Is there a way to make OpenSSO/OpenAM authenticate and authorize against a database?

Posted on 2024-09-25 05:06:55, 721 characters, 7 views, 0 comments

We want to use OpenSSO for our authentication and authorization needs but would prefer it talking to a database instead of the default LDAP datastore. We found that there is an experimental Database datastore present in the OpenAM 9.0 release.

However, it seems to be just concerned with authentication and user lifecycle management. There is no provision for storing entitlements information in the database datastore. We would want to keep the entire authentication and authorization info in the database.

I'm okay to even put some effort into customizing the code to make OpenAM talk to the database for evaluating the policies and deciding on what a user can or cannot do on a particular resource. By the way, we have requirements to safeguard several kinds of resources, not just pages (URLs).

I have looked into the code and found that the base datastore classes like

com.sun.identity.entitlement.opensso.DataStore.java,
com.sun.identity.entitlement.PolicyDataStore.java,
com.sun.identity.entitlement.opensso.OpenSSOPolicyDataStore.java

are all tightly bound to the LDAP based implementation.

Are there any interfaces or abstract classes which I can customize to make opensso talk to database datastore for its entitlements and policy decisions?

I would even be willing to spend a couple of months of effort in getting this to work if someone can provide any hints with which I can get started.

Thanks and Regards,

Samba

Comments (4)

还不是爱你 2024-10-02 05:06:55

This might help for authentication: http://rahul-ghose.blogspot.com/2014/05/openam-database-connectivity-with-mysql.html

The contents of the blog, made by Rahul Ghose

OpenAM database connectivity with MySql

This post comes after a long time. I had been really stuck with my project in creating a Single Sign On implementation. I was working with an amazing piece of software, OpenAM, formerly OpenSSO, currently maintained by the Forgerock community.

My setup: I used Tomcat with Mysql and OpenAM 11.0.0 running on Centos

So first things first, install mysql-connector-java for your operating system and you should get a jar file. Here is what I got on my box:

# rpm -ql mysql-connector-java | grep jar
/usr/share/java/mysql-connector-java-5.1.17.jar
/usr/share/java/mysql-connector-java.jar

Now copy this to your tomcat installation directory, at "$CATALINA_HOME/lib", and restart tomcat.

If you skip the above step, you will run into an error that looks like this:

java.lang.InstantiationException: JdbcSimpleUserDao.initialize: failed to load driver class jdbcDriver=com.mysql.jdbc.Driver exception=com.mysql.jdbc.Driver
    at com.sun.identity.idm.plugins.database.JdbcSimpleUserDao.initialize(JdbcSimpleUserDao.java:274)
    at com.sun.identity.idm.plugins.database.DatabaseRepo.initialize(DatabaseRepo.java:429)
    at com.sun.identity.idm.server.IdRepoPluginsCache.constructIdRepoPlugin(IdRepoPluginsCache.java:475)
    at com.sun.identity.idm.server.IdRepoPluginsCache.addIdRepo(IdRepoPluginsCache.java:353)
    at com.sun.identity.idm.server.IdRepoPluginsCache.removeIdRepo(IdRepoPluginsCache.java:251)
    at com.sun.identity.idm.server.IdRepoPluginsCache.organizationConfigChanged(IdRepoPluginsCache.java:646)
    at com.sun.identity.sm.ServiceConfigManagerImpl.notifyOrgConfigChange(ServiceConfigManagerImpl.java:493)
    at com.sun.identity.sm.ServiceConfigManagerImpl.objectChanged(ServiceConfigManagerImpl.java:453)
    at com.sun.identity.sm.SMSNotificationManager.sendNotifications(SMSNotificationManager.java:289)
    at com.sun.identity.sm.SMSNotificationManager$LocalChangeNotifcationTask.run(SMSNotificationManager.java:365)
    at com.iplanet.am.util.ThreadPool$WorkerThread.run(ThreadPool.java:306)

Next up, connect to your mysql server and navigate to this page in OpenAM (Access Control -> Realm (of your choice) -> Datastores -> New):

Step 1 of 2: Select type of Data store

Name: My_Database_Repo
Type: 
   Active Directory
   Active Directory Application Mode (ADAM)
   Database Repository (Early Access)  <--- TICK THIS ONE
   Generic LDAPv3
   OpenDJ
   Sun DS with OpenAM schema
   Tivoli Directory Server

Now click on next. We just need to change the following fields:

Password for Connecting to database: 
Password for Connecting to database (confirm):
JDBC driver url: jdbc:mysql://127.0.0.1:3306/test
Connect this user to database: root

Enter the password and username of your mysql database user. Also change the IP address, port and database name of your mysql database installation to refer to a table you have specifically reserved for OpenAM to use. OpenAM will be using 2 tables in this database, the names of which you need to specify here:

User Configuration
    *Database User Table Name: opensso_users

and here:

Group configuration
    Database Membership table name: groups

So for the user table, you need to create the columns as VARCHAR, somehow integer did not work for me. The column names which you need to have in your table can be found in this table here:

List of User Attributes Names in Database

uid
ChangePassword
sunIdentityMSISDNNumber
mail
sn
manager
preferredlocale
iplanet_am_user_password_reset_force_reset
givenname
iplanet_am_user_alias_list

I removed all the iplanet_* attributes and created a user table in the MySql database. Then I used the following sql script to create the database entries for the default configuration:

create database test;
use test;
-- one telephonenumber column only: a repeated column name makes MySQL reject the statement
create table opensso_users (uid varchar(50), userpassword varchar(50), inetuserstatus integer, cn varchar(50), mail varchar(50), manager varchar(50), preferredlocale varchar(50), givenname varchar(50), telephonenumber varchar(50), sn varchar(50));
create table groups (uid varchar(50), group_name varchar(50), cn varchar(50));

Now add your users to this table and go, go, go!

NB: I could not get groups working with this configuration, if you have any know-how, please let me know

Read also:

1: https://wikis.forgerock.org/confluence/display/openidm/JDBC+Repository

2: Mailing list entry on database configuration
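Before pointing the Database Repository at a freshly created table, it is worth linting the DDL against the attribute list the answer gives. The checker below is an added example, not the blog's or OpenAM's code; the attribute set and the sample statement (a constructed copy of the answer's table that repeats telephonenumber, which MySQL rejects) are assumptions of this example.

```python
import re

# Attribute names from the answer's "List of User Attributes Names in Database",
# minus the iplanet_* ones the author dropped (assumed set for this example).
REQUIRED_USER_COLUMNS = {"uid", "userpassword", "inetuserstatus", "mail", "sn",
                         "manager", "preferredlocale", "givenname"}

# Constructed sample DDL: same columns as the answer's table, with telephonenumber
# repeated three times, which MySQL refuses with "Duplicate column name".
SAMPLE_DDL = """create table opensso_users (uid varchar(50), userpassword varchar(50),
inetuserstatus integer, cn varchar(50),mail varchar(50),manager varchar(50),
preferredlocale varchar(50), givenname varchar(50), telephonenumber varchar(50),
telephonenumber varchar(50), telephonenumber varchar(50), sn varchar(50)  );"""


def parse_columns(ddl):
    """Return (table_name, [(column, type), ...]) from a simple CREATE TABLE."""
    m = re.search(r"create\s+table\s+(\w+)\s*\((.*)\)\s*;?\s*$", ddl, re.I | re.S)
    if not m:
        raise ValueError("not a CREATE TABLE statement")
    cols = []
    for part in m.group(2).split(","):          # no commas inside varchar(n)
        tokens = part.split()
        if len(tokens) >= 2:
            cols.append((tokens[0].lower(), " ".join(tokens[1:]).lower()))
    return m.group(1).lower(), cols


def check_user_table(ddl, required=REQUIRED_USER_COLUMNS):
    """List problems that would break the user datastore: duplicate column
    names, attributes OpenAM expects that are missing, and non-VARCHAR columns
    (the answer reports integer columns did not work for the author)."""
    _, cols = parse_columns(ddl)
    names = [c for c, _ in cols]
    problems = []
    for name in sorted(set(names)):
        if names.count(name) > 1:
            problems.append(f"duplicate column: {name}")
    for name in sorted(required - set(names)):
        problems.append(f"missing column: {name}")
    for name, ctype in cols:
        if not ctype.startswith("varchar"):
            problems.append(f"non-varchar column: {name} ({ctype})")
    return problems


if __name__ == "__main__":
    for problem in check_user_table(SAMPLE_DDL):
        print(problem)
```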

舟遥客 2024-10-02 05:06:55

Researching a similar issue. Found custom authentication modules for OpenAM: https://wikis.forgerock.org/confluence/display/openam/Write+a+custom+authentication+module

私藏温柔 2024-10-02 05:06:55

I could make both authentication and authorization point to database (or any other storage support) by writing a new opensso repository. I did it by writing a new class which extends com.sun.identity.idm.IdRepo. This is quite long since the new class must overload a lot of IdRepo abstract methods.

But this allowed me to create a new datastore in opensso. To avoid issues with opensso internal datastore, I used my new datastore on a new realm.

I based my code on the opensso database and ldap repository example code (available in opensso sources).

独享拥抱 2024-10-02 05:06:55

The OpenAM configuration store is limited to LDAP directories at the moment, and the entitlements are stored in the configuration store, hence you may find this requirement quite difficult to implement. If you still really want to use a database as a backend, you would probably have to refactor a lot of code, and even then you may find that it isn't feasible at all.

The configuration is mainly retrieved/modified by the com.sun.identity.sm.SMSObject implementations, so you would have to come up with a custom impl that works with a database.
