OpenAM J2EE agent installation bringing down Tomcat

Published 2019-10-22 05:05

OpenAM version 12, agent versions 3.5 and 3.3, Tomcat 7

I tried to follow the link https://forums.alfresco.com/forum/installation-upgrades-configuration-integration/authentication-ldap-sso/sso-openam-06052012 to set up my J2EE agent. Let me paste the steps after asking the question (see the end).

But I got the following error:

Unable to add user to custom data store for the user profile of the J2EE agent

I have tried installing version 3.5 and uninstalling it several times, and tried the previous version too.

There is a good discussion on this topic at http://database.developer-works.com/article/16009911/%22Cannot+obtain+Application+SSO+token%22+error , but it did not help me much.

I am using LDAP, so I have used the LDAP realm, and the subjects all show up fine. I also observed that the Policies tab has changed quite a bit from how it is described in the blog.

Now I am stuck at this roadblock and do not know how to proceed, as the error gives me no clue what to do. I even added a file named AMConfig.properties to the classpath with the agent's username and password, and also tried the OpenAM admin username and password, as suggested in the discussion mentioned above. But that did not help either.

The problem is that Tomcat now does not start, giving the error "AMConfig.properties property required".

I know the OpenAM realm setup is fine, as I am able to log in to another application (Liferay) through this realm; I only have to give the OpenAM integration URL to log in. After uninstalling the agent, Tomcat starts without any error and I am able to log in to the application.

-------------------Step copied from 1st link(modified)--------------------------

1. Configure your OpenAM agent (tried both the 3.5 and 3.3 versions on Tomcat 7)
a. Log into OpenAM as the admin user and navigate to "Access Control -> (Your Realm)" - in my case the LDAP Realm (another application is using it without issue)
b. Select Policies -> New Policy
c. Enter Share as the policy name and then create 2 new URL Policy Agent rules
d. 1st Resource Name = http://<host>:<port>/share/* (host and port were lost from the page; they are the Share host and port)
e. 2nd Resource Name = http://alfresco.domain.com:8080/share/*?*
f. Add subjects - already part of the LDAP Realm
g. Now select Agents -> J2EE -> (your J2EE agent)
h. Select the Application tab
i. Login Processing -> Login Form URI - add /share/page/dologin
j. Logout Processing -> Application Logout URL - add Map Key = share - Corresponding Map Value = /share/page/dologout
k. Not Enforced URI Processing - add 2 entries - /share and /share/
l. Profile Attributes Processing - select HTTP_HEADER and add Map Key = uid - Corresponding Map Value = SsoUserHeader (this is what I called my header in the alfresco-global.properties file - see below)

# alfresco-global.properties

# Auth chain
authentication.chain=external1:external,alfrescoNtlm1:alfrescoNtlm
alfresco.authentication.allowGuestLogin=true

# SSO settings
external.authentication.enabled=true
external.authentication.defaultAdministratorUserNames=admin
external.authentication.proxyUserName=
external.authentication.proxyHeader=SsoUserHeader

NOTE- It does not seem possible to configure SSO where the Guest login has been disabled. There are webscripts used on the Alfresco repository that need guest login.

That concludes the setup for Alfresco and OpenAM

For Share you need to have the following section uncommented in your share-config-custom.xml

<!-- share-config-custom.xml: element names restored; the page had lost the tags -->
<config evaluator="string-compare" condition="Remote">
  <remote>
    <ssl-config>
      <keystore-path>alfresco/web-extension/alfresco-system.p12</keystore-path>
      <keystore-type>pkcs12</keystore-type>
      <keystore-password>alfresco-system</keystore-password>
    </ssl-config>

    <connector>
      <id>alfrescoCookie</id>
      <name>Alfresco Connector</name>
      <description>Connects to an Alfresco instance using cookie-based authentication</description>
      <class>org.alfresco.web.site.servlet.SlingshotAlfrescoConnector</class>
    </connector>

    <connector>
      <id>alfrescoHeader</id>
      <name>Alfresco Connector</name>
      <description>Connects to an Alfresco instance using header and cookie-based authentication</description>
      <class>org.alfresco.web.site.servlet.SlingshotAlfrescoConnector</class>
      <userHeader>SsoUserHeader</userHeader>
    </connector>

    <endpoint>
      <id>alfresco</id>
      <name>Alfresco - user access</name>
      <description>Access to Alfresco Repository WebScripts that require user authentication</description>
      <connector-id>alfrescoHeader</connector-id>
      <endpoint-url>http://alfreso.domain.com:8080/alfresco/wcs</endpoint-url>
      <identity>user</identity>
      <external-auth>true</external-auth>
    </endpoint>
  </remote>
</config>

Notice that I am not using the SSL cert, that in my alfrescoHeader connector I have used SsoUserHeader (as set up in OpenAM), and that the endpoint uses the alfrescoHeader connector.

Now you need to add the OpenAM filter to the Share web.xml file

Add the following filter just before the Share SSO authentication support filter

<!-- Share web.xml: element names restored; the page had lost the tags -->
<filter>
  <filter-name>Agent</filter-name>
  <filter-class>com.sun.identity.agents.filter.AmAgentFilter</filter-class>
</filter>

Add the following filter mapping to the filter-mapping section

<filter-mapping>
  <filter-name>Agent</filter-name>
  <!-- the url-pattern was lost from the page; /* is the mapping the OpenAM agent documentation uses -->
  <url-pattern>/*</url-pattern>
  <dispatcher>REQUEST</dispatcher>
  <dispatcher>INCLUDE</dispatcher>
  <dispatcher>FORWARD</dispatcher>
  <dispatcher>ERROR</dispatcher>
</filter-mapping>
----- End ----------

Answer 1:

The error message is a bit misleading: in general, "Cannot obtain Application SSO token" means that the agent could not authenticate itself. When you install the agent, the installer asks for a profile name and a password file; these values must correspond to the agent profile configured within OpenAM. To test whether you can authenticate as the agent user, you can simply try to authenticate by making the following request:

curl -d "username=profilename&password=password&uri=realm=/%26module=Application" http://aldaris.sch.bme.hu:8080/openam/identity/authenticate

Also, the realm value in the above command needs to be the same as the value of the "com.sun.identity.agents.config.organization.name" property defined in OpenSSOAgentBootstrap.properties (under the agent's installation directory).

A wrong username/password combination is only one possible root cause of this exception, though. It is also possible that during startup the agent cannot connect to OpenAM to authenticate itself. In that case the problem could be:

  • a network error or firewall issue preventing the agent from reaching OpenAM
  • an SSL trust issue: the agent's JVM does not trust the OpenAM container's certificate (only an issue if you installed the agent with an HTTPS URL for OpenAM and the certificate is self-signed or simply not trusted by the JVM)
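The check the answer describes, scripted as an added example (this is neither code from the question or answer nor from the OpenAM project): it reads the realm from OpenSSOAgentBootstrap.properties, sends the same request as the curl command to /identity/authenticate, and maps a failure to the three root causes the answer lists (wrong profile name/password/realm, network or firewall, TLS trust). The naming-service property name used to derive the OpenAM URL, the constructed sample bootstrap file and the hostnames in it are assumptions of the example, not facts from the page.

```python
"""Pre-flight check for an OpenAM J2EE agent's own login (added example)."""
import re
import ssl
import sys
import urllib.error
import urllib.parse
import urllib.request

ORG_KEY = "com.sun.identity.agents.config.organization.name"   # property named in the answer
NAMING_KEY = "com.sun.identity.agents.config.naming.url"        # assumed; used to derive the OpenAM URL

# Constructed sample bootstrap file; host and profile name are made up for the example.
SAMPLE_BOOTSTRAP = """\
# OpenSSOAgentBootstrap.properties (constructed sample)
com.sun.identity.agents.config.organization.name = /
com.sun.identity.agents.config.naming.url = http\\://openam.example.com\\:8080/openam/namingservice
com.sun.identity.agents.app.username = tomcat-agent
"""

_PROP_RE = re.compile(r"^((?:\\.|[^=:\s])+)\s*[=:]?\s*(.*)$")


def parse_properties(text):
    """Minimal Java .properties reader: '#'/'!' comments, key=value or key:value,
    and the '\\:' / '\\=' escapes the agent installer writes into URLs."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = _PROP_RE.match(line)
        if m:
            props[m.group(1)] = m.group(2).strip().replace("\\:", ":").replace("\\=", "=")
    return props


def openam_base_url(props):
    """Deployment URL (.../openam) derived from the naming service URL (assumed property)."""
    return props[NAMING_KEY].rsplit("/", 1)[0]


def authenticate_body(username, password, realm, module="Application"):
    """Form body for POST /identity/authenticate. The '&' inside the uri value must be
    percent-encoded (the %26 in the answer's curl line); urlencode takes care of it."""
    return urllib.parse.urlencode({
        "username": username,
        "password": password,
        "uri": "realm=%s&module=%s" % (realm, module),
    })


def classify(outcome):
    """Map a request outcome to the root causes the answer lists.
    outcome is (status, body) for an HTTP reply, or the exception urlopen raised."""
    if isinstance(outcome, tuple):
        status, body = outcome
        if status == 200 and body.strip().startswith("token.id="):
            return "ok"
        if status in (401, 403):
            return "credentials"      # profile name, password file or realm is wrong
        return "unexpected-http-%d" % status
    if isinstance(outcome, urllib.error.HTTPError):
        return classify((outcome.code, outcome.read().decode("utf-8", "replace")))
    reason = getattr(outcome, "reason", outcome)   # URLError wraps the socket/ssl error
    if isinstance(reason, ssl.SSLError):            # check before OSError: SSLError is one
        return "ssl-trust"            # the JVM does not trust the OpenAM certificate
    if isinstance(reason, OSError):
        return "network"              # refused, unreachable, DNS failure, timeout
    return "unknown"


def check_agent_login(base_url, username, password, realm, timeout=10):
    """Send the request from the answer's curl command; returns (verdict, detail)."""
    req = urllib.request.Request(
        base_url + "/identity/authenticate",
        data=authenticate_body(username, password, realm).encode("utf-8"),
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            outcome = (resp.status, resp.read().decode("utf-8", "replace"))
    except Exception as exc:          # HTTPError, URLError, ssl and socket errors
        outcome = exc
    verdict = classify(outcome)
    # Never echo the SSO token: it is a bearer credential for the agent.
    detail = "token received (not shown)" if verdict == "ok" else repr(outcome)[:200]
    return verdict, detail


def simulated_failures():
    """Constructed outcomes (no network) showing how each failure is classified."""
    return {
        "ok": classify((200, "token.id=AQIC5wM2LY4Sfcy...\n")),
        "bad-password": classify((401, "Authentication failed")),
        "self-signed": classify(urllib.error.URLError(
            ssl.SSLCertVerificationError("certificate verify failed: self signed certificate"))),
        "firewalled": classify(urllib.error.URLError(ConnectionRefusedError(111, "Connection refused"))),
    }


if __name__ == "__main__":
    if len(sys.argv) != 4:
        sys.exit("usage: %s <OpenSSOAgentBootstrap.properties> <agent-profile> <password-file>" % sys.argv[0])
    with open(sys.argv[1], encoding="utf-8") as f:
        props = parse_properties(f.read())
    with open(sys.argv[3], encoding="utf-8") as f:   # the installer's password file: one line
        password = f.readline().rstrip("\r\n")
    print(*check_agent_login(openam_base_url(props), sys.argv[2], password, props[ORG_KEY]))
```

Run it from the agent host itself, not from your workstation, so that the network and trust verdicts reflect the JVM's actual path to OpenAM; a "credentials" verdict with the realm taken straight from the bootstrap file narrows the problem to the profile name or password file given at install time.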


Source: OpenAM J2EE agent installation bringing down tomcat