Tomcat using FormAuthentication instead of KeyCloak Tomcat Valve SAML authentication

Tags: tomcat keycloak saml

I have set up Tomcat with the KeyCloak SAML Valve.

In the logs I see the Valve load and read its configuration from keycloak-saml.xml. When I access my application, I also see in the logs that the session is not authenticated.

In my logs, I see that it goes on to call FormAuthenticator instead of the KeyCloak authenticator:

15-Jun-2020 11:07:33.281 DEBUG [https-jsse-nio-8443-exec-9] org.keycloak.adapters.saml.SamlUtil.validateSamlSession SamlSession was not found in the session
15-Jun-2020 11:07:33.282 FINE [https-jsse-nio-8443-exec-9] org.apache.catalina.authenticator.AuthenticatorBase.invoke Security checking request GET /orbeon/fr
15-Jun-2020 11:07:33.282 FINE [https-jsse-nio-8443-exec-9] org.apache.catalina.realm.RealmBase.findSecurityConstraints   Checking constraint 'SecurityConstraint[Form Runner services and public pages and resources]' against GET /fr --> true
15-Jun-2020 11:07:33.282 FINE [https-jsse-nio-8443-exec-9] org.apache.catalina.realm.RealmBase.findSecurityConstraints   Checking constraint 'SecurityConstraint[Form Runner services and public pages and resources]' against GET /fr --> true
15-Jun-2020 11:07:33.282 FINE [https-jsse-nio-8443-exec-9] org.apache.catalina.authenticator.AuthenticatorBase.invoke  Calling hasUserDataPermission()
15-Jun-2020 11:07:33.282 FINE [https-jsse-nio-8443-exec-9] org.apache.catalina.realm.RealmBase.hasUserDataPermission   User data constraint already satisfied
15-Jun-2020 11:07:33.282 FINE [https-jsse-nio-8443-exec-9] org.apache.catalina.authenticator.AuthenticatorBase.invoke  Calling authenticate()
15-Jun-2020 11:07:33.282 FINE [https-jsse-nio-8443-exec-9] org.apache.catalina.authenticator.FormAuthenticator.doAuthenticate Checking for reauthenticate in session StandardSession[B4143AFBD9BB4D6D1E208687CF9F5581]
15-Jun-2020 11:07:33.282 FINE [https-jsse-nio-8443-exec-9] org.apache.catalina.authenticator.FormAuthenticator.doAuthenticate Save request in session 'B4143AFBD9BB4D6D1E208687CF9F5581'
15-Jun-2020 11:07:33.283 FINE [https-jsse-nio-8443-exec-9] org.apache.catalina.authenticator.FormAuthenticator.forwardToLoginPage Forwarding request for [/orbeon/fr] made with method [GET] to login page [null] of context [/orbeon] using request method GET
15-Jun-2020 11:07:33.283 WARNING [https-jsse-nio-8443-exec-9] org.apache.catalina.authenticator.FormAuthenticator.forwardToLoginPage No login page was defined for FORM authentication in context [/orbeon]
15-Jun-2020 11:07:33.283 FINE [https-jsse-nio-8443-exec-9] org.apache.catalina.authenticator.AuthenticatorBase.invoke  Failed authenticate() test

Comparing this with a different environment where the Valve works, I see:

12-Jun-2020 14:21:43.644 FINE [ContainerBackgroundProcessor[StandardEngine[Catalina]]] org.apache.catalina.session.ManagerBase.processExpires Start expire sessions StandardManager at 1591989703644 sessioncount 0
12-Jun-2020 14:21:43.645 FINE [ContainerBackgroundProcessor[StandardEngine[Catalina]]] org.apache.catalina.session.ManagerBase.processExpires End expire sessions StandardManager processingTime 1 expired sessions: 0
12-Jun-2020 14:21:43.646 FINE [ContainerBackgroundProcessor[StandardEngine[Catalina]]] org.apache.catalina.session.ManagerBase.processExpires Start expire sessions StandardManager at 1591989703646 sessioncount 0
12-Jun-2020 14:21:43.646 FINE [ContainerBackgroundProcessor[StandardEngine[Catalina]]] org.apache.catalina.session.ManagerBase.processExpires End expire sessions StandardManager processingTime 0 expired sessions: 0
12-Jun-2020 14:21:54.746 DEBUG [https-jsse-nio-8443-exec-4] org.keycloak.adapters.saml.CatalinaSamlSessionStore.isLoggedIn session was null, returning null
12-Jun-2020 14:21:54.747 FINE [https-jsse-nio-8443-exec-4] org.apache.catalina.authenticator.AuthenticatorBase.invoke Security checking request GET /the-app/
12-Jun-2020 14:21:54.747 FINE [https-jsse-nio-8443-exec-4] org.apache.catalina.realm.RealmBase.findSecurityConstraints   Checking constraint 'SecurityConstraint[Form Runner services and public pages and resources]' against GET / --> true
12-Jun-2020 14:21:54.748 FINE [https-jsse-nio-8443-exec-4] org.apache.catalina.realm.RealmBase.findSecurityConstraints   Checking constraint 'SecurityConstraint[Form Runner services and public pages and resources]' against GET / --> true
12-Jun-2020 14:21:54.750 FINE [https-jsse-nio-8443-exec-4] org.apache.catalina.authenticator.jaspic.AuthConfigFactoryImpl.loadPersistentRegistrations Loading persistent provider registrations from [/opt/tomcat/conf/jaspic-providers.xml]
12-Jun-2020 14:21:54.765 FINE [https-jsse-nio-8443-exec-4] org.apache.catalina.authenticator.AuthenticatorBase.invoke  Calling hasUserDataPermission()
12-Jun-2020 14:21:54.765 FINE [https-jsse-nio-8443-exec-4] org.apache.catalina.realm.RealmBase.hasUserDataPermission   User data constraint already satisfied
12-Jun-2020 14:21:54.765 FINE [https-jsse-nio-8443-exec-4] org.apache.catalina.authenticator.AuthenticatorBase.invoke  Calling authenticate()
12-Jun-2020 14:21:54.776 DEBUG [https-jsse-nio-8443-exec-4] org.keycloak.adapters.saml.SamlAuthenticator.authenticate SamlAuthenticator is using handler [org.keycloak.adapters.saml.profile.webbrowsersso.BrowserHandler@68df1d6a]
12-Jun-2020 14:21:54.776 DEBUG [https-jsse-nio-8443-exec-4] org.keycloak.adapters.saml.CatalinaSamlSessionStore.isLoggedIn session was null, returning null
12-Jun-2020 14:21:54.783 DEBUG [https-jsse-nio-8443-exec-4] org.keycloak.saml.common.DefaultPicketLinkLogger.debug org.keycloak.saml.processing.core.saml.v2.util.XMLTimeUtil issueInstant: 2020-06-12T19:21:54.781Z
12-Jun-2020 14:21:54.832 DEBUG [https-jsse-nio-8443-exec-4] org.keycloak.saml.common.DefaultPicketLinkLogger.debug The provider ApacheXMLDSig - 2.14 was added at position: 2
SLF4J: Failed to load class "org.slf4j.impl.StaticLoggerBinder".
SLF4J: Defaulting to no-operation (NOP) logger implementation
SLF4J: See http://www.slf4j.org/codes.html#StaticLoggerBinder for further details.
12-Jun-2020 14:21:54.911 FINE [https-jsse-nio-8443-exec-4] org.apache.catalina.authenticator.AuthenticatorBase.invoke  Failed authenticate() test

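What logger options can I set to determine why Tomcat loads form authentication instead of using the valve?

Interestingly, I can see KeyCloak log org.keycloak.adapters.saml.SamlUtil.validateSamlSession SamlSession was not found in the session for both environments. After that, the failing environment appears to call FormAuthenticator, while the working environment calls SamlAuthenticator.

Both environments show KeyCloak initializing and reading its configuration: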

15-Jun-2020 11:40:56.921 DEBUG [localhost-startStop-1] org.keycloak.saml.common.DefaultPicketLinkLogger.usingLoggerImplementation Using logger implementation: org.keycloak.saml.common.DefaultPicketLinkLogger
15-Jun-2020 11:40:56.947 DEBUG [localhost-startStop-1] org.keycloak.saml.common.DefaultPicketLinkLogger.debug Element {urn:keycloak:saml:adapter}PrivateKey bypassed
15-Jun-2020 11:40:56.947 DEBUG [localhost-startStop-1] org.keycloak.saml.common.DefaultPicketLinkLogger.debug Element {urn:keycloak:saml:adapter}Certificate bypassed
15-Jun-2020 11:40:56.949 DEBUG [localhost-startStop-1] org.keycloak.saml.common.DefaultPicketLinkLogger.debug Element {urn:keycloak:saml:adapter}Attribute bypassed
15-Jun-2020 11:40:56.949 DEBUG [localhost-startStop-1] org.keycloak.saml.common.DefaultPicketLinkLogger.debug Element {urn:keycloak:saml:adapter}Attribute bypassed
15-Jun-2020 11:40:56.950 DEBUG [localhost-startStop-1] org.keycloak.saml.common.DefaultPicketLinkLogger.debug Element {urn:keycloak:saml:adapter}Property bypassed
15-Jun-2020 11:40:56.955 DEBUG [localhost-startStop-1] org.keycloak.saml.common.DefaultPicketLinkLogger.debug Element {urn:keycloak:saml:adapter}Certificate bypassed
15-Jun-2020 11:40:56.957 DEBUG [localhost-startStop-1] org.keycloak.adapters.saml.config.parsers.DeploymentBuilder.build Try to load key [mykey]
15-Jun-2020 11:40:57.320 DEBUG [localhost-startStop-1] org.keycloak.adapters.saml.RoleMappingsProviderUtils.loadProviders Loaded RoleMappingsProvider properties-based-role-mapper
15-Jun-2020 11:40:57.321 DEBUG [localhost-startStop-1] org.keycloak.adapters.saml.RoleMappingsProviderUtils.loadProviders Loaded RoleMappingsProvider properties-based-role-mapper
15-Jun-2020 11:40:57.321 DEBUG [localhost-startStop-1] org.keycloak.adapters.saml.PropertiesBasedRoleMapper.init Resource loader successfully loaded role mappings from /WEB-INF/role-mappings.properties
15-Jun-2020 11:40:57.322 DEBUG [localhost-startStop-1] org.keycloak.adapters.saml.AbstractSamlAuthenticatorValve.keycloakInit Keycloak is using a per-deployment configuration.

The META-INF/context.xml for both environments is as follows:

<Context path="/orbeon">
        <Valve className="org.keycloak.adapters.saml.tomcat.SamlAuthenticatorValve"/>
        <Resource ... DATABASE RESOURCE INFO HERE ... />
</Context>

Web.xml is long, but I believe the relevant part of the security configuration is:

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Form Runner services and public pages and resources</web-resource-name>
            <url-pattern>/*</url-pattern>
            <url-pattern>/fr/service/*</url-pattern>
            <url-pattern>/fr/style/*</url-pattern>
            <url-pattern>/fr/not-found</url-pattern>
            <url-pattern>/fr/unauthorized</url-pattern>
            <url-pattern>/fr/error</url-pattern>
            <url-pattern>/fr/login</url-pattern>
            <url-pattern>/fr/login-error</url-pattern>
        </web-resource-collection>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
        <auth-constraint>
            <role-name>orbeon-user</role-name>
        </auth-constraint>
    </security-constraint>
    <login-config>
        <auth-method>FORM</auth-method>
        <form-login-config>
            <form-login-page>/fr/login</form-login-page>
            <form-error-page>/fr/login-error</form-error-page>
        </form-login-config>
    </login-config>
    <security-role>
        <role-name>orbeon-user</role-name>
    </security-role>
    <!-- End Form Runner authentication -->
    <session-config>
        <session-timeout>60</session-timeout>
    </session-config>

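I have tried changing the login-config to BASIC per the WAR Configuration section of Tomcat SAML Adapters. This does not change the behavior in either environment.

I am able to POST a signed SAML object to /orbeon/saml and I see KeyCloak attempt to validate the signature, etc. This should prove that KeyCloak is listening, and that my problem is somehow in the application or web.xml making the authentication redirect.

Best answer

Please check the version of the KeyCloak adapter you are using. The adapter for Tomcat version 7 is different from the adapter for Tomcat versions 8 and 9.

If we compare KeyCloak's two adapter modules, the one for Tomcat 8, 9 and its counterpart for Tomcat 7, we see that the module for Tomcat 7 does not override or implement FormAuthenticator.doAuthenticate. So if that Tomcat 7 module is called from Tomcat 8, it will call the parent doAuthenticate method and attempt form-based authentication.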
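An added example, not part of the original question or answer: a small log check that reports, per request, whether Tomcat's FormAuthenticator or the KeyCloak SamlAuthenticator ran after `Calling authenticate()`, which is the symptom the answer attributes to a mismatched adapter. It assumes FINE/DEBUG logging as in the question's logs; the function names are hypothetical and the sample lines are abridged from the logs above.

```python
import re

# Tomcat JULI line: "<date> <time> <LEVEL> [<thread>] <class.method> <message>"
LINE = re.compile(r"^\s*\S+ \S+ (\w+) \[(.+?)\] ([\w.$]+) (.*)$")
INVOKE = "org.apache.catalina.authenticator.AuthenticatorBase.invoke"
HANDLERS = {  # class-name prefixes as they appear in the question's logs
    "org.apache.catalina.authenticator.FormAuthenticator.": "FORM",
    "org.keycloak.adapters.saml.SamlAuthenticator.": "SAML",
}

def authenticators_used(log_text):
    """Return (request, handler) pairs; handler is 'FORM', 'SAML' or None."""
    current, results = {}, []      # current: thread name -> open request record
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue               # SLF4J banners, blank lines, stack traces
        _level, thread, src, msg = m.groups()
        msg = msg.strip()
        if src == INVOKE and msg.startswith("Security checking request "):
            rec = {"request": msg.split("request ", 1)[1],
                   "armed": False, "handler": None}
            current[thread] = rec
            results.append(rec)
        elif src == INVOKE and msg == "Calling authenticate()" and thread in current:
            current[thread]["armed"] = True
        elif thread in current and current[thread]["armed"]:
            rec = current[thread]  # first authenticator class seen wins
            for prefix, name in HANDLERS.items():
                if rec["handler"] is None and src.startswith(prefix):
                    rec["handler"] = name
    return [(r["request"], r["handler"]) for r in results]

def form_fallbacks(log_text):
    """Requests where FormAuthenticator ran instead of the SAML authenticator."""
    return [req for req, h in authenticators_used(log_text) if h == "FORM"]

# Sample input: lines abridged from the failing and working logs in the question.
FAILING = """\
15-Jun-2020 11:07:33.282 FINE [https-jsse-nio-8443-exec-9] org.apache.catalina.authenticator.AuthenticatorBase.invoke Security checking request GET /orbeon/fr
15-Jun-2020 11:07:33.282 FINE [https-jsse-nio-8443-exec-9] org.apache.catalina.authenticator.AuthenticatorBase.invoke  Calling authenticate()
15-Jun-2020 11:07:33.283 WARNING [https-jsse-nio-8443-exec-9] org.apache.catalina.authenticator.FormAuthenticator.forwardToLoginPage No login page was defined for FORM authentication in context [/orbeon]
"""
WORKING = """\
12-Jun-2020 14:21:54.747 FINE [https-jsse-nio-8443-exec-4] org.apache.catalina.authenticator.AuthenticatorBase.invoke Security checking request GET /the-app/
12-Jun-2020 14:21:54.765 FINE [https-jsse-nio-8443-exec-4] org.apache.catalina.authenticator.AuthenticatorBase.invoke  Calling authenticate()
12-Jun-2020 14:21:54.776 DEBUG [https-jsse-nio-8443-exec-4] org.keycloak.adapters.saml.SamlAuthenticator.authenticate SamlAuthenticator is using handler [org.keycloak.adapters.saml.profile.webbrowsersso.BrowserHandler@68df1d6a]
"""
```

Any request returned by `form_fallbacks` on a context that declares the SAML valve indicates the valve class did not take over authentication for that request.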

Regarding Tomcat using FormAuthentication instead of KeyCloak Tomcat Valve SAML authentication, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/62351403/