JBoss EAP 7.1.5: why does the server still attempt authentication although auth is turned off?
I have a problem with a <security-constraint> in JBoss EAP 7.1.5. Basically, the server tries to authenticate the user, while the user should be allowed to access the given path without authentication (via JBoss security).
More context
Our old Java EE 8 application running on JBoss EAP 7.1.5 received an upgrade of its login mechanism, and we want to keep the old login mechanism running in parallel for a certain time. Therefore we created two separate paths under which the (same) application can be accessed:
- the new login mechanism on the path /baug1, e.g. https://www.ourcompany.com/baug1
- the old login mechanism on the path /baug, e.g. https://www.ourcompany.com/baug
The old login method is based on a custom JAAS <login-module>; the new one is based on a REST API. Therefore, in my understanding, we need a <security-constraint> without an <auth-constraint> for the /baug1 path. If I am not mistaken, the following web.xml configuration should then be used:
<security-constraint>
<web-resource-collection>
<web-resource-name>Baug1</web-resource-name>
<url-pattern>/baug1/*</url-pattern>
</web-resource-collection>
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>BaugMainForward</web-resource-name>
<url-pattern>/baug/servlet/*</url-pattern>
</web-resource-collection>
<web-resource-collection>
<web-resource-name>BaugMain</web-resource-name>
<url-pattern>/baug/secure/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>Customer</role-name>
<role-name>Clerk</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>${jboss.web.default.authentication:HEADER}
</auth-method>
<realm-name>alcatraz-combined-user-role-property</realm-name>
</login-config>
<security-role>
<role-name>Customer</role-name>
</security-role>
<security-role>
<role-name>Clerk</role-name>
</security-role>
I tried different variants, e.g. removing the first <security-constraint> or setting the URL pattern for baug1 to <url-pattern>/*</url-pattern>, but to no avail. Meanwhile, our jboss-web.xml looks like this:
<?xml version="1.0" encoding="UTF-8"?>
<jboss-web xmlns:jboss="http://www.jboss.com/xml/ns/javaee" xmlns:javaee="http://java.sun.com/xml/ns/javaee">
<security-domain>alcatraz-combined-user-role-property</security-domain>
<context-root>/</context-root>
</jboss-web>
Finally, the following security domains are defined in JBoss's standalone.xml:
<subsystem xmlns="urn:jboss:domain:security:2.0">
<security-domains>
<security-domain name="alcatraz-combined-user-role-property" cache-type="default">
<authentication>
<login-module code="Remoting" flag="optional">
<module-option name="password-stacking" value="useFirstPass"/>
</login-module>
<login-module code="RealmDirect" flag="optional">
<module-option name="password-stacking" value="useFirstPass"/>
</login-module>
<login-module code="com.ourourcompany.loginmodule.AlcatrazAssertedIdentityLoginModule" flag="optional" module="com.ourourcompany.loginmodule">
<module-option name="alcatraz.adapter.jndi.name" value="${alcatraz.adapter.jndi.name}"/>
</login-module>
</authentication>
<mapping>
<mapping-module code="com.ourourcompany.jboss.security.mappingmodule.AlcatrazRolesMappingProvider" type="role" module="com.ourourcompany.jboss.mappingmodule">
<module-option name="application" value="${alcatraz.application.name}"/>
<module-option name="alcatraz.adapter.jndi.name" value="${alcatraz.adapter.jndi.name}"/>
</mapping-module>
<mapping-module code="com.ourourcompany.jboss.security.mappingmodule.SimpleConfiguredRolesMappingProvider" type="role" module="com.ourourcompany.jboss.mappingmodule">
<module-option name="roles" value="ALLOW-ALL"/>
</mapping-module>
</mapping>
</security-domain>
<security-domain name="accept-all" cache-type="default">
<authentication>
<login-module code="com.ourourcompany.loginmodule.SimplePrincipalAcceptingLoginModule" flag="required" module="com.ourourcompany.loginmodule"/>
</authentication>
<mapping>
<mapping-module code="com.ourourcompany.jboss.security.mappingmodule.SimpleConfiguredRolesMappingProvider" type="role" module="com.ourourcompany.jboss.mappingmodule">
<module-option name="roles" value="ALLOW-ALL"/>
</mapping-module>
</mapping>
</security-domain>
<security-domain name="alcatraz" cache-type="default">
<authentication>
<login-module code="com.ourourcompany.loginmodule.AlcatrazAssertedIdentityLoginModule" flag="required" module="com.ourourcompany.loginmodule">
<module-option name="alcatraz.adapter.jndi.name" value="${alcatraz.adapter.jndi.name}"/>
</login-module>
</authentication>
<mapping>
<mapping-module code="com.ourourcompany.jboss.security.mappingmodule.SimpleConfiguredRolesMappingProvider" type="role" module="com.ourourcompany.jboss.mappingmodule">
<module-option name="roles" value="ALLOW-ALL"/>
</mapping-module>
<mapping-module code="com.ourourcompany.jboss.security.mappingmodule.AlcatrazRolesMappingProvider" type="role" module="com.ourourcompany.jboss.mappingmodule">
<module-option name="application" value="${alcatraz.application.name}"/>
<module-option name="alcatraz.adapter.jndi.name" value="${alcatraz.adapter.jndi.name}"/>
</mapping-module>
</mapping>
</security-domain>
<security-domain name="other" cache-type="default">
<authentication>
<login-module code="Remoting" flag="optional">
<module-option name="password-stacking" value="useFirstPass"/>
</login-module>
<login-module code="RealmDirect" flag="required">
<module-option name="password-stacking" value="useFirstPass"/>
</login-module>
</authentication>
</security-domain>
<security-domain name="jboss-web-policy" cache-type="default">
<authorization>
<policy-module code="Delegating" flag="required"/>
</authorization>
</security-domain>
<security-domain name="jboss-ejb-policy" cache-type="default">
<authorization>
<policy-module code="Delegating" flag="required"/>
</authorization>
</security-domain>
<security-domain name="jaspitest" cache-type="default">
<authentication-jaspi>
<login-module-stack name="dummy">
<login-module code="Dummy" flag="optional"/>
</login-module-stack>
<auth-module code="Dummy"/>
</authentication-jaspi>
</security-domain>
</security-domains>
</subsystem>
Now, despite this configuration, the server still tries to authenticate the user every time I call /baug1:
DEBUG [io.undertow.request] Matched default handler path /baug1/
DEBUG [io.undertow.request.security] Security constraints for request /baug1/ are [SingleConstraintMatch{emptyRoleSemantic=PERMIT, requiredRoles=[]}]
DEBUG [io.undertow.request.security] Attempting to authenticate HttpServerExchange{ GET /baug1/ request {Accept=[text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9], Accept-Language=[de-CH,de;q=0.9,en-US;q=0.8,en;q=0.7,fr-CH;q=0.6,fr;q=0.5,it-CH;q=0.4,it;q=0.3], X-Host=[app.dev.ourourcompany.ch], DNT=[1], User-Agent=[Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36 Edg/101.0.1210.39], ClientCorrelator=[92120c4b5b530fe26e05232c0cc23138], LoginUserDataHeaderName=[UserDataJSF], Front-End-Https=[On], Connection=[close], X-Forwarded-Proto=[https], RequestCorrelator=[YoeuM8QyMlGDv-W-X-4YZgAAAFg], X-Forwarded-For=[xx.xx.xx.12], Cookie=[JSESSIONID=xU4I5PXjcJz7LM_Cm7ZKAttYJLa_5flcAOGh7_7j.baug-84-4hw5t; SAT_CH_BAUG=eyJhbGciOiJSUzI1NiIsImtpZCI6IkFUMjAxODA0MjMi...
DEBUG [io.undertow.request.security] Authentication outcome was NOT_ATTEMPTED with method io.undertow.security.impl.CachedAuthenticatedSessionMechanism@73c27b72 for HttpServerExchange{ GET /baug1/ request {Accept=[text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9], Accept-Language=[de-CH,de;q=0.9,en-US;q=0.8,en;q=0.7,fr-CH;q=0.6,fr;q=0.5,it-CH;q=0.4,it;q=0.3], X-Host=[app.dev.ourourcompany.ch], DNT=[1], User-Agent=[Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36 Edg/101.0.1210.39], ClientCorrelator=[92120c4b5b530fe26e05232c0cc23138], LoginUserDataHeaderName=[UserDataJSF], Front-End-Https=[On], Connection=[close], X-Forwarded-Proto=[https], RequestCorrelator=[YoeuM8QyMlGDv-W-X-4YZgAAAFg], X-Forwarded-For=[xx.xx.xx.12], Cookie=[JSESSIONID=xU4I5PXjcJz7LM_Cm7ZKAttYJLa_5flcAOGh7_7j.baug-84-4hw5t; dtCookie=v_4_srv_4_sn_D4077DA36E05A5EE30FD7B942BC956B3_perc...
DEBUG [com.xxx.jboss.security.web.authenticator.AbstractIdentityExtractor] Header 'UserDataJSF' is 'null'.
ERROR [com.xxx.jboss.security.web.authenticator.HeaderAuthenticatorHelper] Identity is 'null'!
DEBUG [io.undertow.request.security] Authentication failed with message UT000038: Authentication failed, requested user name 'null' and mechanism HEADER for HttpServerExchange{ GET /baug1/ request {Accept=[text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9], Accept-Language=[de-CH,de;q=0.9,en-US;q=0.8,en;q=0.7,fr-CH;q=0.6,fr;q=0.5,it-CH;q=0.4,it;q=0.3], X-Host=[app.dev.xxx.com], DNT=[1], User-Agent=[Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36 Edg/101.0.1210.39], ClientCorrelator=[92120c4b5b530fe26e05232c0cc23138], LoginUserDataHeaderName=[UserDataJSF], Front-End-Https=[On], Connection=[close], X-Forwarded-Proto=[https], RequestCorrelator=[YoeuM8QyMlGDv-W-X-4YZgAAAFg], X-Forwarded-For=[xx.xx.xx.12], Cookie=[JSESSIONID=xU4I5PXjcJz7LM_Cm7ZKAttYJLa_5flcAOGh7_7j.baug-84-4hw5t;
DEBUG [io.undertow.request.security] Authentication outcome was NOT_AUTHENTICATED with method com.xxx.jboss.security.web.authenticator.undertow.HeaderAuthenticationMechanism@3b28aa40 for HttpServerExchange{ GET /baug1/ request {Accept=[text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9], Accept-Language=[de-CH,de;q=0.9,en-US;q=0.8,en;q=0.7,fr-CH;q=0.6,fr;q=0.5,it-CH;q=0.4,it;q=0.3], X-Host=[app.dev.ourourcompany.ch], DNT=[1], User-Agent=[Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36 Edg/101.0.1210.39], ClientCorrelator=[92120c4b5b530fe26e05232c0cc23138], LoginUserDataHeaderName=[UserDataJSF], Front-End-Https=[On], Connection=[close], X-Forwarded-Proto=[https], RequestCorrelator=[YoeuM8QyMlGDv-W-X-4YZgAAAFg], X-Forwarded-For=[xx.xx.xx.12], Cookie=[JSESSIONID=xU4I5PXjcJz7LM_Cm7ZKAttYJLa_5flcAOGh7_7j.baug-84-4hw5t;
DEBUG [io.undertow.request.security] Sending authentication challenge for HttpServerExchange{ GET /baug1/ request {Accept=[text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9], Accept-Language=[de-CH,de;q=0.9,en-US;q=0.8,en;q=0.7,fr-CH;q=0.6,fr;q=0.5,it-CH;q=0.4,it;q=0.3], X-Host=[app.dev.ourourcompany.ch], DNT=[1], User-Agent=[Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36 Edg/101.0.1210.39], ClientCorrelator=[92120c4b5b530fe26e05232c0cc23138], LoginUserDataHeaderName=[UserDataJSF], Front-End-Https=[On], Connection=[close], X-Forwarded-Proto=[https], RequestCorrelator=[YoeuM8QyMlGDv-W-X-4YZgAAAFg], X-Forwarded-For=[xx.xx.xx.12], Cookie=[JSESSIONID=xU4I5PXjcJz7LM_Cm7ZKAttYJLa_5flcAOGh7_7j.baug-84-4hw5t; SAT_CH_BAUG=eyJhbGciOiJSUzI1NiIsImtpZCI6IkFUMj...
DEBUG [io.undertow.request.security] Authentication result was CHALLENGE_SENT for HttpServerExchange{ GET /baug1/ request {Accept=[text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9], Accept-Language=[de-CH,de;q=0.9,en-US;q=0.8,en;q=0.7,fr-CH;q=0.6,fr;q=0.5,it-CH;q=0.4,it;q=0.3], X-Host=[app.dev.ourourcompany.ch], DNT=[1], User-Agent=[Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36 Edg/101.0.1210.39], ClientCorrelator=[92120c4b5b530fe26e05232c0cc23138], LoginUserDataHeaderName=[UserDataJSF], Front-End-Https=[On], Connection=[close], X-Forwarded-Proto=[https], RequestCorrelator=[YoeuM8QyMlGDv-W-X-4YZgAAAFg], X-Forwarded-For=[xx.xx.xx.12], Cookie=[JSESSIONID=xU4I5PXjcJz7LM_Cm7ZKAttYJLa_5flcAOGh7_7j.baug-84-4hw5t; SAT_CH_BAUG=eyJhbGciOiJSUzI1NiIsImtpZC...
INFO [io.undertow.accesslog] 10.94.12.14 - - [20/May/2022:17:05:23 +0200] GET /baug1/?pol_nr=xxxx HTTP/1.1 403 68 https://xxx.sharepoint.com/ Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36 Edg/101.0.1210.39 - -
DEBUG [io.undertow.request] UT005013: An IOException occurred: java.nio.channels.ClosedChannelException
at io.undertow.protocols.ssl.SslConduit.doWrap(SslConduit.java:846)
at io.undertow.protocols.ssl.SslConduit.doHandshake(SslConduit.java:649)
at io.undertow.protocols.ssl.SslConduit.access$900(SslConduit.java:63)
at io.undertow.protocols.ssl.SslConduit$SslReadReadyHandler.readReady(SslConduit.java:1100)
at org.xnio.nio.NioSocketConduit.handleReady(NioSocketConduit.java:89)
at org.xnio.nio.WorkerThread.run(WorkerThread.java:591)
So, to recap, my question is: why does the server attempt authentication when /baug1 is called, despite the fact that no <auth-constraint> is set for this path?
Any ideas are welcome! :)
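The log line "Security constraints for request /baug1/ are [SingleConstraintMatch{emptyRoleSemantic=PERMIT, requiredRoles=[]}]" shows that Undertow resolved the constraint exactly as the web.xml above intends. The following Python script is an added example (not from the question or from JBoss/Undertow) that reproduces the Servlet-spec merging of <security-constraint> elements over a constructed copy of the question's web.xml, so the expected constraint outcome for any path can be checked before deploying.

```python
import xml.etree.ElementTree as ET

# Constructed copy of the question's web.xml constraints (second
# <web-resource-name> typo fixed), wrapped in a root so it parses alone.
WEB_XML = """<web-app>
<security-constraint><web-resource-collection>
  <web-resource-name>Baug1</web-resource-name><url-pattern>/baug1/*</url-pattern>
</web-resource-collection></security-constraint>
<security-constraint>
  <web-resource-collection><web-resource-name>BaugMainForward</web-resource-name>
    <url-pattern>/baug/servlet/*</url-pattern></web-resource-collection>
  <web-resource-collection><web-resource-name>BaugMain</web-resource-name>
    <url-pattern>/baug/secure/*</url-pattern></web-resource-collection>
  <auth-constraint><role-name>Customer</role-name><role-name>Clerk</role-name></auth-constraint>
</security-constraint>
</web-app>"""

def _matches(pattern, path):
    # Servlet url-pattern matching: exact, path prefix (/x/*) and default (/)
    if pattern.endswith("/*"):
        base = pattern[:-2]
        return path == base or path.startswith(base + "/")
    return pattern == path or pattern == "/"

def constraint_for(web_xml, path):
    """Merge the constraints applying to `path` per Servlet spec 13.8.1/13.8.3;
    returns (emptyRoleSemantic, roles) in the form Undertow logs them."""
    matched = []  # (pattern, auth-constraint present?, roles)
    for sc in ET.fromstring(web_xml).iter("security-constraint"):
        auth = sc.find("auth-constraint")
        roles = {r.text.strip() for r in auth.iter("role-name")} if auth is not None else set()
        for p in sc.iter("url-pattern"):
            if _matches(p.text.strip(), path):
                matched.append((p.text.strip(), auth is not None, roles))
    if not matched:
        return ("PERMIT", set())  # nothing constrains the path
    # Only constraints on the most specific (longest) matching pattern apply.
    longest = max(len(m[0]) for m in matched)
    best = [m for m in matched if len(m[0]) == longest]
    if any(has_auth and not roles for _, has_auth, roles in best):
        return ("DENY", set())  # an empty <auth-constraint/> overrides the rest
    if any(not has_auth for _, has_auth, _ in best):
        return ("PERMIT", set())  # a constraint with no <auth-constraint> permits all
    return ("AUTHENTICATE", set().union(*(roles for _, _, roles in best)))
```

The script reports only what the constraints require; it does not model the HEADER authentication mechanism that the log shows still running on the permitted path.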