java:104)
        at org.jboss.ejb.protocol.remote.RemoteEJBReceiver$1.handleFailed(RemoteEJBReceiver.java:76)
        at org.xnio.nio.NioSocketConduit.handleReady(NioSocketConduit.java:89)
        at org.xnio.nio.WorkerThread.run(WorkerThread.java:591)
    Caused by: javax.security.sasl.SaslException: Authentication failed: none of the mechanisms presented by the server (GSSAPI, JBOSS-LOCAL-USER, GS2-KRB5-PLUS, GS2-KRB5, ANONYMOUS) are supported
        at org.jboss.remoting3.remote.ClientConnectionOpenListener$Capabilities.handleEvent(ClientConnectionOpenListener.java:444)
        at org.jboss.remoting3.remote.ClientConnectionOpenListener$Capabilities.handleEvent(ClientConnectionOpenListener.java:242)
        at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
        at org.xnio.conduits.ReadReadyHandler$ChannelListenerHandler.readReady(ReadReadyHandler.java:66)
        at org.xnio.nio.NioSocketConduit.handleReady(NioSocketConduit.java:89)
        at org.xnio.nio.WorkerThread.run(WorkerThread.java:591)
        at ...asynchronous invocation...(Unknown Source)

请协助解决这个问题,因为我不确定我接下来需要做什么。

4

1 回答 1

0

以下 yaml 配置有效。

thorntail:
  elytron:
    simple-role-decoders:
      from-roles-attribute:
        attribute: roles
    jdbc-realms:
      app-jdbc-realm:
        principal-query:
          - sql: SELECT PASSWORD FROM USERS WHERE USERNAME  = ?
            data-source: TestDS
            clear-password-mapper:
              password-index: 1
          - sql: SELECT R.NAME, 'Roles' FROM USERS_ROLES UR INNER JOIN ROLES R ON R.ID = UR.ROLE_ID INNER JOIN USERS U ON U.ID = UR.USER_ID WHERE U.USERNAME = ?
            data-source: TestDS
            attribute-mapping:
              - index: 1
                to: roles

    sasl-authentication-factories:
      application-sasl-authentication:
        mechanism-configurations:
          - mechanism-name: 'PLAIN'
          - mechanism-realm-configurations:
              - realm-name: app-jdbc-realm
        security-domain: ApplicationDomain
        sasl-server-factory: configured

    security-domains:
      ApplicationDomain:
        realms:
          - realm: app-jdbc-realm
            role-decoder: from-roles-attribute
        default-realm: app-jdbc-realm

  remoting:
    http-connectors:
      http-remoting-connector:
        sasl-authentication-factory: application-sasl-authentication
        security-realm: ApplicationRealm
        connector-ref: default

有关更详细的说明 - 包括为用户身份验证详细信息创建模式表的 sql 脚本。

https://developer.jboss.org/thread/280474

https://github.com/wildfly-security-incubator/elytron-examples

于 2020-06-08T21:53:37.770 回答