Problem description
I have a JASPIC auth module that works really well on GlassFish, WildFly and WebLogic.
Now we have a new customer who uses WebSphere 8.5, and I can't get the auth module to run properly there.
The problem is that WebSphere doesn't accept the username that the auth module puts in the CallerPrincipalCallback. Our other supported servers just accept this, but WebSphere for some reason thinks it needs to perform some extra checks.
After investigating the issue I stumbled upon this one: https://www.ibm.com/developerworks/community/forums/html/topic?id=77777777-0000-0000-0000-000014937852
This exactly describes my problem, but there's no solution given there.
How can I convince WebSphere to just process the CallerPrincipalHandler and accept any username like all other servers do?
Recommended answer
The behavior attributed to WebSphere 8.5, WRT the processing of the JASPIC CallerPrincipalCallback is NOT compatible with the JASPIC specification.
The CallerPrincipalCallback(s) must be able to support the case where the user registry is integrated within the SAM, including for the purpose of providing user group memberships.
For the special case of password based validation, a SAM can invoke the container provided CallbackHandler to handle a PasswordValidationCallback; in which case the CallbackHandler will return a failure result if the username and/or password combination does not exist in the user registry integrated with the container's CallbackHandler. In that case, the SAM would return a failed (or continuation) authentication result and would NOT invoke the CallbackHandler to handle the CallerPrincipalCallback.
HTH,
Ron Monzillo
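The two cases described in the answer, side by side, as an added example that is not part of the original post or of any container's code. `ExampleSam`, the `SamRegistry` interface, the use of HTTP Basic credentials and the realm name are assumptions made for illustration; the callback classes are the standard `javax.security.auth.message.callback` ones.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.message.*;
import javax.security.auth.message.callback.*;
import javax.security.auth.message.module.ServerAuthModule;
import javax.servlet.http.*;
public class ExampleSam implements ServerAuthModule {
    // Hypothetical registry integrated in the SAM; returns null when the credentials are invalid.
    public interface SamRegistry { String[] groupsIfValid(String user, char[] password); }
    private final SamRegistry samRegistry;   // null: validate against the container's registry instead
    private CallbackHandler handler;         // supplied by the container in initialize()
    public ExampleSam(SamRegistry samRegistry) { this.samRegistry = samRegistry; }
    public void initialize(MessagePolicy req, MessagePolicy res, CallbackHandler h, Map options) { handler = h; }
    public Class[] getSupportedMessageTypes() { return new Class[] {HttpServletRequest.class, HttpServletResponse.class}; }
    public AuthStatus secureResponse(MessageInfo mi, Subject service) { return AuthStatus.SEND_SUCCESS; }
    public void cleanSubject(MessageInfo mi, Subject subject) { }
    public AuthStatus validateRequest(MessageInfo mi, Subject client, Subject service) throws AuthException {
        String auth = ((HttpServletRequest) mi.getRequestMessage()).getHeader("Authorization");
        if (auth == null || !auth.startsWith("Basic ")) return challenge(mi);
        try {
            String[] cred = new String(Base64.getDecoder().decode(auth.substring(6)), StandardCharsets.UTF_8).split(":", 2);
            if (cred.length != 2) return challenge(mi);
            String[] groups = null;
            if (samRegistry != null) {                        // case 1: user registry integrated in the SAM
                groups = samRegistry.groupsIfValid(cred[0], cred[1].toCharArray());
                if (groups == null) return challenge(mi);
            } else {                                          // case 2: the container validates the password
                PasswordValidationCallback pvc = new PasswordValidationCallback(client, cred[0], cred[1].toCharArray());
                handler.handle(new Callback[] {pvc});
                pvc.clearPassword();
                if (!pvc.getResult()) return challenge(mi);   // failed: CallerPrincipalCallback is NOT invoked
            }
            Callback caller = new CallerPrincipalCallback(client, cred[0]);
            handler.handle(groups == null ? new Callback[] {caller}
                    : new Callback[] {caller, new GroupPrincipalCallback(client, groups)});
            return AuthStatus.SUCCESS;
        } catch (Exception e) {                               // handler failures and malformed Base64
            throw (AuthException) new AuthException(e.getMessage()).initCause(e);
        }
    }
    private AuthStatus challenge(MessageInfo mi) {            // continuation result: ask for credentials again
        HttpServletResponse response = (HttpServletResponse) mi.getResponseMessage();
        response.setHeader("WWW-Authenticate", "Basic realm=\"example\"");
        response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        return AuthStatus.SEND_CONTINUE;
    }
}
```

In case 1 the container is expected to accept the caller name and groups as given by the SAM, which is the behavior the question reports as missing on WebSphere 8.5.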