Unable to access Tomcat Manager after installing the OpenAM J2EE policy agent

Posted 2024-12-01 14:03:17 · 138 characters · 2 views · 0 comments

I have installed a tomcat 6 server with a j2ee openam policy agent. After the installation I am unable to access it, I always get redirected to manager/amlogin.html.

This did not previously happen so I can only assume it is because of the agent installation. Is there a configuration setting I have missed?

Comments (2)

夏日浅笑〃 2024-12-08 14:03:17

As part of our continuous integration we wanted the ability to automatically deploy our application into our openam agent protected tomcat server.

The hudson deploy plugin uses the tomcat manager application to deploy, however as detailed in the question, after agent installation the manager application is no longer accessible by the normal mechanism (HTTP basic auth).

During installation the agent updates the manager app web.xml to change the default BASIC authentication to a FORM based authentication, that can subsequently be configured to work with openam (to provide a single sign on to the manager app as well) - for more info see http://docs.oracle.com/cd/E19681-01/820-7251/gicpx/index.html.

To use the hudson deploy plugin, we reverted the changes to the manager app web.xml (the agent backs up the original web.xml during its installation).

In order to enable the default UserDatabase realm for the manager, we placed the Realm definition into the Context element specific to the manager app ${TOMCAT_HOME}/conf/Catalina/manager.xml:

<Context antiResourceLocking="false" privileged="true" useHttpOnly="true">

    <!-- use the default tomcat-users database to manage roles for the manager app -->
    <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
         resourceName="UserDatabase"/>

</Context>

This re-enabled basic auth login to the manager app, without affecting the custom realm installed by the agent that the other web applications need for openam integration.
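Added example, not code from the answer above or from OpenAM/Tomcat: a Python check that reads the manager app's web.xml and its manager.xml Context and reports whether the manager is back on BASIC auth backed by the UserDatabase realm. The sample XML strings are constructed; the /amlogin.html form-login page is an assumed value taken from the redirect described in the question.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the manager app's web.xml after the OpenAM agent has
# rewritten it (FORM login that lands on the agent's amlogin.html page).
AGENT_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/amlogin.html</form-login-page>
    </form-login-config>
  </login-config>
</web-app>"""
# Constructed sample: the stock manager web.xml (BASIC auth).
STOCK_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <login-config><auth-method>BASIC</auth-method></login-config></web-app>"""
# The manager.xml Context from the answer above.
MANAGER_XML = """<Context antiResourceLocking="false" privileged="true" useHttpOnly="true">
  <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
         resourceName="UserDatabase"/>
</Context>"""

def _local(tag):
    # ElementTree reports namespaced tags as "{ns}name"; keep only "name".
    return tag.rsplit("}", 1)[-1]

def login_config(web_xml):
    """Return (auth-method, form-login-page); the page is None for BASIC."""
    method = page = None
    for el in ET.fromstring(web_xml).iter():
        if _local(el.tag) == "auth-method":
            method = (el.text or "").strip()
        elif _local(el.tag) == "form-login-page":
            page = (el.text or "").strip()
    return method, page

def manager_has_user_database_realm(manager_xml):
    """True if the manager Context declares the UserDatabaseRealm."""
    return any(
        _local(el.tag) == "Realm"
        and el.get("className") == "org.apache.catalina.realm.UserDatabaseRealm"
        and el.get("resourceName") == "UserDatabase"
        for el in ET.fromstring(manager_xml).iter())

def diagnose(web_xml, manager_xml):
    """One-line verdict on whether the manager is reachable over basic auth."""
    method, page = login_config(web_xml)
    if method != "BASIC":
        return f"{method} auth via {page}: restore the backed-up BASIC web.xml"
    if not manager_has_user_database_realm(manager_xml):
        return "BASIC auth but no UserDatabaseRealm in manager.xml"
    return "BASIC auth against UserDatabase: manager reachable"
```

Point the two functions at ${TOMCAT_HOME}/webapps/manager/WEB-INF/web.xml and ${TOMCAT_HOME}/conf/Catalina/manager.xml to confirm the revert before letting the hudson deploy plugin hit the manager.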

清眉祭 2024-12-08 14:03:17

Yep, that's normal behaviour if you're trying to access protected content.

The policy agent detects that you don't have an authenticated session and, as a consequence, redirects you to the Identity Provider that will be in charge of authenticating you.
For more info on how OpenAM works, you should take a look at the SAML 2.0 wikipedia page: http://en.wikipedia.org/wiki/SAML_2.0
In your case, the OpenAM agent is a Service Provider.

The policy agent normally affects the global web.xml and Tomcat's server.xml files. If you were accessing unprotected content, you should edit the URL pattern that OpenAM should protect in those 2 files.
