我正在使用 OpenAM 作为我的 Web 应用程序的身份验证解决方案。我在反向代理后面配置了 OpenAM。我已经完成了所有与请求头 (headers) 相关的更改,它们工作正常。我还为服务器配置了一个站点 (Site)。我可以以管理员身份登录并配置领域和策略。我已经配置了一个 Web 代理 (Web Agent) 以与我的应用程序一起使用。我在这个 Web 代理上遇到了问题。当我登录我的应用程序时,请求转到 OpenAM 并验证用户身份,但无法重定向到指定页面。它只是显示
#403x
在浏览器上。在身份验证器日志中,我看到以下内容
amCDC:09/30/2021 01:54:19:020 PM UTC: Thread[http-apr-8080-exec-8,5,main]: TransactionId[786cdea2-e670-488d-955d-f6679002c3c0-1140]
ERROR: Invalid Agent: Could not get agent for the realm
java.lang.Exception: Goto URL not valid for the agent Provider ID
at com.iplanet.services.cdc.LdapSPValidator.validateAndGetRestriction(LdapSPValidator.java:208)
at com.iplanet.services.cdc.CDCServlet.redirectWithAuthNResponse(CDCServlet.java:375)
at com.iplanet.services.cdc.CDCServlet.doGetPost(CDCServlet.java:343)
at com.iplanet.services.cdc.CDCServlet.doGet(CDCServlet.java:234)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:622)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:292)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
at org.forgerock.openam.validation.ResponseValidationFilter.doFilter(ResponseValidationFilter.java:44)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
at com.sun.identity.setup.AMSetupFilter.doFilter(AMSetupFilter.java:106)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
at org.forgerock.openam.audit.context.AuditContextFilter.doFilter(AuditContextFilter.java:51)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:212)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:106)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:141)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:616)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:528)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1099)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:670)
at org.apache.tomcat.util.net.AprEndpoint$SocketWithOptionsProcessor.run(AprEndpoint.java:2445)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:745)
amCDC:09/30/2021 01:54:19:020 PM UTC: Thread[http-apr-8080-exec-8,5,main]: TransactionId[786cdea2-e670-488d-955d-f6679002c3c0-1140]
ERROR: CDCServlet.doGetPost
java.lang.Exception: Invalid Agent: Could not get agent for the realm
at com.iplanet.services.cdc.LdapSPValidator.validateAndGetRestriction(LdapSPValidator.java:227)
at com.iplanet.services.cdc.CDCServlet.redirectWithAuthNResponse(CDCServlet.java:375)
at com.iplanet.services.cdc.CDCServlet.doGetPost(CDCServlet.java:343)
at com.iplanet.services.cdc.CDCServlet.doGet(CDCServlet.java:234)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:622)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:292)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
at org.forgerock.openam.validation.ResponseValidationFilter.doFilter(ResponseValidationFilter.java:44)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
at com.sun.identity.setup.AMSetupFilter.doFilter(AMSetupFilter.java:106)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
at org.forgerock.openam.audit.context.AuditContextFilter.doFilter(AuditContextFilter.java:51)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:212)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:106)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:141)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:616)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:528)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1099)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:670)
at org.apache.tomcat.util.net.AprEndpoint$SocketWithOptionsProcessor.run(AprEndpoint.java:2445)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:745)
我也完成了代理的所有相关配置。我已禁用服务器查找,并按照文档中的建议设置了以下属性
com.sun.identity.agents.config.agenturi.prefix
com.sun.identity.agents.config.override.protocol=true
com.sun.identity.agents.config.override.host=true
com.sun.identity.agents.config.override.port=true
我的网站网址是
https://example.com/openam
我这样创建代理
server url = https://example.com:443/openam
agent url = https://example.com:443/
我的代理配置如下
com.sun.identity.agents.config.agent.logout.url[0]=
com.sun.identity.agents.config.agenturi.prefix=https://example.com:443/amagent
com.sun.identity.agents.config.anonymous.user.enable=false
com.sun.identity.agents.config.anonymous.user.id=anonymous
com.sun.identity.agents.config.attribute.multi.value.separator=|
com.sun.identity.agents.config.audit.accesstype=LOG_BOTH
com.sun.identity.agents.config.auth.connection.timeout=2
com.sun.identity.agents.config.cdsso.cdcservlet.url[0]=https://example.com:443/openam/cdcservlet
com.sun.identity.agents.config.cdsso.cookie.domain[0]=
com.sun.identity.agents.config.cdsso.enable=false
com.sun.identity.agents.config.change.notification.enable=true
com.sun.identity.agents.config.cleanup.interval=30
com.sun.identity.agents.config.client.ip.validation.enable=false
com.sun.identity.agents.config.convert.mbyte.enable=false
com.sun.identity.agents.config.cookie.name=iPlanetDirectoryPro
com.sun.identity.agents.config.cookie.reset.enable=false
com.sun.identity.agents.config.cookie.reset[0]=
com.sun.identity.agents.config.cookie.secure=false
com.sun.identity.agents.config.debug.file.rotate=true
com.sun.identity.agents.config.debug.file.size=10000000
com.sun.identity.agents.config.debug.level=All
com.sun.identity.agents.config.domino.check.name.database=false
com.sun.identity.agents.config.domino.ltpa.config.name=LtpaToken
com.sun.identity.agents.config.domino.ltpa.cookie.name=LtpaToken
com.sun.identity.agents.config.domino.ltpa.enable=false
com.sun.identity.agents.config.encode.cookie.special.chars.enable=false
com.sun.identity.agents.config.encode.url.special.chars.enable=false
com.sun.identity.agents.config.fetch.from.root.resource=false
com.sun.identity.agents.config.fqdn.check.enable=true
com.sun.identity.agents.config.fqdn.default=example.com
com.sun.identity.agents.config.fqdn.mapping[]=
com.sun.identity.agents.config.get.client.host.name=false
com.sun.identity.agents.config.ignore.path.info=false
com.sun.identity.agents.config.ignore.path.info.for.not.enforced.list=true
com.sun.identity.agents.config.ignore.preferred.naming.url=true
com.sun.identity.agents.config.ignore.server.check=true
com.sun.identity.agents.config.iis.filter.priority=HIGH
com.sun.identity.agents.config.iis.logonuser=false
com.sun.identity.agents.config.iis.owa.enable=false
com.sun.identity.agents.config.iis.owa.enable.change.protocol=false
com.sun.identity.agents.config.iis.password.header=false
com.sun.identity.agents.config.load.balancer.enable=true
com.sun.identity.agents.config.local.log.rotate=true
com.sun.identity.agents.config.local.log.size=52428800
com.sun.identity.agents.config.locale=en_US
com.sun.identity.agents.config.log.disposition=ALL
com.sun.identity.agents.config.login.url[0]=https://example.com:443/openam/UI/Login
com.sun.identity.agents.config.logout.cookie.reset[0]=
com.sun.identity.agents.config.logout.url[0]=https://example.com:443/openam/UI/Logout
com.sun.identity.agents.config.notenforced.ip[0]=
com.sun.identity.agents.config.notenforced.url.attributes.enable=false
com.sun.identity.agents.config.notenforced.url.invert=false
com.sun.identity.agents.config.notenforced.url[0]=/logout.html
com.sun.identity.agents.config.notenforced.url[1]=/images/*
com.sun.identity.agents.config.notenforced.url[2]=/css/-*-
com.sun.identity.agents.config.notenforced.url[3]=/*.jsp?locale=*
com.sun.identity.agents.config.notification.enable=true
com.sun.identity.agents.config.organization.name=/
com.sun.identity.agents.config.override.host=true
com.sun.identity.agents.config.override.notification.url=true
com.sun.identity.agents.config.override.port=true
com.sun.identity.agents.config.override.protocol=true
com.sun.identity.agents.config.policy.cache.polling.interval=3
com.sun.identity.agents.config.policy.clock.skew=0
com.sun.identity.agents.config.poll.primary.server=5
com.sun.identity.agents.config.polling.interval=60
com.sun.identity.agents.config.postcache.entry.lifetime=10
com.sun.identity.agents.config.postdata.preserve.enable=false
com.sun.identity.agents.config.profile.attribute.cookie.maxage=300
com.sun.identity.agents.config.profile.attribute.cookie.prefix=HTTP_
com.sun.identity.agents.config.profile.attribute.fetch.mode=NONE
com.sun.identity.agents.config.profile.attribute.mapping[]=
com.sun.identity.agents.config.proxy.override.host.port=false
com.sun.identity.agents.config.redirect.param=goto
com.sun.identity.agents.config.remote.log.interval=5
com.sun.identity.agents.config.remote.logfile=amAgent_xyz_com_443.log
com.sun.identity.agents.config.repository.location=centralized
com.sun.identity.agents.config.response.attribute.fetch.mode=NONE
com.sun.identity.agents.config.response.attribute.mapping[]=
com.sun.identity.agents.config.session.attribute.fetch.mode=NONE
com.sun.identity.agents.config.session.attribute.mapping[]=
com.sun.identity.agents.config.sso.cache.polling.interval=3
com.sun.identity.agents.config.sso.only=false
com.sun.identity.agents.config.url.comparison.case.ignore=true
com.sun.identity.agents.config.userid.param=UserToken
com.sun.identity.agents.config.userid.param.type=session
com.sun.identity.client.notification.url=https://example.com:443/UpdateAgentCacheServlet?shortcircuit=false
org.forgerock.openam.agents.config.policy.evaluation.application=iPlanetAMWebAgentService
org.forgerock.openam.agents.config.policy.evaluation.realm=/
sunIdentityServerDeviceKeyValue[0]=agentRootURL=https://example.com:443/
sunIdentityServerDeviceStatus=Active
userpassword=
但它仍然无法正常工作。有人可以解释我缺少什么以及我该如何解决这个问题?
问候
编辑
我已在应用程序的 nginx 设置中添加了标头
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forward-For op$proxy_add_x_forwarded_for;
proxy_set_header X-Real-IP $remote_addr;
现在错误已经改变
error: [bq2ptiS62] Unknown issuer: http://example.com:8080/openam/cdcservlet Unknown issuer: http://example.com:8080/openam/cdcservlet {"stack":"Error: Unknown issuer: http://example.com:8080/openam/cdcservlet
at PolicyAgent.<anonymous> (/node_modules/@forgerock/openam-agent/dist/policyagent/policy-agent.js:483:35)
at step (/node_modules/@forgerock/openam-agent/dist/policyagent/policy-agent.js:57:23)
at Object.next (/node_modules/@forgerock/openam-agent/dist/policyagent/policy-agent.js:38:53)
at fulfilled (/node_modules/@forgerock/openam-agent/dist/policyagent/policy-agent.js:29:58)
at process._tickCallback (internal/process/next_tick.js:68:7)","timestamp":"2021-10-04T15:21:40.630Z"}