OCCAS resources security: a first look
Source: Internet  Editor: 程序博客网  Time: 2024/06/03 20:01
One day a colleague told me that their application threw an exception during an install/uninstall loop test and asked me to have a look. I checked the WebLogic log and found that the server had reported a NullPointerException.
From the stack, the failure happened during SIP security start, while trying to delete stale roles from the embedded LDAP. So the system was apparently using WebLogic's built-in LDAP, which as far as I remembered is only used by the security subsystem.
I logged in to WebLogic and looked at the role configuration. The default security realm myrealm was using the DDonly model. Looking at weblogic.xml, sip.xml and web.xml, all role-related configuration lived in the XML files, and the Roles and Policies page of myrealm showed no roles at all. Every setting looked normal, so this exception should not have occurred. Removing the role configuration from the XML made everything work again.
Puzzled, I had no choice but to consult the WebLogic documentation and review the security configuration. According to the documentation, for the default realm under Security Realms the embedded LDAP stores user/role/policy information; you can of course configure this information to be stored in another database, or configure a conforming Security Provider to replace WebLogic's default security behaviour.
Usually we define which resources a given role may access as a policy, then map users or groups to the corresponding role. Everything deployed in the application refers only to roles, which separates the frequently changing users/groups from the comparatively stable role element.
With WebLogic's default realm there are several models:
1. DDonly model: the application's security roles and policies are all defined in XML files. Roles are in weblogic.xml, the role-to-user mapping is also in weblogic.xml, and policies are in web.xml and sip.xml.
weblogic.xml:
<!-- map to web.xml/sip.xml security-role element -->
<security-role-assignment>
  <role-name>PayrollAdmin</role-name>
  <!-- define user or group here -->
  <principal-name>Tanya</principal-name>
  <principal-name>Fred</principal-name>
  <principal-name>system</principal-name>
</security-role-assignment>
<!-- map to web.xml/sip.xml security run-as element -->
<run-as-role-assignment>
  <role-name>RunAsRoleName</role-name>
  <run-as-principal-name>joe</run-as-principal-name>
</run-as-role-assignment>
2. Custom roles: the policy stating which resources each role may access goes in ejb-jar.xml/web.xml/sip.xml, and the role that the policy refers to is declared in weblogic.xml as <externally-defined/>. The mapping between roles and users/groups is configured in the WebLogic security console. Users/groups/policies are stored in LDAP by default.
weblogic.xml:
<security-role-assignment>
  <role-name>roleadmin</role-name>
  <!-- notify external definition is provided -->
  <externally-defined/>
</security-role-assignment>
3. Custom roles and policies: both roles and policies are configured in the WebLogic security console; users/groups/roles/policies are stored in LDAP by default.
4. Advanced: the initial values from the XML are used at startup, after which the WebLogic console takes over; users/groups/roles/policies are stored in LDAP by default. This configuration requires selecting "all web and ejb" for Check Roles and Policies and "init roles/policies from DD" for When Deploying Web or EJB; after the application has been deployed, switch the latter to "ignore roles/policies from DD".
From the WebLogic documentation I could not find anything wrong with the application's configuration; the only thing I noticed is that the new version requires the javaee namespace. Since I did not have the WebLogic source code, in the end I simply removed the SIP-related security configuration and did not investigate further.
a) OCCAS 4.0 example of WEB-INF/sip.xml is using http://java.sun.com/xml/ns/j2ee namespaces:
$ cat /path/to/samples/sipserver/examples/src/findme/WEB-INF/sip.xml
<?xml version="1.0" encoding="UTF-8"?>
<sip-app xmlns="http://www.jcp.org/xml/ns/sipservlet" xmlns:javaee="http://java.sun.com/xml/ns/javaee">
  ...
  <!-- NEW: For use with DIGEST authentication -->
  <session-config>
    <javaee:session-timeout>1</javaee:session-timeout>
  </session-config>
  <security-constraint>
    <display-name>DEMO</display-name>
    <resource-collection>
      <resource-name>Demo constraint</resource-name>
      <description>This is a sample constraint</description>
      <servlet-name>findme</servlet-name>
      <sip-method>INVITE</sip-method>
    </resource-collection>
    <auth-constraint>
      <javaee:role-name>system-user</javaee:role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>DIGEST</auth-method>
    <realm-name>myrealm</realm-name>
  </login-config>
  <security-role>
    <javaee:role-name>system-user</javaee:role-name>
  </security-role>
</sip-app>

b) WLSS 3.1 example of WEB-INF/sip.xml:
$ cat /path/to/samples/sipserver/examples/src/findme/WEB-INF/sip.xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE sip-app PUBLIC "-//Java Community Process//DTD SIP Application 1.0//EN" "http://www.jcp.org/dtd/sip-app_1_0.dtd">
<sip-app>
  ...
  <!-- NEW: For use with DIGEST authentication -->
  <session-config>
    <session-timeout>1</session-timeout>
  </session-config>
  <security-constraint>
    <display-name>DEMO</display-name>
    <resource-collection>
      <resource-name>Demo constraint</resource-name>
      <description>This is a sample constraint</description>
      <servlet-name>findme</servlet-name>
      <sip-method>INVITE</sip-method>
    </resource-collection>
    <auth-constraint>
      <role-name>system-user</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>DIGEST</auth-method>
    <realm-name>myrealm</realm-name>
  </login-config>
  <!-- system user for the run-as element for Registrar -->
  <security-role>
    <role-name>system-user</role-name>
  </security-role>
</sip-app>
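Added here as a worked check, not code from the original post or from Oracle: a small Python script that cross-checks a sip.xml and weblogic.xml pair under the DDonly model described above. It flags roles referenced by an auth-constraint but never declared, assignments in weblogic.xml that map an undeclared role or no principal, and role-name elements that are not in the javaee namespace when sip-app itself is namespaced as in the OCCAS 4.0 sample. The sample descriptors are constructed for the demo; externally-defined assignments are skipped as belonging to the custom roles model.

```python
import xml.etree.ElementTree as ET

JAVAEE_NS = "http://java.sun.com/xml/ns/javaee"

def _local(tag):
    """Local name of an ElementTree tag: '{ns}role-name' -> 'role-name'."""
    return tag.rsplit("}", 1)[-1]

def check_descriptors(sip_xml, weblogic_xml):
    """Return a list of findings; an empty list means the descriptors agree."""
    findings, declared, referenced = [], set(), set()
    sip, wl = ET.fromstring(sip_xml), ET.fromstring(weblogic_xml)
    namespaced = sip.tag.startswith("{")  # OCCAS 4.0 style: xmlns on sip-app
    for el in sip.iter():
        kind = _local(el.tag)
        if kind not in ("security-role", "auth-constraint"):
            continue
        for child in (c for c in el if _local(c.tag) == "role-name"):
            name = (child.text or "").strip()
            (declared if kind == "security-role" else referenced).add(name)
            # The OCCAS 4.0 sample qualifies every role-name as javaee:role-name
            if namespaced and not child.tag.startswith("{" + JAVAEE_NS + "}"):
                findings.append(f"{name}: role-name not in javaee namespace")
    for name in sorted(referenced - declared):
        findings.append(f"{name}: used in auth-constraint but not declared")
    for asg in wl.iter():
        if _local(asg.tag) != "security-role-assignment":
            continue
        kids = {_local(c.tag): c for c in asg}
        name = (kids["role-name"].text or "").strip()
        if "externally-defined" in kids:
            continue  # custom roles model: the mapping is done in the console
        if name not in declared:
            findings.append(f"{name}: assigned in weblogic.xml but not declared")
        elif "principal-name" not in kids:
            findings.append(f"{name}: assignment maps no user or group")
    return findings

# Constructed sample descriptors (not the page's files): system-user lacks the
# javaee prefix, "sip-admin" is referenced but undeclared, "PayrollAdmin" is
# mapped in weblogic.xml but undeclared, "roleadmin" is externally defined.
SAMPLE_SIP = f"""<sip-app xmlns="http://www.jcp.org/xml/ns/sipservlet" xmlns:javaee="{JAVAEE_NS}">
 <security-constraint><auth-constraint><javaee:role-name>sip-admin</javaee:role-name></auth-constraint></security-constraint>
 <security-role><role-name>system-user</role-name></security-role>
</sip-app>"""
SAMPLE_WL = """<weblogic-web-app>
 <security-role-assignment><role-name>system-user</role-name><principal-name>Tanya</principal-name></security-role-assignment>
 <security-role-assignment><role-name>PayrollAdmin</role-name><principal-name>Fred</principal-name></security-role-assignment>
 <security-role-assignment><role-name>roleadmin</role-name><externally-defined/></security-role-assignment>
</weblogic-web-app>"""
```

Calling check_descriptors(SAMPLE_SIP, SAMPLE_WL) returns three findings for the constructed pair; run it against the real WEB-INF descriptors before deploying to catch the mismatch before the role deployer does.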
More information:
http://docs.oracle.com/cd/E24329_01/web.1211/e24421/toc.htm
Exception details:
weblogic.application.ModuleException:
 at weblogic.servlet.internal.WebAppModule.startContexts(WebAppModule.java:1514)
 at weblogic.servlet.internal.WebAppModule.start(WebAppModule.java:486)
 at weblogic.application.internal.flow.ModuleStateDriver$3.next(ModuleStateDriver.java:425)
 at weblogic.application.utils.StateMachineDriver.nextState(StateMachineDriver.java:41)
 at weblogic.application.internal.flow.ModuleStateDriver.start(ModuleStateDriver.java:119)
 at weblogic.application.internal.flow.ScopedModuleDriver.start(ScopedModuleDriver.java:201)
 at weblogic.application.internal.flow.ModuleListenerInvoker.start(ModuleListenerInvoker.java:249)
 at weblogic.application.internal.flow.ModuleStateDriver$3.next(ModuleStateDriver.java:427)
 at weblogic.application.utils.StateMachineDriver.nextState(StateMachineDriver.java:41)
 at weblogic.application.internal.flow.ModuleStateDriver.start(ModuleStateDriver.java:119)
 at weblogic.application.internal.flow.StartModulesFlow.activate(StartModulesFlow.java:28)
 at weblogic.application.internal.BaseDeployment$2.next(BaseDeployment.java:1269)
 at weblogic.application.utils.StateMachineDriver.nextState(StateMachineDriver.java:41)
 at weblogic.application.internal.BaseDeployment.activate(BaseDeployment.java:409)
 at weblogic.application.internal.EarDeployment.activate(EarDeployment.java:58)
 at weblogic.application.internal.DeploymentStateChecker.activate(DeploymentStateChecker.java:161)
 at weblogic.deploy.internal.targetserver.AppContainerInvoker.activate(AppContainerInvoker.java:79)
 at weblogic.deploy.internal.targetserver.operations.AbstractOperation.activate(AbstractOperation.java:569)
 at weblogic.deploy.internal.targetserver.operations.ActivateOperation.activateDeployment(ActivateOperation.java:150)
 at weblogic.deploy.internal.targetserver.operations.ActivateOperation.doCommit(ActivateOperation.java:116)
 at weblogic.deploy.internal.targetserver.operations.StartOperation.doCommit(StartOperation.java:143)
 at weblogic.deploy.internal.targetserver.operations.AbstractOperation.commit(AbstractOperation.java:323)
 at weblogic.deploy.internal.targetserver.DeploymentManager.handleDeploymentCommit(DeploymentManager.java:844)
 at weblogic.deploy.internal.targetserver.DeploymentManager.activateDeploymentList(DeploymentManager.java:1253)
 at weblogic.deploy.internal.targetserver.DeploymentManager.handleCommit(DeploymentManager.java:440)
 at weblogic.deploy.internal.targetserver.DeploymentServiceDispatcher.commit(DeploymentServiceDispatcher.java:164)
 at weblogic.deploy.service.internal.targetserver.DeploymentReceiverCallbackDeliverer.doCommitCallback(DeploymentReceiverCallbackDeliverer.java:195)
 at weblogic.deploy.service.internal.targetserver.DeploymentReceiverCallbackDeliverer.access$100(DeploymentReceiverCallbackDeliverer.java:13)
 at weblogic.deploy.service.internal.targetserver.DeploymentReceiverCallbackDeliverer$2.run(DeploymentReceiverCallbackDeliverer.java:69)
 at weblogic.work.SelfTuningWorkManagerImpl$WorkAdapterImpl.run(SelfTuningWorkManagerImpl.java:528)
 at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201)
 at weblogic.work.ExecuteThread.run(ExecuteThread.java:173)
Caused By: java.lang.NullPointerException
 at com.octetstring.vde.backend.standard.BackendStandard.delete(BackendStandard.java:525)
 at com.octetstring.vde.backend.BackendHandler.delete(BackendHandler.java:517)
 at weblogic.ldap.EmbeddedLDAPConnection.delete(EmbeddedLDAPConnection.java:1546)
 at com.bea.common.ldap.LDAPStoreManager.flush(LDAPStoreManager.java:388)
 at org.apache.openjpa.abstractstore.AbstractStoreManager.flush(AbstractStoreManager.java:277)
 at org.apache.openjpa.kernel.DelegatingStoreManager.flush(DelegatingStoreManager.java:130)
 at org.apache.openjpa.datacache.DataCacheStoreManager.flush(DataCacheStoreManager.java:571)
 at org.apache.openjpa.kernel.DelegatingStoreManager.flush(DelegatingStoreManager.java:130)
 at org.apache.openjpa.kernel.BrokerImpl.flush(BrokerImpl.java:2017)
 at org.apache.openjpa.kernel.BrokerImpl.flushSafe(BrokerImpl.java:1915)
 at org.apache.openjpa.kernel.BrokerImpl.beforeCompletion(BrokerImpl.java:1833)
 at org.apache.openjpa.kernel.LocalManagedRuntime.commit(LocalManagedRuntime.java:81)
 at org.apache.openjpa.kernel.BrokerImpl.commit(BrokerImpl.java:1357)
 at kodo.kernel.KodoBroker.commit(KodoBroker.java:103)
 at org.apache.openjpa.kernel.DelegatingBroker.commit(DelegatingBroker.java:877)
 at kodo.jdo.PersistenceManagerImpl.commit(PersistenceManagerImpl.java:409)
 at com.bea.security.providers.xacml.store.BasePolicyStore.deletePolicy(BasePolicyStore.java:1045)
 at com.bea.security.providers.xacml.entitlement.RoleManager.removeRole(RoleManager.java:468)
 at weblogic.security.providers.xacml.DeployableRoleProviderV2Helper$DeployRoleHandleImpl.cleanStaledRoles(DeployableRoleProviderV2Helper.java:312)
 at weblogic.security.providers.xacml.DeployableRoleProviderV2Helper.endDeployRoles(DeployableRoleProviderV2Helper.java:195)
 at weblogic.security.providers.xacml.authorization.XACMLRoleMapperProviderImpl.endDeployRoles(XACMLRoleMapperProviderImpl.java:250)
 at com.bea.common.security.internal.legacy.service.RoleDeployerProviderImpl$V2AdapterExt$DeploymentHandlerImpl.endDeployRoles(RoleDeployerProviderImpl.java:308)
 at com.bea.common.security.internal.service.RoleDeploymentServiceImpl$DeploymentHandlerImpl.endDeployRoles(RoleDeploymentServiceImpl.java:184)
 at weblogic.security.service.WLSRoleDeploymentServiceWrapper$DeploymentHandlerImpl.endDeployRoles(WLSRoleDeploymentServiceWrapper.java:99)
 at weblogic.security.service.RoleManager$HandlerAdaptor.endDeployRoles(RoleManager.java:348)
 at weblogic.security.service.RoleManager.endDeployRoles(RoleManager.java:246)
 at com.bea.wcp.sip.security.internal.SipSecurityManager.start(SipSecurityManager.java:700)
 at com.bea.wcp.sip.engine.server.CanaryContext.activate(CanaryContext.java:580)
 at com.bea.wcp.sip.engine.SipContainerServletContextListener.contextInitialized(SipContainerServletContextListener.java:42)
 at weblogic.servlet.internal.EventsManager$FireContextListenerAction.run(EventsManager.java:481)
 at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
 at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:121)
 at weblogic.servlet.internal.EventsManager.notifyContextCreatedEvent(EventsManager.java:181)
 at weblogic.servlet.internal.WebAppServletContext.preloadResources(Unknown Source)
 at weblogic.servlet.internal.WebAppServletContext.start(Unknown Source)
 at weblogic.servlet.internal.WebAppModule.startContexts(WebAppModule.java:1512)
 at weblogic.servlet.internal.WebAppModule.start(WebAppModule.java:486)
 at weblogic.application.internal.flow.ModuleStateDriver$3.next(ModuleStateDriver.java:425)
 at weblogic.application.utils.StateMachineDriver.nextState(StateMachineDriver.java:41)
 at weblogic.application.internal.flow.ModuleStateDriver.start(ModuleStateDriver.java:119)
 at weblogic.application.internal.flow.ScopedModuleDriver.start(ScopedModuleDriver.java:200)
 at weblogic.application.internal.flow.ModuleListenerInvoker.start(ModuleListenerInvoker.java:247)
 at weblogic.application.internal.flow.ModuleStateDriver$3.next(ModuleStateDriver.java:425)
 at weblogic.application.utils.StateMachineDriver.nextState(StateMachineDriver.java:41)
 at weblogic.application.internal.flow.ModuleStateDriver.start(ModuleStateDriver.java:119)
 at weblogic.application.internal.flow.StartModulesFlow.activate(StartModulesFlow.java:27)
 at weblogic.application.internal.BaseDeployment$2.next(BaseDeployment.java:1267)
 at weblogic.application.utils.StateMachineDriver.nextState(StateMachineDriver.java:41)
 at weblogic.application.internal.BaseDeployment.activate(BaseDeployment.java:409)
 at weblogic.application.internal.EarDeployment.activate(EarDeployment.java:58)
 at weblogic.application.internal.DeploymentStateChecker.activate(DeploymentStateChecker.java:161)
 at weblogic.deploy.internal.targetserver.AppContainerInvoker.activate(AppContainerInvoker.java:79)
 at weblogic.deploy.internal.targetserver.operations.AbstractOperation.activate(AbstractOperation.java:569)
 at weblogic.deploy.internal.targetserver.operations.ActivateOperation.activateDeployment(ActivateOperation.java:150)
 at weblogic.deploy.internal.targetserver.operations.ActivateOperation.doCommit(ActivateOperation.java:116)
 at weblogic.deploy.internal.targetserver.operations.StartOperation.doCommit(StartOperation.java:143)
 at weblogic.deploy.internal.targetserver.operations.AbstractOperation.commit(AbstractOperation.java:323)
 at weblogic.deploy.internal.targetserver.DeploymentManager.handleDeploymentCommit(DeploymentManager.java:844)
 at weblogic.deploy.internal.targetserver.DeploymentManager.activateDeploymentList(DeploymentManager.java:1253)
 at weblogic.deploy.internal.targetserver.DeploymentManager.handleCommit(DeploymentManager.java:440)
 at weblogic.deploy.internal.targetserver.DeploymentServiceDispatcher.commit(DeploymentServiceDispatcher.java:163)
 at weblogic.deploy.service.internal.targetserver.DeploymentReceiverCallbackDeliverer.doCommitCallback(DeploymentReceiverCallbackDeliverer.java:195)
 at weblogic.deploy.service.internal.targetserver.DeploymentReceiverCallbackDeliverer.access$100(DeploymentReceiverCallbackDeliverer.java:13)
 at weblogic.deploy.service.internal.targetserver.DeploymentReceiverCallbackDeliverer$2.run(DeploymentReceiverCallbackDeliverer.java:68)
 at weblogic.work.SelfTuningWorkManagerImpl$WorkAdapterImpl.run(SelfTuningWorkManagerImpl.java:528)
 at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201)
 at weblogic.work.ExecuteThread.run(ExecuteThread.java:173)