Container-based LDAP authentication with JBoss and Spring Boot
I've a simple API that returns a string. My objective is to secure my API using LDAP authentication. I have my LDAP configured in my JBoss EAP 7.1 under the security-domain. I've defined my security constraint in the web.xml and the corresponding security-domain in my jboss-web.xml. This is my first shot at integrating LDAP with a REST API. Not sure what went wrong, but when I hit my API from the browser, it keeps prompting for credentials 3 times and then gives the error below.
Whitelabel Error Page
This application has no explicit mapping for /error, so you are seeing this as a fallback.
Tue Feb 22 13:42:54 EST 2022
There was an unexpected error (type=Unauthorized, status=401).
Full authentication is required to access this resource
If I hit it from Postman, it gives a similar error in JSON format...
{
"timestamp": 1645553512290,
"status": 401,
"error": "Unauthorized",
"message": "Bad credentials",
"path": "/SecureAPI/mypath"
}
web.xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="3.0" xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
<security-constraint>
<web-resource-collection>
<web-resource-name>WebServiceSecurity</web-resource-name>
<url-pattern>/</url-pattern>
<http-method>GET</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>ROLE_ADMIN</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
<security-role>
<role-name>ROLE_ADMIN</role-name>
</security-role>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>basic ldap realm</realm-name>
</login-config>
</web-app>
jboss-web.xml
<?xml version="1.0" encoding="UTF-8"?>
<jboss-web xmlns="http://www.jboss.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="
http://www.jboss.com/xml/ns/javaee
http://www.jboss.org/j2ee/schema/jboss-web_5_2.xsd">
<context-root>SecureAPI</context-root>
<security-domain>java:/jaas/ldapLogin</security-domain>
</jboss-web>
API
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

// Served at /SecureAPI/mypath once deployed under the context-root from jboss-web.xml
@RestController
public class SecuredController {
    @GetMapping("/mypath")
    public String sayHi() {
        return "This API is Secured";
    }
}
standalone-full-ha.xml configuration:
<security-domain name="ldapLogin">
<authentication>
<login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">
<module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
<module-option name="java.naming.provider.url" value="ldaps://<ldapserver>:<port>"/>
<module-option name="java.naming.security.authentication" value="simple"/>
<module-option name="principalDNPrefix" value="uid="/>
<module-option name="principalDNSuffix" value=",ou=users,dc=bcn,dc=com"/>
<module-option name="rolesCtxDN" value="ou=groups,dc=bcn,dc=com"/>
<module-option name="uidAttributeID" value="uniqueMember"/>
<module-option name="matchOnUserDN" value="true"/>
<module-option name="roleAttributeID" value="cn"/>
<module-option name="roleAttributeIsDN" value="false"/>
<module-option name="unauthenticatedIdentity" value="guest"/>
</login-module>
</authentication>
</security-domain>
My dependencies in pom.xml are:
<dependencies>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
<version>${spring-boot.version}</version>
<exclusions>
<exclusion>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-tomcat</artifactId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>javax.servlet</groupId>
<artifactId>javax.servlet-api</artifactId>
<version>4.0.1</version>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
<version>${spring-boot.version}</version>
</dependency>
</dependencies>
My question is, why does the API prompt for credentials multiple times when accessed from the browser? I confirm there is nothing wrong with the credentials that are given. Also, the JSON response suggests some unhandled exception. Not sure where it is coming from. Any suggestions would be helpful.
The same configuration worked for SOAP-based services. For REST, it's not working. Does it make a difference?
The Spring Security dependency adds additional security on top of my LDAP authentication. I removed the dependency and it worked.
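Added example, not the asker's code and an alternative to dropping the dependency: the 401 "Bad credentials" is what Spring Security's auto-configured HTTP Basic filter returns when it re-checks the same Authorization header against Spring Boot's generated in-memory user, so the container and Spring each challenge the request. This configuration keeps spring-boot-starter-security but hands authentication to the container principal through Spring Security's `jee()` pre-authentication support; it assumes Spring Boot 2.x / Spring Security 5.x and a hypothetical package name.

```java
// Added example, not the asker's code: keep spring-boot-starter-security on the classpath
// but let Spring Security trust the container-managed BASIC/LDAP login configured in
// web.xml + jboss-web.xml, instead of running its own HTTP Basic filter against the
// auto-generated in-memory "user" (the source of the 401 "Bad credentials" seen in Postman).
// Assumes Spring Boot 2.x / Spring Security 5.x; the package name is hypothetical.
package com.example.secureapi;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
import org.springframework.security.config.http.SessionCreationPolicy;

@Configuration
@EnableWebSecurity
public class ContainerAuthSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // Pre-authentication: take the principal from HttpServletRequest.getUserPrincipal(),
            // which JBoss populates only after the LdapLoginModule in security-domain
            // "ldapLogin" has accepted the BASIC credentials. A request with no container
            // principal gets a 403 from Spring (no second challenge is issued).
            .jee(jee -> jee
                // Passed verbatim to request.isUserInRole(); must equal the <role-name> in
                // web.xml, which JBoss fills from the LDAP group "cn" (roleAttributeID).
                .mappableAuthorities("ROLE_ADMIN"))
            // The container already sent the 401 + WWW-Authenticate challenge; do not add another.
            .httpBasic(AbstractHttpConfigurer::disable)
            // Stateless REST API: no login form, no session, no CSRF token to protect.
            .formLogin(AbstractHttpConfigurer::disable)
            .csrf(AbstractHttpConfigurer::disable)
            .sessionManagement(sm -> sm.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            // Mirrors the web.xml auth-constraint so both layers enforce the same rule.
            .authorizeRequests(auth -> auth.anyRequest().hasRole("ADMIN"));
    }
}
```

Because web.xml still declares the auth-constraint, the container remains the only place credentials are verified, and the `guest` identity that `unauthenticatedIdentity` assigns to requests carrying no credentials has no roles, so both layers reject it.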