为什么我的 WAS Liberty 环境中缺少 LTPA Cookie?

编程问答 2022-07-02

问题描述

我已使用 WAS Liberty Profile 版本 WebSphere Application Server 21.0.0.7/wlp-1.0.54.cl210720210629-1900 配置 OIDC 身份验证(外部 OP)。

在测试时,OIDC 认证成功,我在浏览器上看到 WAS 设置的以下 cookie:

  • JSESSIONID
  • WASReqURLOidcp1059877004
  • WASReqURLOidcp825245628
  • WAS_n1263819336
  • WAS_n1832376351
  • WAS_p2129763847
  • WASOidcStaten765589445
  • WASOidcCode

我确实在服务器启动期间在我的 messages.log 中看到了这些消息:

0000003b com.ibm.ws.security.token.ltpa.LTPAKeyInfoManager I CWWKS4103I:创建 LTPA 密钥。这可能需要几秒钟。 0000003b com.ibm.ws.security.token.ltpa.LTPAKeyInfoManager A CWWKS4104A:LTPA 密钥在 0.337 秒内创建。 LTPA 密钥文件:jv-ltpa.keys 0000003b com.ibm.ws.security.token.ltpa.internal.LTPAKeyCreateTask I CWWKS4105I:LTPA 配置在 0.341 秒后准备就绪。

此外,在我的 server.xml 中,我没有明确禁用 LTPA 令牌或 cookie 生成

disableLtpaCookie="false"

为什么我的浏览器中没有设置 LTPA cookie?

这是我的server.xml

<?xml version="1.0" encoding="UTF-8"?>
<server description="Default Server">

    <!-- Enable features -->
    <featureManager>
        <feature>javaee-8.0</feature>
        <feature>microProfile-3.0</feature>
        <feature>adminCenter-1.0</feature>
        <feature>appSecurity-2.0</feature>
        <feature>openidConnectClient-1.0</feature>
        <feature>transportSecurity-1.0</feature>
    </featureManager>

    <openidConnectClient id="oidcBridge" clientId="removed"
        clientSecret="removed"
        discoveryEndpointUrl="https://my-op.com/.well-kNown/openid-configuration" signatureAlgorithm="RS256"
        jwkEndpointUrl="https://my-op.com/.well-kNown/jwks.json" disableLtpaCookie="false"
        allowDefaultSsoCookieName="true">
    </openidConnectClient>

    <basicRegistry id="basic">
        <user name="admin" password="admin" />
        <user name="user1" password="user1" />
        <user name="user2" password="user2" />
        <group name="users">
            <member name="user1" />
            <member name="user2" />
        </group>
    </basicRegistry>

    <administrator-role>
        <user>admin</user>
    </administrator-role>

    <!-- To allow access to this server from a remote client host="*" has been added to the following element -->
    <httpEndpoint id="defaultHttpEndpoint" host="*" httpPort="9080" httpsPort="9443" />

    <!-- Automatically expand WAR files and EAR files -->
    <applicationManager autoExpand="true" />
    <keyStore id="defaultKeyStore" password="removed" location="${server.config.dir}/jv-trust.p12" type="PKCS12" />
    <ltpa keysFileName="jv-ltpa.keys" keysPassword="removed" expiration="1200" />

    <webAppSecurity singleSignonEnabled="true" ssodomainNames="app1.com" allowFailoverToBasicAuth="true"
        ssoRequiresSSL="false" />

    <application context-root="snoop" id="DefaultApplication"
        location="${server.config.dir}/apps/DefaultApplication.ear" name="DefaultApplication" type="ear">
        <application-bnd>
            <security-role name="All Role">
                <special-subject type="ALL_AUTHENTICATED_USERS" />
            </security-role>
        </application-bnd>
    </application>

</server>

解决方法

暂无找到可以解决该程序问题的有效方法,小编努力寻找整理中!

如果你已经找到好的解决方法,欢迎将解决方案带上本链接一起发送给小编。

小编邮箱:dio#foxmail.com (将#修改为@)

cookiescookiesltpaopenid-connectwebspherewebspherewebsphere-liberty