JMX-RMI/T3 连接导致 CallbackHandler 在存在 ContextHandlerCallback 的情况下引发异常

发布于 2024-10-05 21:04:37 字数 2663 浏览 4 评论 0原文

我在 Weblogic 10.3 中有一个自定义身份验证器,我正在使用它并遇到问题。

当用户通过 HTTP 连接并进行身份验证时,一切正常。但是,如果连接是 JMX-RMI/T3 连接,则调用 javax.security.auth.callback.CallbackHandler.handle 会引发异常。使用 ContextHandlerCallback 默认构造函数,并在回调数组中传递用户名和密码回调。下面是回调处理程序是 javax 的代码.security.auth.callback.CallbackHandler

callbacks = new Callback[2];
callbacks[0] = new NameCallback("username: ");
callbacks[1] = new PasswordCallback("password: ", false);  
callbacks[2] = new ContextHandlerCallback();  

callbackHandler.handle(callbacks);

这是从上面抛出到 callbackHandler.handle(callbacks) 点的异常的顶部:

javax.security.auth.callback.UnsupportedCallbackException: [Security:090175]Unrecognized Callback
at weblogic.security.SimpleCallbackHandler.handle(SimpleCallbackHandler.java:71)
at com.bea.common.security.internal.service.CallbackHandlerWrapper.handle(CallbackHandlerWrapper.java:76)
at weblogic.security.service.internal.WLSJAASLoginServiceImpl$CallbackHandlerWrapper.handle(WLSJAASLoginServiceImpl.java:156)
at javax.security.auth.login.LoginContext$SecureCallbackHandler$1.run(LoginContext.java:955)
at javax.security.auth.login.LoginContext$SecureCallbackHandler.handle(LoginContext.java:951)

这是我们的另一个异常跟踪还请注意:

javax.security.auth.callback.UnsupportedCallbackException: Unrecognized Callback
at weblogic.management.mbeanservers.internal.JMXAuthenticator$JMXCallbackHandler.handle(JMXAuthenticator.java:130)
at com.bea.common.security.internal.service.CallbackHandlerWrapper.handle(CallbackHandlerWrapper.java:76)
at weblogic.security.service.internal.WLSJAASLoginServiceImpl$CallbackHandlerWrapper.handle(WLSJAASLoginServiceImpl.java:156)
at javax.security.auth.login.LoginContext$SecureCallbackHandler$1.run(LoginContext.java:955)
at javax.security.auth.login.LoginContext$SecureCallbackHandler.handle(LoginContext.java:951)

值得注意的是,如果用户通过 JMX/T3 连接进行身份验证,但 HTTP 工作正常,则会抛出此异常。

我们想要实现的部分目标是捕获有关身份验证的信息,例如发起请求的 IP 地址,这就是我们需要 ContextHandlerCallback 的原因。我可以看到尝试从 JMX-RMI/T3 连接检索 HttpServletRequest 可能会导致问题,但在 javax.security.auth.callback.CallbackHandler.handle() 期间抛出异常。

其他一些信息可能相关也可能不相关,但为什么不包括我能提供的全部信息呢?

  • 应用程序正在使用基于表单的身份验证,WS 调用也是如此,但 JMX-RMI/T3 调用可能不会。
  • 不确定是否可以定义身份验证时 CallbackHandler 使用的实现。目前我们已经定义了一个自定义的LoginModule,但没有定义一个自定义的CallbackHandler。
  • 如果在 ContextHandlerCallback 之外有一种方法可以访问 LoginModule 内的调用者的 IP 地址,那么这将提供一个合适的解决方法。

我很困惑为什么它可以通过一种协议而不是另一种协议来工作。其他人见过这种行为或知道处理这种情况的方法吗?

谢谢, 托德

I have a custom Authenticator in Weblogic 10.3 that I'm using and having problems.

When a user connects and authenticates over HTTP everything functions fine. However if the connection is a JMX-RMI/T3 connection the call to javax.security.auth.callback.CallbackHandler.handle an exception is thrown. The ContextHandlerCallback default constructor is being used and passed in the array of callbacks with a username and password callback. Below is the code where callbackHandler is a javax.security.auth.callback.CallbackHandler

callbacks = new Callback[2];
callbacks[0] = new NameCallback("username: ");
callbacks[1] = new PasswordCallback("password: ", false);  
callbacks[2] = new ContextHandlerCallback();  

callbackHandler.handle(callbacks);

Here is the top of the excetption being thrown to the point of callbackHandler.handle(callbacks) from above:

javax.security.auth.callback.UnsupportedCallbackException: [Security:090175]Unrecognized Callback
at weblogic.security.SimpleCallbackHandler.handle(SimpleCallbackHandler.java:71)
at com.bea.common.security.internal.service.CallbackHandlerWrapper.handle(CallbackHandlerWrapper.java:76)
at weblogic.security.service.internal.WLSJAASLoginServiceImpl$CallbackHandlerWrapper.handle(WLSJAASLoginServiceImpl.java:156)
at javax.security.auth.login.LoginContext$SecureCallbackHandler$1.run(LoginContext.java:955)
at javax.security.auth.login.LoginContext$SecureCallbackHandler.handle(LoginContext.java:951)

And here is another exception trace that we're seeing as well:

javax.security.auth.callback.UnsupportedCallbackException: Unrecognized Callback
at weblogic.management.mbeanservers.internal.JMXAuthenticator$JMXCallbackHandler.handle(JMXAuthenticator.java:130)
at com.bea.common.security.internal.service.CallbackHandlerWrapper.handle(CallbackHandlerWrapper.java:76)
at weblogic.security.service.internal.WLSJAASLoginServiceImpl$CallbackHandlerWrapper.handle(WLSJAASLoginServiceImpl.java:156)
at javax.security.auth.login.LoginContext$SecureCallbackHandler$1.run(LoginContext.java:955)
at javax.security.auth.login.LoginContext$SecureCallbackHandler.handle(LoginContext.java:951)

It's worth noting that this exception is thrown if the users are authenticating over a JMX/T3 connection but HTTP works just fine.

Part of what we're trying to achieve is capturing information about the authentication, such as the IP address the request originated from, which is why we need the ContextHandlerCallback. I can see that trying to retrieve an HttpServletRequest from a JMX-RMI/T3 connection could cause problems, but an exception is being thrown during javax.security.auth.callback.CallbackHandler.handle().

Some other information that may or may not be relevant, but why not include all I can?

  • Application is using Form Based Authentication, as do the WS calls but the JMX-RMI/T3 call may not.
  • Unsure if it's possible to define what implementation to use for the CallbackHandler when authenticating. Currently we've defined a custom LoginModule but not a custom CallbackHandler.
  • If there is a way outside of the ContextHandlerCallback to get access to the caller's IP address inside of the LoginModule, that would provide a suitable workaround.

I'm confused why it would work via one protocol and not the other. Anyone else seen this sort of behavior or know of a way to handle this?

Thanks,
Todd

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(1

北方的巷 2024-10-12 21:04:37

在WebLogic 中,ContextHandlerCallback 仅为HTTP servlet 请求定义。

您可以通过实施 ConnectionFilter/ConnectionEvent 接口。您可以使用它们根据 IP 地址记录或拒绝请求。

In WebLogic, the ContextHandlerCallback is only defined for HTTP servlets requests.

You can access the IP address of the caller on all protocols (HTTP, RMI-IIOP, ...) by implementing the ConnectionFilter/ConnectionEvent interfaces. You can use them to log or reject requests based on the IP address.

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文