我正在尝试将 tomcat 配置为使用 JNDI 领域连接到 ldap 数据库,以便与 Active Directory 集成。但是,我的日志中出现以下错误,并且似乎无法提高日志级别以查看实际情况。
Feb 19, 2014 10:10:41 AM org.apache.catalina.startup.Catalina load
INFO: Initialization processed in 1048 ms
Feb 19, 2014 10:10:42 AM org.apache.catalina.core.StandardService start
INFO: Starting service Catalina
Feb 19, 2014 10:10:42 AM org.apache.catalina.core.StandardEngine start
INFO: Starting Servlet Engine: Apache Tomcat/6.0.36
Feb 19, 2014 10:10:42 AM org.apache.catalina.realm.RealmBase init
FINE: Register Realm Catalina:type=Realm,realmPath=/realm0
Feb 19, 2014 10:10:42 AM org.apache.catalina.authenticator.AuthenticatorBase start
FINE: No SingleSignOn Valve is present
Feb 19, 2014 10:11:34 AM org.apache.catalina.authenticator.AuthenticatorBase start
FINE: No SingleSignOn Valve is present
Feb 19, 2014 10:11:44 AM org.apache.catalina.authenticator.AuthenticatorBase start
FINE: No SingleSignOn Valve is present
Feb 19, 2014 10:11:45 AM org.apache.catalina.startup.HostConfig deployDescriptor
INFO: Deploying configuration descriptor host-manager.xml
Feb 19, 2014 10:11:45 AM org.apache.catalina.authenticator.AuthenticatorBase start
FINE: No SingleSignOn Valve is present
Feb 19, 2014 10:11:45 AM org.apache.catalina.startup.HostConfig deployDescriptor
INFO: Deploying configuration descriptor manager.xml
Feb 19, 2014 10:11:45 AM org.apache.catalina.authenticator.AuthenticatorBase start
FINE: No SingleSignOn Valve is present
Feb 19, 2014 10:11:45 AM org.apache.coyote.http11.Http11Protocol start
INFO: Starting Coyote HTTP/1.1 on http-80
Feb 19, 2014 10:11:45 AM org.apache.catalina.startup.Catalina start
INFO: Server startup in 64228 ms
Feb 19, 2014 10:11:54 AM org.apache.catalina.authenticator.AuthenticatorBase invoke
FINE: Security checking request GET /tip/
Feb 19, 2014 10:11:54 AM org.apache.catalina.realm.RealmBase findSecurityConstraints
FINE: Checking constraint 'SecurityConstraint[Secure Area]' against GET /index.jsp --> true
Feb 19, 2014 10:11:54 AM org.apache.catalina.realm.RealmBase findSecurityConstraints
FINE: Checking constraint 'SecurityConstraint[Secure Area]' against GET /index.jsp --> true
Feb 19, 2014 10:11:54 AM org.apache.catalina.authenticator.AuthenticatorBase invoke
FINE: Calling hasUserDataPermission()
Feb 19, 2014 10:11:54 AM org.apache.catalina.realm.RealmBase hasUserDataPermission
FINE: User data constraint has no restrictions
Feb 19, 2014 10:11:54 AM org.apache.catalina.authenticator.AuthenticatorBase invoke
FINE: Calling authenticate()
Feb 19, 2014 10:11:54 AM org.apache.catalina.authenticator.AuthenticatorBase invoke
FINE: Failed authenticate() test
我在 tomcat 的 server.xml 中的 Realm 配置如下所示:(我显然删除了敏感信息)
<!-- JNDI Realm authentication start -->
<Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
connectionURL="ldap://<ldap server goes here>:389"
connectionName="cn=app,ou=service admin accounts,ou=users,o=iam"
connectionPassword="password goes here"
referrals="follow"
userBase="ou=fil,ou=users,o=iam"
userSearch="(AMAccountName={0})"
userSubtree="true"
roleBase="ou=groups,o=iam"
roleName="cn"
roleSubtree="true"
roleSearch="(member={0})"
/>
<!-- JNDI Realm authentication end -->
我的 tomcat logging.properties 看起来像这样:
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
handlers = 1catalina.org.apache.juli.FileHandler, 2localhost.org.apache.juli.FileHandler, 3manager.org.apache.juli.FileHandler, 4host-manager.org.apache.juli.FileHandler, java.util.logging.ConsoleHandler
.handlers = 1catalina.org.apache.juli.FileHandler, java.util.logging.ConsoleHandler
############################################################
# Handler specific properties.
# Describes specific configuration info for Handlers.
############################################################
1catalina.org.apache.juli.FileHandler.level = ALL
1catalina.org.apache.juli.FileHandler.directory = ${catalina.base}/logs
1catalina.org.apache.juli.FileHandler.prefix = catalina.
1catalina.org.apache.juli.FileHandler.bufferSize = -1
2localhost.org.apache.juli.FileHandler.level = ALL
2localhost.org.apache.juli.FileHandler.directory = ${catalina.base}/logs
2localhost.org.apache.juli.FileHandler.prefix = localhost.
3manager.org.apache.juli.FileHandler.level = ALL
3manager.org.apache.juli.FileHandler.directory = ${catalina.base}/logs
3manager.org.apache.juli.FileHandler.prefix = manager.
4host-manager.org.apache.juli.FileHandler.level = ALL
4host-manager.org.apache.juli.FileHandler.directory = ${catalina.base}/logs
4host-manager.org.apache.juli.FileHandler.prefix = host-manager.
java.util.logging.ConsoleHandler.level = ALL
java.util.logging.ConsoleHandler.formatter = java.util.logging.SimpleFormatter
############################################################
# Facility specific properties.
# Provides extra control for each logger.
############################################################
# Possible levels are: SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL
org.apache.catalina.realm.level = ALL
org.apache.catalina.realm.useParentHandlers = true
org.apache.catalina.authenticator.level = ALL
org.apache.catalina.authenticator.useParentHandlers = true
org.apache.catalina.core.ContainerBase.[Catalina].[localhost].level = ALL
org.apache.catalina.core.ContainerBase.[Catalina].[localhost].handlers = 2localhost.org.apache.juli.FileHandler
org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/manager].level = ALL
org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/manager].handlers = 3manager.org.apache.juli.FileHandler
org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/host-manager].level = ALL
org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/host-manager].handlers = 4host-manager.org.apache.juli.FileHandler
# For example, to log debug messages in ContextConfig and HostConfig
# classes and to log only warnings and errors in other
# org.apache.catalina.** classes, uncomment these lines:
#org.apache.catalina.startup.ContextConfig.level = FINE
#org.apache.catalina.startup.HostConfig.level = FINE
#org.apache.catalina.level = WARNING
因此,正如您所看到的,我尝试通过将 debug="99"添加到 server.xml 并将真实和身份验证器级别更改为 ALL 来提高日志级别。但是,除了错误 之外,我仍然没有得到任何看起来有用的东西。验证()测试失败
其余的日志信息在哪里?我期望看到 LDAP 查询结束。
最佳答案
你的设置在我看来是正确的。所以我想知道你确定还有其他日志要显示吗?
正如您在 JavaDocs 中看到的那样这个库的方法认证是这样定义的:
authenticate
protected abstract boolean authenticate(Request request,
Response response,
LoginConfig config)
throws java.io.IOException
并描述为:Authenticate the user making this request, based on the specified login configuration.
Return true if any specified constraint has been satisfied, or false if we have created a response challenge already.
Parameters: request - Request we are processing response - Response we are creating config - Login configuration describing how authentication should be performed.
Throws: java.io.IOException - if an input/output error occurs
这意味着该方法仅在出现 IO 错误时才会抛出错误(以及一些带有它的日志信息),否则它只会返回 false(可能由于其他原因导致身份验证出错)。
因此,如果调用此方法的人不处理“错误”情况,则记录一些有意义的内容而仅记录“身份验证失败”可能是您的配置做得很好并且您无法从中获得其他信息的情况。
关于authentication - 无法使用 jndi 领域在 tomcat6 中增加日志级别调试,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/21886846/