在jboss 7.2上部署的应用程序的摘要式身份验证

问题描述

我已经在jboss7.2上运行的应用程序的web.xml中配置了登录模块

<login-config>
        <auth-method>DIGEST</auth-method>
        <realm-name>newrealm</realm-name>
</login-config>

jboss-web.xml配置了安全域

<jboss-web>
  <security-domain>securitydomain1</security-domain>
</jboss-web>

standalone.xml的安全域配置如下

<security-domain name="RPAHttps" cache-type="default">
                    <authentication>
                        <login-module code="UsersRoles" flag="required">
                            <module-option name="usersProperties" value="D:\jboss7\jboss-eap-7.2\standalone\configuration\rpahttpsusers.properties"/>
                            <module-option name="rolesProperties" value="D:\jboss7\jboss-eap-7.2\standalone\configuration\rpahttpsroles.properties"/>
                            <module-option name="defaultUsersProperties" value="D:\jboss7\jboss-eap-7.2\standalone\configuration\rpahttpsusers.properties"/>
                            <module-option name="defaultRolesProperties" value="D:\jboss7\jboss-eap-7.2\standalone\configuration\rpahttpsroles.properties"/>
                            <module-option name="hashAlgorithm" value="MD5"/>
                            <module-option name="hashEncoding" value="rfc2617"/>
                            <module-option name="ignorePasswordCase" value="false"/>
                            <module-option name="hashStorePassword" value="true"/>
                            <module-option name="hashUserPassword" value="false"/>
                            <module-option name="passwordisA1Hash" value="true"/>
                            <module-option name="storeDigestCallback" value="org.jboss.security.auth.callback.RFC2617Digest"/>
                        </login-module>
                    </authentication>
                </security-domain>

我生成了如下所示存储在属性文件中的密码

D:\jboss7\jboss-eap-7.2\modules\system\layers\base\org\picketBox\main>java -classpath picketBox-5.0.3.Final-redhat-3.jar org.jboss.security.auth.callback.RFC2617Digest TD-ADMIN new_1015 RPAHttpsRealm
RFC2617 A1 hash: cdb6fe455334228532b07355043afcb6

请注意，我在storeDigestCall back模块选项中给出了相同的值。我曾尝试过其他的回叫课程

我遇到以下错误，请您帮忙

UG [io.undertow.request.security]（默认任务2）/ rpaws / services / SearchIPAddressport使用方法io.undertow.security.impl.CachedAuthenticatedSessionMechanism@234fd496的身份验证结果为NOT_ATTEMPTED 03：19：06,161调试[org.jboss.security]（默认任务2）PBox00281：密码散列已激活，算法：MD5，编码：rfc2617，字符集：null，回调：null，storeCallBack：org.jboss.security.auth .callback.RFC2617摘要 03：19：06,173 DEBUG [org.jboss.security]（默认任务2）PBox00283：用户名TD-ADMIN的密码错误 03：19：06,173调试[org.jboss.security]（默认任务2）PBox00206：登录失败：javax.security.auth.login.FailedLoginException：PBox00070：密码无效/需要密码在org.picketBox // org.jboss.security.auth.spi.UsernamePasswordLoginModule.login（UsernamePasswordLoginModule.java:286）在org.picketBox // org.jboss.security.auth.spi.UsersRolesLoginModule.login（UsersRolesLoginModule.java:171）在java.base / javax.security.auth.login.LoginContext.invoke（LoginContext.java:726）在java.base / javax.security.auth.login.LoginContext $ 4.run（LoginContext.java:665）在java.base / javax.security.auth.login.LoginContext $ 4.run（LoginContext.java:663）在java.base / java.security.AccessController.doPrivileged（本机方法）在java.base / javax.security.auth.login.LoginContext.invokePriv（LoginContext.java:663）在java.base / javax.security.auth.login.LoginContext.login（LoginContext.java:574）在org.picketBox // org.jboss.security.authentication.JBossCachedAuthenticationManager.defaultLogin（JBossCachedAuthenticationManager.java:406）在org.picketBox // org.jboss.security.authentication.JBossCachedAuthenticationManager.proceedWithJaasLogin（JBossCachedAuthenticationManager.java:345）在org.picketBox // org.jboss.security.authentication.JBossCachedAuthenticationManager.authenticate（JBossCachedAuthenticationManager.java:323）在org.picketBox // org.jboss.security.authentication.JBossCachedAuthenticationManager.isValid（JBossCachedAuthenticationManager.java:146）在[email protected]//org.wildfly.extension.undertow.security.JAASIdentityManagerImpl.verifyCredential（JAASIdentityManagerImpl.java:123）在[email protected]//org.wildfly.extension.undertow.security.JAASIdentityManagerImpl.verify（JAASIdentityManagerImpl.java:89）在[email protected]//org.wildfly.extension.undertow.security.digest.DigestAuthenticationMechanism.handleDigestHeader（DigestAuthenticationMechanism.java:312）在[email protected]//org.wildfly.extension.undertow.security.digest.DigestAuthenticationMechanism.authenticate（DigestAuthenticationMechanism.java:170）在[email protected]//io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition（SecurityContextImpl.java:245）在[email protected]//io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition（SecurityContextImpl.java:268）在[email protected]//io.undertow.security.impl.SecurityContextImpl$AuthAttempter.access$100（SecurityContextImpl.java:231）在[email protected]//io.undertow.security.impl.SecurityContextImpl.attemptAuthentication（SecurityContextImpl.java:125）在[email protected]//io.undertow.security.impl.SecurityContextImpl.authTransition（SecurityContextImpl.java:99）在[email protected]//io.undertow.security.impl.SecurityContextImpl.authenticate（SecurityContextImpl.java:92）在[email protected]//io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest（ServletAuthenticationCallHandler.java:55）在[email protected]//io.undertow.server.handlers.disableCacheHandler.handleRequest（disableCacheHandler.java:33）在[email protected]//io.undertow.server.handlers.PredicateHandler.handleRequest（PredicateHandler.java:43）在[email protected]//io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest（AuthenticationConstraintHandler.java:53）在[email protected]//io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest（AbstractConfidentialityHandler.java:46）在[email protected]//io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest（ServletConfidentialityConstraintHandler.java:64）在[email protected]//io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest（ServletSecurityConstraintHandler.java:59）在[email protected]//io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest（AuthenticationMechanismsHandler.java:60）在[email protected]//io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest（CachedAuthenticatedSessionHandler.java:77）在[email protected]//io.undertow.security.handlers.NotificationReceiverHandler.handleRequest（NotificationReceiverHandler.java:50）在[email protected]//io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest（AbstractSecurityContextAssociationHandler.java:43）在[email protected]//io.undertow.server.handlers.PredicateHandler.handleRequest（PredicateHandler.java:43）在[email protected]//org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest（JACCContextIdHandler.java:61）在[email protected]//io.undertow.server.handlers.PredicateHandler.handleRequest（PredicateHandler.java:43）在[email protected]//org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest（GlobalRequestControllerHandler.java:68）在[email protected]//io.undertow.server.handlers.PredicateHandler.handleRequest（PredicateHandler.java:43）在[email protected]//io.undertow.servlet.handlers.ServletinitialHandler.handleFirstRequest（ServletinitialHandler.java:292）在[email protected]//io.undertow.servlet.handlers.ServletinitialHandler.access$100（ServletinitialHandler.java:81）在[email protected]//io.undertow.servlet.handlers.ServletinitialHandler$2.call（ServletinitialHandler.java:138）在[email protected]//io.undertow.servlet.handlers.ServletinitialHandler$2.call（ServletinitialHandler.java:135）在[email protected]//io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call（ServletRequestContextThreadSetupAction.java:48）在[email protected]//io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call（ContextClassLoaderSetupAction.java:43）在[email protected]//org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0（SecurityContextThreadSetupAction.java:105）在[email protected]//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0（UndertowDeploymentInfoService.java:1502）在[email protected]//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0（UndertowDeploymentInfoService.java:1502）在[email protected]//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0（UndertowDeploymentInfoService.java:1502）在[email protected]//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0（UndertowDeploymentInfoService.java:1502）在[email protected]//io.undertow.servlet.handlers.ServletinitialHandler.dispatchRequest（ServletinitialHandler.java:272）在[email protected]//io.undertow.servlet.handlers.ServletinitialHandler.access$000（ServletinitialHandler.java:81）在[email protected]//io.undertow.servlet.handlers.ServletinitialHandler$1.handleRequest（ServletinitialHandler.java:104）在[email protected]//io.undertow.server.Connectors.executeRootHandler（Connectors.java:360）在[email protected]//io.undertow.server.HttpServerExchange$1.run（HttpServerExchange.java:830）在[email protected]//org.jboss.threads.ContextClassLoaderSavingRunnable.run（ContextClassLoaderSavingRunnable.java:35）在[email protected]//org.jboss.threads.EnhancedQueueExecutor.safeRun（EnhancedQueueExecutor.java:1985）在[email protected]//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask（EnhancedQueueExecutor.java:1487）在[email protected]//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run（EnhancedQueueExecutor.java:1378）在java.base / java.lang.Thread.run（Thread.java:834）

03：19：06,175调试[io.undertow.request.security]（默认任务2），身份验证失败，并显示消息UT000038：身份验证失败，请求用户名'TD-ADMIN'和HttpServerExchange的机制DIGEST {POST / rpaws / services / SearchIPAddressport请求{Connection = [Keep-Alive]，SOAPAction = [“”]，Authorization = [Digest username =“ TD-ADMIN”，realm =“ RPAHttpsRealm”，nonce =“ RFQLuAOrMiANMTU5ODIxOTM0NjE1NGdPOKC + 2c1pRogJZWM8eYU “ / rpaws / services / SearchIPAddressport”，响应=“ a0e500d779a876633b968e0180f3da42”，qop = auth，nc = 00000001，cnonce =“ c18eb749fd10230c”，算法= MD5，opaque =“ 00000000000000000000000000000000000000”]，Accept-Encoding = [gzip，放气] Content-Type = [text / xml; charset = UTF-8]，Content-Length = [652]，User-Agent = [Apache-HttpClient / 4.5.2（Java / 12.0.1）]，Host = [localhost： 8080]}响应{Expires = [0]，Cache-Control = [no-cache，no-store，must-revalidate]，Pragma = [no-cache]}}

解决方法

我一直在为同样的问题苦苦挣扎，但是您对 standalone.xml 文件所做的添加使我可以使用它。这是我如何做到的。希望它可以帮助某人。

这是在 Jboss-EAP 7.2.9 上执行的

添加将用于 DIGEST 身份验证的用户和密码。

$ cd ./modules/system/layers/base/org/picketbox/main
$ java -classpath picketbox-5.0.3.Final-redhat-3.jar org.jboss.security.auth.callback.RFC2617Digest username PAssword1234 ApplicationRealm
RFC2617 A1 hash: 03e86946408b9e9c85c7b62f3d811062

将用户名和哈希添加到 ./standalone/configuration/application-users.properties 文件

username=03e86946408b9e9c85c7b62f3d811062

将角色添加到 ./standalone/configuration/application-roles.properties

username=RoleName

在我的应用程序的 jboss-web.xml 文件中

<jboss-web xmlns="http://www.jboss.com/xml/ns/javaee"
   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
   xsi:schemaLocation="
      http://www.jboss.com/xml/ns/javaee
      http://www.jboss.org/j2ee/schema/jboss-web_5_1.xsd">
    <security-domain>filesystemSD</security-domain>
    <context-root>rest</context-root>
</jboss-web>

在我的应用程序的 web.xml 文件的底部，我添加了以下内容：

<security-constraint>
      <web-resource-collection>
          <web-resource-name>rest</web-resource-name>
          <url-pattern>/rest/*</url-pattern>
      </web-resource-collection>
      <auth-constraint>
          <role-name>RoleName</role-name>
      </auth-constraint>
  </security-constraint>

  <security-role>
      <role-name>RoleName</role-name>
  </security-role>

  <login-config>
      <auth-method>DIGEST</auth-method>
      <realm-name>ApplicationRealm</realm-name>
  </login-config>

</web-app>

然后我运行了这三个 jboss-cli 命令

/subsystem=security/security-domain=filesystemSD:add
/subsystem=security/security-domain=filesystemSD/authentication=classic:add
/subsystem=security/security-domain=filesystemSD/authentication=classic/login-module=UsersRoles:add(code=UsersRoles,flag=required,module-options=["usersProperties"=>"file:///${jboss.server.config.dir}/application-users.properties",\
"rolesProperties"=>"file:///${jboss.server.config.dir}/application-roles.properties",\
"hashAlgorithm"=>"MD5",\
"hashEncoding"=>"rfc2617",\
"ignorePasswordCase"=>"false",\
"hashStorePassword"=>"true",\
"hashUserPassword"=>"false",\
"passwordIsA1Hash"=>"true",\
"storeDigestCallback"=>"org.jboss.security.auth.callback.RFC2617Digest"])

然后重新加载 jboss 并部署应用程序。当用户尝试访问 /rest/ 时，系统会提示他们输入您在步骤 1 中创建的用户名和密码

callback hash jboss