A first look at OCCAS resource security

Source: Internet | Editor: 程序博客网 | Time: 2024/06/03 20:01

One day a colleague told me that their application was throwing an exception during an install/uninstall loop test and asked me to take a look. I checked the WebLogic log and found that the server was reporting a NullPointerException.

The stack shows that while SIP security is starting (SipSecurityManager.start), the role deployment code tries to remove stale roles from the embedded LDAP (DeployableRoleProviderV2Helper.cleanStaledRoles → RoleManager.removeRole → BasePolicyStore.deletePolicy → EmbeddedLDAPConnection.delete), and the delete throws the NPE. So the system apparently uses the LDAP that ships with WebLogic; as far as I remembered, that LDAP is only used by the security subsystem.

I logged into the WebLogic console and looked at the role configuration. The default security realm, myrealm, uses the DDOnly model; in weblogic.xml, sip.xml and web.xml all role-related configuration lives in the XML descriptors, and the Roles and Policies page of myrealm shows no roles at all. Everything looked normal, so this exception should not have occurred. Removing the role configuration from the XML files made everything work again.

I could not make sense of it, so I went to the WebLogic documentation to check the security configuration. According to the docs, the default realm under Security Realms stores user/role/policy information in the embedded LDAP; you can instead configure that information to be stored in another database, or plug in a conforming Security Provider in place of WebLogic's default security providers.

Normally we define which resources a role may access as a policy, then map users or groups to the corresponding role; everything in the application is deployed in terms of roles. This separates the frequently changing elements (users and groups) from the relatively stable role elements.


WebLogic's default realm supports several security models:


1. DDOnly model: the application's security roles and policies are defined entirely in the deployment descriptors. Roles are declared in weblogic.xml, the role-to-user/group mapping is also in weblogic.xml, and the policies (security constraints) are in web.xml and sip.xml.
weblogic.xml:

  <!-- map to web.xml/sip.xml security-role element -->
  <security-role-assignment>
    <role-name>PayrollAdmin</role-name>
    <!-- define user or group here -->
    <principal-name>Tanya</principal-name>
    <principal-name>Fred</principal-name>
    <principal-name>system</principal-name>
  </security-role-assignment>

  <!-- map to web.xml/sip.xml security run-as element -->
  <run-as-role-assignment>
    <role-name>RunAsRoleName</role-name>
    <run-as-principal-name>joe</run-as-principal-name>
  </run-as-role-assignment>

2. Custom Roles: the policies (which resources each role may access) stay in ejb-jar.xml/web.xml/sip.xml, and the roles those policies refer to are marked <externally-defined/> in weblogic.xml. The mapping from roles to users/groups is configured in the WebLogic security console. Users, groups and policies are stored in the embedded LDAP by default.
weblogic.xml:

  <security-role-assignment>
    <role-name>roleadmin</role-name>
    <!-- notify external definition is provided -->
    <externally-defined/>
  </security-role-assignment>

3. Custom Roles and Policies: both roles and policies are configured in the WebLogic security console; users, groups, roles and policies are stored in the embedded LDAP by default.

4. Advanced: the initial values are taken from the XML descriptors at deployment time, after which the WebLogic console takes over; users, groups, roles and policies are stored in the embedded LDAP by default. For this configuration, set "Check Roles and Policies" to "All Web applications and EJBs" and "When Deploying Web Applications or EJBs" to "Initialize roles and policies from DD"; once the application has been deployed, switch the latter to "Ignore roles and policies from DD".


From the WebLogic documentation I could not find anything wrong with the application's configuration; the only thing I noticed is that the newer version requires the Java EE namespace in sip.xml. Without the WebLogic source code, in the end I simply removed the WebLogic security configuration for the SIP part and did not investigate any further.

a) The OCCAS 4.0 sample WEB-INF/sip.xml declares the http://java.sun.com/xml/ns/javaee namespace and uses it for the Java EE elements (session-timeout, role-name):

$ cat /path/to/samples/sipserver/examples/src/findme/WEB-INF/sip.xml
<?xml version="1.0" encoding="UTF-8"?>
<sip-app xmlns="http://www.jcp.org/xml/ns/sipservlet"
         xmlns:javaee="http://java.sun.com/xml/ns/javaee">
...
  <!-- NEW: For use with DIGEST authentication -->
  <session-config>
    <javaee:session-timeout>1</javaee:session-timeout>
  </session-config>
  <security-constraint>
    <display-name>DEMO</display-name>
    <resource-collection>
      <resource-name>Demo constraint</resource-name>
      <description>This is a sample constraint</description>
      <servlet-name>findme</servlet-name>
      <sip-method>INVITE</sip-method>
    </resource-collection>
    <auth-constraint>
      <javaee:role-name>system-user</javaee:role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>DIGEST</auth-method>
    <realm-name>myrealm</realm-name>
  </login-config>
  <security-role>
    <javaee:role-name>system-user</javaee:role-name>
  </security-role>
</sip-app>

b) The WLSS 3.1 sample WEB-INF/sip.xml uses the sip-app 1.0 DTD and no namespace:

$ cat /path/to/samples/sipserver/examples/src/findme/WEB-INF/sip.xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE sip-app
   PUBLIC "-//Java Community Process//DTD SIP Application 1.0//EN"
   "http://www.jcp.org/dtd/sip-app_1_0.dtd">
<sip-app>
...
  <!-- NEW: For use with DIGEST authentication -->
  <session-config>
    <session-timeout>1</session-timeout>
  </session-config>
  <security-constraint>
    <display-name>DEMO</display-name>
    <resource-collection>
      <resource-name>Demo constraint</resource-name>
      <description>This is a sample constraint</description>
      <servlet-name>findme</servlet-name>
      <sip-method>INVITE</sip-method>
    </resource-collection>
    <auth-constraint>
      <role-name>system-user</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>DIGEST</auth-method>
    <realm-name>myrealm</realm-name>
  </login-config>
  <!-- system user for the run-as element for Registrar -->
  <security-role>
    <role-name>system-user</role-name>
  </security-role>
</sip-app>
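The checks described above (roles declared in web.xml/sip.xml, their mapping or <externally-defined/> marker in weblogic.xml, and the DDOnly versus custom-role models) were done by hand in this post. The script below is an added example, not code from the post or from Oracle; it cross-checks the three descriptors and reports the mismatches a practitioner would look for, tolerating both the OCCAS 4.0 form (javaee:role-name) and the WLSS 3.1 form (plain role-name). The embedded sample descriptors are constructed for this example, and the finding names (undeclared, unassigned, dangling-assignment, and so on) are my own labels, not WebLogic terminology.

```python
# Added example (not from the original post): cross-check the deployment
# descriptors the post inspects by hand. Sample descriptors are constructed.
import xml.etree.ElementTree as ET

SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <security-constraint>
    <web-resource-collection><url-pattern>/payroll/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>PayrollAdmin</role-name></auth-constraint>
  </security-constraint>
  <security-role><role-name>PayrollAdmin</role-name></security-role>
</web-app>"""

# OCCAS 4.0 style: sipservlet default namespace, role-name in the javaee namespace.
SAMPLE_SIP_XML = """<sip-app xmlns="http://www.jcp.org/xml/ns/sipservlet"
         xmlns:javaee="http://java.sun.com/xml/ns/javaee">
  <security-constraint>
    <resource-collection><servlet-name>findme</servlet-name><sip-method>INVITE</sip-method></resource-collection>
    <auth-constraint><javaee:role-name>system-user</javaee:role-name></auth-constraint>
  </security-constraint>
  <security-role><javaee:role-name>system-user</javaee:role-name></security-role>
</sip-app>"""

# Constructed weblogic.xml: one DD mapping, one externally-defined role.
SAMPLE_WEBLOGIC_XML = """<weblogic-web-app>
  <security-role-assignment>
    <role-name>PayrollAdmin</role-name>
    <principal-name>Tanya</principal-name><principal-name>Fred</principal-name>
  </security-role-assignment>
  <security-role-assignment><role-name>roleadmin</role-name><externally-defined/></security-role-assignment>
</weblogic-web-app>"""


def _local(tag):
    """Strip the {namespace} prefix ElementTree puts on qualified tag names."""
    return tag.rsplit("}", 1)[-1]


def _role_names(xml_text, parent_name):
    """role-name values directly under every <parent_name> element, any namespace."""
    names = set()
    for parent in ET.fromstring(xml_text.encode("utf-8")).iter():
        if _local(parent.tag) == parent_name:
            names.update((c.text or "").strip() for c in parent if _local(c.tag) == "role-name")
    return names


def declared_roles(descriptor_xml):
    """Roles declared with <security-role> in web.xml or sip.xml."""
    return _role_names(descriptor_xml, "security-role")


def constrained_roles(descriptor_xml):
    """Roles an <auth-constraint> requires (the policy side of the descriptor)."""
    return _role_names(descriptor_xml, "auth-constraint")


def role_assignments(weblogic_xml):
    """Map role-name -> ("dd", [principals]) or ("external", []) from weblogic.xml."""
    out = {}
    for sra in ET.fromstring(weblogic_xml.encode("utf-8")).iter():
        if _local(sra.tag) != "security-role-assignment":
            continue
        name, principals, external = None, [], False
        for child in sra:
            tag = _local(child.tag)
            if tag == "role-name":
                name = (child.text or "").strip()
            elif tag == "principal-name":
                principals.append((child.text or "").strip())
            elif tag == "externally-defined":
                external = True
        if name:
            out[name] = ("external", []) if external else ("dd", principals)
    return out


def check_descriptors(weblogic_xml, descriptors, model="DDOnly"):
    """Return (finding, role) pairs; model is DDOnly, CustomRoles or CustomRolesAndPolicies."""
    declared, used = set(), set()
    for xml_text in descriptors.values():
        declared |= declared_roles(xml_text)
        used |= constrained_roles(xml_text)
    assigned = role_assignments(weblogic_xml)
    assigned_names = set(assigned)
    findings = []
    for role in sorted(used - declared):              # constraint names an undeclared role
        findings.append(("undeclared", role))
    if model == "DDOnly":                              # DDOnly: every role needs a DD mapping
        for role in sorted(declared - assigned_names):
            findings.append(("unassigned", role))
    for role in sorted(assigned_names - declared):     # mapping for a role nobody declares
        findings.append(("dangling-assignment", role))
    for role, (kind, principals) in sorted(assigned.items()):
        if kind == "external" and model == "DDOnly":
            findings.append(("externally-defined-under-DDOnly", role))
        if kind == "dd" and not principals:
            findings.append(("empty-assignment", role))
        if kind == "dd" and principals and model != "DDOnly":
            findings.append(("principal-mapping-ignored", role))  # console owns the mapping
    return findings


if __name__ == "__main__":
    descriptors = {"web.xml": SAMPLE_WEB_XML, "sip.xml": SAMPLE_SIP_XML}
    for model in ("DDOnly", "CustomRoles"):
        print(model)
        for finding, role in check_descriptors(SAMPLE_WEBLOGIC_XML, descriptors, model):
            print(f"  {finding}: {role}")
```

Run against the constructed samples under DDOnly it reports system-user as unassigned (declared in sip.xml, no mapping in weblogic.xml), roleadmin as a dangling assignment (mapped but declared nowhere) and roleadmin as externally-defined under a model that does not use that marker; under CustomRoles it instead points out that the PayrollAdmin principal list in weblogic.xml is not what the realm will use. Point the three functions at real descriptor files and pass the model selected in the realm's configuration to get the same report for a deployment.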

More information:

http://docs.oracle.com/cd/E24329_01/web.1211/e24421/toc.htm


Full exception:

<AdminServer> <[ACTIVE] ExecuteThread: '47' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1384264755084> <BEA-149078> <Stack trace for message 149004
weblogic.application.ModuleException:
    at weblogic.servlet.internal.WebAppModule.startContexts(WebAppModule.java:1514)
    at weblogic.servlet.internal.WebAppModule.start(WebAppModule.java:486)
    at weblogic.application.internal.flow.ModuleStateDriver$3.next(ModuleStateDriver.java:425)
    at weblogic.application.utils.StateMachineDriver.nextState(StateMachineDriver.java:41)
    at weblogic.application.internal.flow.ModuleStateDriver.start(ModuleStateDriver.java:119)
    at weblogic.application.internal.flow.ScopedModuleDriver.start(ScopedModuleDriver.java:201)
    at weblogic.application.internal.flow.ModuleListenerInvoker.start(ModuleListenerInvoker.java:249)
    at weblogic.application.internal.flow.ModuleStateDriver$3.next(ModuleStateDriver.java:427)
    at weblogic.application.utils.StateMachineDriver.nextState(StateMachineDriver.java:41)
    at weblogic.application.internal.flow.ModuleStateDriver.start(ModuleStateDriver.java:119)
    at weblogic.application.internal.flow.StartModulesFlow.activate(StartModulesFlow.java:28)
    at weblogic.application.internal.BaseDeployment$2.next(BaseDeployment.java:1269)
    at weblogic.application.utils.StateMachineDriver.nextState(StateMachineDriver.java:41)
    at weblogic.application.internal.BaseDeployment.activate(BaseDeployment.java:409)
    at weblogic.application.internal.EarDeployment.activate(EarDeployment.java:58)
    at weblogic.application.internal.DeploymentStateChecker.activate(DeploymentStateChecker.java:161)
    at weblogic.deploy.internal.targetserver.AppContainerInvoker.activate(AppContainerInvoker.java:79)
    at weblogic.deploy.internal.targetserver.operations.AbstractOperation.activate(AbstractOperation.java:569)
    at weblogic.deploy.internal.targetserver.operations.ActivateOperation.activateDeployment(ActivateOperation.java:150)
    at weblogic.deploy.internal.targetserver.operations.ActivateOperation.doCommit(ActivateOperation.java:116)
    at weblogic.deploy.internal.targetserver.operations.StartOperation.doCommit(StartOperation.java:143)
    at weblogic.deploy.internal.targetserver.operations.AbstractOperation.commit(AbstractOperation.java:323)
    at weblogic.deploy.internal.targetserver.DeploymentManager.handleDeploymentCommit(DeploymentManager.java:844)
    at weblogic.deploy.internal.targetserver.DeploymentManager.activateDeploymentList(DeploymentManager.java:1253)
    at weblogic.deploy.internal.targetserver.DeploymentManager.handleCommit(DeploymentManager.java:440)
    at weblogic.deploy.internal.targetserver.DeploymentServiceDispatcher.commit(DeploymentServiceDispatcher.java:164)
    at weblogic.deploy.service.internal.targetserver.DeploymentReceiverCallbackDeliverer.doCommitCallback(DeploymentReceiverCallbackDeliverer.java:195)
    at weblogic.deploy.service.internal.targetserver.DeploymentReceiverCallbackDeliverer.access$100(DeploymentReceiverCallbackDeliverer.java:13)
    at weblogic.deploy.service.internal.targetserver.DeploymentReceiverCallbackDeliverer$2.run(DeploymentReceiverCallbackDeliverer.java:69)
    at weblogic.work.SelfTuningWorkManagerImpl$WorkAdapterImpl.run(SelfTuningWorkManagerImpl.java:528)
    at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201)
    at weblogic.work.ExecuteThread.run(ExecuteThread.java:173)
Caused By: java.lang.NullPointerException
    at com.octetstring.vde.backend.standard.BackendStandard.delete(BackendStandard.java:525)
    at com.octetstring.vde.backend.BackendHandler.delete(BackendHandler.java:517)
    at weblogic.ldap.EmbeddedLDAPConnection.delete(EmbeddedLDAPConnection.java:1546)
    at com.bea.common.ldap.LDAPStoreManager.flush(LDAPStoreManager.java:388)
    at org.apache.openjpa.abstractstore.AbstractStoreManager.flush(AbstractStoreManager.java:277)
    at org.apache.openjpa.kernel.DelegatingStoreManager.flush(DelegatingStoreManager.java:130)
    at org.apache.openjpa.datacache.DataCacheStoreManager.flush(DataCacheStoreManager.java:571)
    at org.apache.openjpa.kernel.DelegatingStoreManager.flush(DelegatingStoreManager.java:130)
    at org.apache.openjpa.kernel.BrokerImpl.flush(BrokerImpl.java:2017)
    at org.apache.openjpa.kernel.BrokerImpl.flushSafe(BrokerImpl.java:1915)
    at org.apache.openjpa.kernel.BrokerImpl.beforeCompletion(BrokerImpl.java:1833)
    at org.apache.openjpa.kernel.LocalManagedRuntime.commit(LocalManagedRuntime.java:81)
    at org.apache.openjpa.kernel.BrokerImpl.commit(BrokerImpl.java:1357)
    at kodo.kernel.KodoBroker.commit(KodoBroker.java:103)
    at org.apache.openjpa.kernel.DelegatingBroker.commit(DelegatingBroker.java:877)
    at kodo.jdo.PersistenceManagerImpl.commit(PersistenceManagerImpl.java:409)
    at com.bea.security.providers.xacml.store.BasePolicyStore.deletePolicy(BasePolicyStore.java:1045)
    at com.bea.security.providers.xacml.entitlement.RoleManager.removeRole(RoleManager.java:468)
    at weblogic.security.providers.xacml.DeployableRoleProviderV2Helper$DeployRoleHandleImpl.cleanStaledRoles(DeployableRoleProviderV2Helper.java:312)
    at weblogic.security.providers.xacml.DeployableRoleProviderV2Helper.endDeployRoles(DeployableRoleProviderV2Helper.java:195)
    at weblogic.security.providers.xacml.authorization.XACMLRoleMapperProviderImpl.endDeployRoles(XACMLRoleMapperProviderImpl.java:250)
    at com.bea.common.security.internal.legacy.service.RoleDeployerProviderImpl$V2AdapterExt$DeploymentHandlerImpl.endDeployRoles(RoleDeployerProviderImpl.java:308)
    at com.bea.common.security.internal.service.RoleDeploymentServiceImpl$DeploymentHandlerImpl.endDeployRoles(RoleDeploymentServiceImpl.java:184)
    at weblogic.security.service.WLSRoleDeploymentServiceWrapper$DeploymentHandlerImpl.endDeployRoles(WLSRoleDeploymentServiceWrapper.java:99)
    at weblogic.security.service.RoleManager$HandlerAdaptor.endDeployRoles(RoleManager.java:348)
    at weblogic.security.service.RoleManager.endDeployRoles(RoleManager.java:246)
    at com.bea.wcp.sip.security.internal.SipSecurityManager.start(SipSecurityManager.java:700)
    at com.bea.wcp.sip.engine.server.CanaryContext.activate(CanaryContext.java:580)
    at com.bea.wcp.sip.engine.SipContainerServletContextListener.contextInitialized(SipContainerServletContextListener.java:42)
    at weblogic.servlet.internal.EventsManager$FireContextListenerAction.run(EventsManager.java:481)
    at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
    at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:121)
    at weblogic.servlet.internal.EventsManager.notifyContextCreatedEvent(EventsManager.java:181)
    at weblogic.servlet.internal.WebAppServletContext.preloadResources(Unknown Source)
    at weblogic.servlet.internal.WebAppServletContext.start(Unknown Source)
    at weblogic.servlet.internal.WebAppModule.startContexts(WebAppModule.java:1512)
    at weblogic.servlet.internal.WebAppModule.start(WebAppModule.java:486)
    at weblogic.application.internal.flow.ModuleStateDriver$3.next(ModuleStateDriver.java:425)
    at weblogic.application.utils.StateMachineDriver.nextState(StateMachineDriver.java:41)
    at weblogic.application.internal.flow.ModuleStateDriver.start(ModuleStateDriver.java:119)
    at weblogic.application.internal.flow.ScopedModuleDriver.start(ScopedModuleDriver.java:200)
    at weblogic.application.internal.flow.ModuleListenerInvoker.start(ModuleListenerInvoker.java:247)
    at weblogic.application.internal.flow.ModuleStateDriver$3.next(ModuleStateDriver.java:425)
    at weblogic.application.utils.StateMachineDriver.nextState(StateMachineDriver.java:41)
    at weblogic.application.internal.flow.ModuleStateDriver.start(ModuleStateDriver.java:119)
    at weblogic.application.internal.flow.StartModulesFlow.activate(StartModulesFlow.java:27)
    at weblogic.application.internal.BaseDeployment$2.next(BaseDeployment.java:1267)
    at weblogic.application.utils.StateMachineDriver.nextState(StateMachineDriver.java:41)
    at weblogic.application.internal.BaseDeployment.activate(BaseDeployment.java:409)
    at weblogic.application.internal.EarDeployment.activate(EarDeployment.java:58)
    at weblogic.application.internal.DeploymentStateChecker.activate(DeploymentStateChecker.java:161)
    at weblogic.deploy.internal.targetserver.AppContainerInvoker.activate(AppContainerInvoker.java:79)
    at weblogic.deploy.internal.targetserver.operations.AbstractOperation.activate(AbstractOperation.java:569)
    at weblogic.deploy.internal.targetserver.operations.ActivateOperation.activateDeployment(ActivateOperation.java:150)
    at weblogic.deploy.internal.targetserver.operations.ActivateOperation.doCommit(ActivateOperation.java:116)
    at weblogic.deploy.internal.targetserver.operations.StartOperation.doCommit(StartOperation.java:143)
    at weblogic.deploy.internal.targetserver.operations.AbstractOperation.commit(AbstractOperation.java:323)
    at weblogic.deploy.internal.targetserver.DeploymentManager.handleDeploymentCommit(DeploymentManager.java:844)
    at weblogic.deploy.internal.targetserver.DeploymentManager.activateDeploymentList(DeploymentManager.java:1253)
    at weblogic.deploy.internal.targetserver.DeploymentManager.handleCommit(DeploymentManager.java:440)
    at weblogic.deploy.internal.targetserver.DeploymentServiceDispatcher.commit(DeploymentServiceDispatcher.java:163)
    at weblogic.deploy.service.internal.targetserver.DeploymentReceiverCallbackDeliverer.doCommitCallback(DeploymentReceiverCallbackDeliverer.java:195)
    at weblogic.deploy.service.internal.targetserver.DeploymentReceiverCallbackDeliverer.access$100(DeploymentReceiverCallbackDeliverer.java:13)
    at weblogic.deploy.service.internal.targetserver.DeploymentReceiverCallbackDeliverer$2.run(DeploymentReceiverCallbackDeliverer.java:68)
    at weblogic.work.SelfTuningWorkManagerImpl$WorkAdapterImpl.run(SelfTuningWorkManagerImpl.java:528)
    at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201)
    at weblogic.work.ExecuteThread.run(ExecuteThread.java:173)

