This post covers an OpenAM J2EE agent installation that breaks Tomcat: the question as asked, followed by the recommended answer.

Problem description

OpenAM version 12, agent versions 3.5 and 3.3, Tomcat version 7

I have tried to follow the link https://forums.alfresco.com/forum/installation-upgrades-configuration-integration/authentication-ldap-sso/sso-openam-06052012 to set up my J2EE agent. Let me paste the steps after asking the question (see at the end).

But I am getting the error as asked below:

Not able to configure J2EE agent adding my custom data store for user

I have installed and uninstalled version 3.5 multiple times and tried the previous version as well.

http://database.developer-works.com/article/16009911/%22Cannot+obtain+Application+SSO+token%22+error but that did not help me much.

I am using LDAP, so I have used the LDAP realm and subjects are showing up OK. I am also observing that the policy tab has changed quite a bit from how it is described in the blogs.

Now with this roadblock I am not sure how to proceed, as the error is not giving me any clue what to do. I even added a file named AMConfig.properties to the classpath with the username and password of the agent, and tried the username and password of the OpenAM admin too, as suggested in the discussion mentioned. But that did not help either.

The issue is that Tomcat now does not start and gives an error that AMConfig.properties properties are needed.

I know the OpenAM realm setup is good, as I am able to log in via this realm to another application (Liferay), where I just have to give the URL for the OpenAM integration. But after uninstallation of the agent, Tomcat starts without any error and I am able to log in to the application.

-------------------Step copied from 1st link(modified)--------------------------

1. Configure your OpenAM agent (tried both 3.5 and 3.3 version on tomcat 7)
a. Log into OpenAM as the admin user and navigate to "Access Control -> (Your Realm) - where in my case LDAP Realm (other application using it without issue)
b. Select Policies -> New Policy
c. Enter Share as the policy name and then create 2 new URL Policy agent rules
d. 1st Resource Name = http://:/share/*
e. 2nd Resource Name = http://alfresco.domain.com:8080/share/*?*
f. Add a subjects - already part of LDAP Realm
g. Now select Agents -> J2EE - > (your J2EE agent)
h. Select the Application tab
i. Login Processing -> Login Form URI - add /share/page/dologin
j. Logout Processing -> Application Logout URL - add Map Key = share - Corresponding Map Value = /share/page/dologout
k. Not Enforced URI Processing - Add 2 entries - /share and /share/
l. Profile Attributes Processing - Select HTTP_HEADER and add Map Key = uid - Corresponding Map Value = SsoUserHeader (This is what I called my header in the alfresco-global.properties file - see below)

  Auth chain
authentication.chain=external1:external,alfrescoNtlm1:alfrescoNtlm
alfresco.authentication.allowGuestLogin=true

  SSO settings
external.authentication.enabled=true
external.authentication.defaultAdministratorUserNames=admin
external.authentication.proxyUserName=
external.authentication.proxyHeader=SsoUserHeader

NOTE- It does not seem possible to configure SSO where the Guest login has been disabled. There are webscripts used on the Alfresco repository that need guest login.

That concludes the setup for Alfresco and OpenAM

For Share you need to have the following section uncommented in your share-config-custom.xml

    <!-- element names restored from the standard Alfresco Share "Remote" config; the post preserved only the values -->
    <config evaluator="string-compare" condition="Remote">
      <remote>
        <keystore>
          <path>alfresco/web-extension/alfresco-system.p12</path>
          <type>pkcs12</type>
          <password>alfresco-system</password>
        </keystore>

        <connector>
          <id>alfrescoCookie</id>
          <name>Alfresco Connector</name>
          <description>Connects to an Alfresco instance using cookie-based authentication</description>
          <class>org.alfresco.web.site.servlet.SlingshotAlfrescoConnector</class>
        </connector>

        <connector>
          <id>alfrescoHeader</id>
          <name>Alfresco Connector</name>
          <description>Connects to an Alfresco instance using header and cookie-based authentication</description>
          <class>org.alfresco.web.site.servlet.SlingshotAlfrescoConnector</class>
          <userHeader>SsoUserHeader</userHeader>
        </connector>

        <endpoint>
          <id>alfresco</id>
          <name>Alfresco - user access</name>
          <description>Access to Alfresco Repository WebScripts that require user authentication</description>
          <connector-id>alfrescoHeader</connector-id>
          <endpoint-url>http://alfreso.domain.com:8080/alfresco/wcs</endpoint-url>
          <identity>user</identity>
          <external-auth>true</external-auth>
        </endpoint>
      </remote>
    </config>


Notice I am not using the SSL cert and in my alfrescoHeader connector I have used SsoUserHeader (as setup in OpenAM) and the endpoint uses the alfrescoHeader connector

Now you need to add the OpenAM filter to the Share web.xml file

Add the following filter just before the Share SSO authentication support filter

    <!-- element names restored from the standard servlet web.xml filter declaration; the post preserved only the values -->
    <filter>
      <filter-name>Agent</filter-name>
      <filter-class>com.sun.identity.agents.filter.AmAgentFilter</filter-class>
    </filter>

Add the following filter mapping to the filter-mapping section

    <filter-mapping>
      <filter-name>Agent</filter-name>
      <url-pattern></url-pattern> <!-- the pattern value did not survive in the post -->
      <dispatcher>REQUEST</dispatcher>
      <dispatcher>INCLUDE</dispatcher>
      <dispatcher>FORWARD</dispatcher>
      <dispatcher>ERROR</dispatcher>
    </filter-mapping>
----- End ----------

Recommended answer

The error message is a bit misleading: "Cannot obtain application SSO token" in general means that the agent was unable to authenticate itself. When you install the agent, the agent asks for a profile name and a password file; those values need to correspond to the agent profile configured within OpenAM. To test if you can authenticate as the user, you could simply try to authenticate as the agent by making the following request:

curl -d "username=profilename&password=password&uri=realm=/%26module=Application" http://aldaris.sch.bme.hu:8080/openam/identity/authenticate

In the above command the realm value needs to be the same as the value of the "com.sun.identity.agents.config.organization.name" property defined in OpenSSOAgentBootstrap.properties (under the agent's install directory).

Having a bad username/password combination is only one of the possible root causes for this exception, though. It is also possible that during startup the agent was unable to connect to OpenAM to authenticate itself. In those cases the problem could be:

  • A network error or firewall problem preventing the agent from contacting OpenAM
  • An SSL trust issue: the agent's JVM does not trust the OpenAM container's certificate (only a problem if you installed the agent by providing OpenAM's HTTPS URL and the certificate is self-signed or otherwise not trusted by the JVM)
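The agent self-authentication check from the answer, as an added shell example (not from the original answer): it reads the realm from the agent's OpenSSOAgentBootstrap.properties and builds the same request body, so the realm and the percent-encoded "&" are not retyped by hand. The OpenAM base URL, agent profile name, password and bootstrap file path are assumed caller inputs.

```shell
#!/bin/sh
# Added example, not from the original answer. Builds and runs the agent
# self-authentication request from the answer, taking the realm from the
# agent's OpenSSOAgentBootstrap.properties so it matches what the agent uses.
# Assumed inputs: OpenAM base URL, agent profile name, password, bootstrap file.

# Read com.sun.identity.agents.config.organization.name from the bootstrap file.
agent_realm() {
  sed -n 's/^[[:space:]]*com\.sun\.identity\.agents\.config\.organization\.name[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1
}

# The uri parameter carries realm and module joined by a percent-encoded '&'
# (%26), exactly as in the answer's curl command.
auth_uri() {
  printf 'realm=%s%%26module=Application' "$1"
}

# POST body for /identity/authenticate: username, password, uri.
auth_body() {
  printf 'username=%s&password=%s&uri=%s' "$1" "$2" "$(auth_uri "$3")"
}

# Run the check. Prints the SSO token (token.id=...) on success; a non-zero
# exit with curl's message points at credentials, network or TLS trust problems,
# the three root causes listed above.
check_agent_auth() {
  openam_url=$1; profile=$2; password=$3; bootstrap=$4
  realm=$(agent_realm "$bootstrap")
  if [ -z "$realm" ]; then
    echo "no organization.name in $bootstrap" >&2
    return 2
  fi
  # --fail turns an HTTP 401 (bad profile name/password) into a non-zero exit
  curl -sS --fail -d "$(auth_body "$profile" "$password" "$realm")" \
    "$openam_url/identity/authenticate"
}

# Offline demonstration with a constructed bootstrap file (no request is sent).
demo() {
  tmp=$(mktemp)
  printf '%s\n' '# constructed sample' \
    'com.sun.identity.agents.config.organization.name = /' > "$tmp"
  auth_body profilename password "$(agent_realm "$tmp")"; echo
  rm -f "$tmp"
}
```

Passing the password as an argument exposes it in the process list; on a shared host read it from the agent's password file instead.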

07-29 21:25