使用 WebSphere Liberty 和 ADFS 服务器上的 samlWebSso20 配置,定义安全角色/约束的正确方法是什么

With a samlWebSso20 config on WebSphere Liberty and an ADFS server, what is the proper way to define security roles / contraints

我已经使用 Bluemix 上的 Liberty Buildpack 和我客户的 ADFS idp 设置了 samlWebSso20 配置。

我在 Liberty 实例上部署了一个 Web 应用程序。

我正在使用 Server Directory 选项按说明推送 Bluemix here

这是我的server.xml:

<?xml version="1.0" encoding="UTF-8"?>
<server description="johan">
<featureManager>
    <feature>webProfile-7.0</feature>
    <feature>samlWeb-2.0</feature>
    <feature>appSecurity-2.0</feature>
</featureManager>

<samlWebSso20 id="defaultSP" nameIDFormat="unspecified"
    spCookieName="my_cookie"
    idpMetadata="${server.config.dir}/resources/security/FederationMetadata.xml"
    userIdentifier="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"
    sessionNotOnOrAfter="2h">
</samlWebSso20>

<keyStore id="defaultKeyStore" password="***" />

<webApplication context-root="/" location="MySampleApp.war" name="MySampleApp" type="war">
    <security-role name="any-authenticated">
        <special-subject type="ALL_AUTHENTICATED_USERS" />
    </security-role>

    <security-role name="administrators">
        <user name="user1@customer.com" />
        <user name="user2@customer.com" />
    </security-role>
</webApplication>

这是部署在 Liberty

上的应用程序的 web.xml 
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
version="3.0">
<security-constraint>
    <display-name>SampleAppServicesConstraint</display-name>
    <web-resource-collection>
        <web-resource-name>SampleAppServices</web-resource-name>
        <url-pattern>/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>PUT</http-method>
        <http-method>HEAD</http-method>
        <http-method>TRACE</http-method>
        <http-method>POST</http-method>
        <http-method>DELETE</http-method>
        <http-method>OPTIONS</http-method>
    </web-resource-collection>
    <auth-constraint>
        <role-name>any-authenticated</role-name>
    </auth-constraint>
</security-constraint>
<security-constraint>
    <display-name>SampleAppAdminConstraint</display-name>
    <web-resource-collection>
        <web-resource-name>SampleAppAdmin</web-resource-name>
        <url-pattern>/admin</url-pattern>
        <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint>
        <role-name>administrators</role-name>
    </auth-constraint>
</security-constraint>
<display-name>SampleApp</display-name>
<welcome-file-list>
    <welcome-file>index.html</welcome-file>
    <welcome-file>index.htm</welcome-file>
    <welcome-file>index.jsp</welcome-file>
    <welcome-file>default.html</welcome-file>
    <welcome-file>default.htm</welcome-file>
    <welcome-file>default.jsp</welcome-file>
</welcome-file-list>

当我点击 SampleApp 的 /admin 路由时,我被重定向到 ADFS 登录页面。然后我使用 user1@customer.com 登录并被重定向到我的应用程序。但是,即使用户处于 'administrators' 角色,我也会收到 403。 以下是日志中的错误消息:

[AUDIT ] CWWKS9104A: Authorization failed for user user1@customer.com while invoking MySampleApp on /admin. The user is not granted access to any of the required roles: [administrators].

请注意,如果我将 /admin 路由的 AuthConstraint 角色从 administrators 更改为 any_authenticated,则 user1@customer.com 可以访问管理页面。

谁能分享一些经验并解释我做错了什么。

谢谢

改变

<security-role name="administrators">
    <user name="user1@customer.com" />
    <user name="user2@customer.com" />
</security-role>


<security-role name="administrators">
        <user name="user1@customer.com" access-id="user:<issuer name here> /user1@customer.com"/>
        <user name="user2@customer.com" access-id="user:<issuer name here> /user1@customer.com"/>
</security-role>

SAML 中显示的颁发者名称在哪里。