Liberty on Bluemix - How to protect the Web Context using Deployment of .EAR Projects

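I have a question about the context protection definition for a Liberty server deployed to the Bluemix environment, mainly with regard to the login and authorization functions that will be triggered by the settings. For Liberty, all configuration is placed in a single server.xml setup file.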

The deployment structure generated by Eclipse with "Dynamic Web Project" selected is as follows:

. WebSphere Application Server Packaged on Bluemix (Utilities: Package on Bluemix Server)
.. LibertyStarterClaudeEAR (.ear)
... LiberyStarterClaude (.war)  

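The application generates an .ear archive file for deployment. Inside this archive there is a .war file containing the web application itself, which is actually a simple "hello world" from the Bluemix sample repository. Without the application and application-bnd statements, the web screen is displayed correctly; as soon as the application statement is active, I receive an error message like this: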

404 Not Found: Requested route ('xyzxyz.mybluemix.net') does not exist. 

This is the context definition I would like to add to server.xml:

<!--  Nov. 21 2016 the next section adds the web context authorization -->   
<application type="war" id="LibertyStarterClaude" name="LibertyStarterClaude" location="${server.config.dir}/apps/LibertyStarterClaude.war">
  <application-bnd>
    <security-role name="All Role">
      <special-subject type="ALL_AUTHENTICATED_USERS" />
    </security-role>
  </application-bnd> 
</application> 

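What are the correct path and application type definitions to activate context protection and login interception when deploying the .ear archive and its application?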

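The console messages below were produced by the "package on IBM Bluemix" command (push):

Deploy and push the local Liberty server with the tagged sections defined under the server.xml configuration file.

Name: liberty_with_oidc

Manifest: Save to manifest file

Subdomain: libertystarterclaude

Domain: mybluemix.net

Deployed URL: libertystarterclaude.mybluemix.net

Start application on deployment: Enabled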

Checking application - liberty_with_oidc
Generating application archive - liberty_with_oidc
Pushing application - liberty_with_oidc
Creating application - liberty_with_oidc
Application successfully pushed
Starting application - liberty_with_oidc
Got staging request for app with id ff091f13-1c94-4d0f-adea-70db04cceb7c
Updated app with guid ff091f13-1c94-4d0f-adea-70db04cceb7c ({"state"=>"STARTED"})
-----> Downloaded app package (36K)
[Application Running Check] - Checking if application is running - liberty_with_oidc. Please wait...

-----> Retrieving IBM 1.8.0_20160919 JRE (ibm-java-jre-8.0-3.12-pxa6480sr3fp12-20160919_01-cloud.tgz) ... (0.0s)
         Expanding JRE to .java ... (1.1s)
-----> Retrieving App Management 1.21.0_20161010-1459 (app-mgmt_v1.21-20161010-1459.zip) ... (0.0s)
         Expanding App Management to .app-management (0.1s)
-----> Retrieving com.ibm.ws.liberty-16.0.0.3-201610302241.tar.gz ... (0.0s)
         Installing archive ... (1.1s)
-----> Retrieving com.ibm.ws.liberty.ext-16.0.0.3-201610302241.tar.gz ... (0.0s)
         Installing archive ... (1.0s)
-----> Liberty buildpack is done creating the droplet

[AUDIT   ] CWWKE0001I: The server wlp2016beta has been launched.
[AUDIT   ] CWWKG0028A: Processing included configuration resource: /home/vcap/app/wlp/usr/servers/wlp2016beta/runtime-vars.xml
[INFO    ] CWWKE0002I: The kernel started after 3.267 seconds
[INFO    ] CWWKF0007I: Feature update started.

[ERROR   ] CWWKF0042E: A feature definition cannot  be found for the  bluemixutility-1.0 feature.  Try running the command, bin/installUtility install bluemixutility-1.0,  to install the feature. Alternatively, you can run the command, bin/installUtility install wlp2016beta,  to install all features that are referenced by this configuration.

[INFO    ] CWWKS0007I: The security service is starting...
[AUDIT   ] CWWKZ0058I: Monitoring dropins for applications. 
[INFO    ] CWWKO0219I: TCP Channel defaultHttpEndpoint has been started and is now listening for requests on host localhost  (IPv4: 127.0.0.1) port 61655.
[INFO    ] CWWKO0219I: TCP Channel defaultHttpEndpoint-ssl has been started and is now listening for requests on host localhost  (IPv4: 127.0.0.1) port 9443.
[INFO    ] DYNA1001I: WebSphere Dynamic Cache instance named baseCache initialized successfully.
[INFO    ] DYNA1071I: The cache provider default is being used.
[INFO    ] DYNA1056I: Dynamic Cache (object cache) initialized successfully.
[INFO    ] CWWKY0005I: The batch In-Memory persistence service is activated.
[INFO    ] CWWKY0008I: The batch feature is using persistence type In-Memory.
[INFO    ] CWIMK0009I: The user registry federation service is ready.
[INFO    ] CWWKS0008I: The security service is ready.
[INFO    ] CWWKS4105I: LTPA configuration is ready after 0.902 seconds.
[INFO    ] CWWKS1410I: The OAuth endpoint service is activated.
[INFO    ] CWWKS1700I: OpenID Connect client bluemixoidc1 configuration successfully processed.
[INFO    ] CWSCX0122I: Register management Bean provider: com.ibm.ws.cloudoe.management.client.provider.dump.JavaDumpBeanProvider@8023ef99.
[INFO    ] CWSCX0122I: Register management Bean provider: com.ibm.ws.cloudoe.management.client.provider.logging.LibertyLoggingBeanProvider@ffcd3586.
[INFO    ] CWWKY0300I: Batch security is enabled.
[WARNING ] CWWKZ0014W: The application LibertyStarterClaude could not be started as it could not be found at location /home/vcap/app/wlp/usr/servers/wlp2016beta//apps/LibertyStarterClaude.war.
[INFO    ] CWWKZ0018I: Starting application LibertyStarterClaudeEAR.
[INFO    ] SRVE0169I: Loading Web Module: ibm/api.
[INFO    ] SRVE0250I: Web Module ibm/api has been bound to default_host.
[AUDIT   ] CWWKT0016I: Web application available (default_host): http://localhost:61655/ibm/api/
[INFO    ] SRVE0169I: Loading Web Module: com.ibm.ws.cloudoe.management.client.liberty.connector.
[INFO    ] SRVE0250I: Web Module com.ibm.ws.cloudoe.management.client.liberty.connector has been bound to default_host.
[AUDIT   ] CWWKT0016I: Web application available (default_host): http://localhost:61655/IBMMGMTRest/
[INFO    ] SRVE0169I: Loading Web Module: OpenID Connect Client Redirect Servlet.
[INFO    ] SRVE0250I: Web Module OpenID Connect Client Redirect Servlet has been bound to default_host.
[AUDIT   ] CWWKT0016I: Web application available (default_host): http://localhost:61655/oidcclient/
[INFO    ] SRVE0169I: Loading Web Module: IBMJMXConnectorREST.
[INFO    ] SRVE0250I: Web Module IBMJMXConnectorREST has been bound to default_host.
[AUDIT   ] CWWKT0016I: Web application available (default_host): http://localhost:61655/IBMJMXConnectorREST/
[INFO    ] CWWKX0103I: The JMX REST connector is running and is available at the following service URL: service:jmx:rest://localhost:9443/IBMJMXConnectorREST
[INFO    ] CWWKX0103I: The JMX REST connector is running and is available at the following service URL: service:jmx:rest://localhost:9443/IBMJMXConnectorREST
[INFO    ] WELD-000900: 2.3.4 (Final)
[INFO    ] SRVE0169I: Loading Web Module: com.ibm.oauth.test.war.
[INFO    ] SRVE0250I: Web Module com.ibm.oauth.test.war has been bound to default_host.
[AUDIT   ] CWWKT0016I: Web application available (default_host): http://localhost:61655/oauth2/
[INFO    ] SESN8501I: The session manager did not find a persistent storage location; HttpSession objects will be stored in the local application server's memory.
[INFO    ] SRVE0250I: Web Module LibertyStarterClaude has been bound to default_host.
[INFO    ] SRVE0169I: Loading Web Module: LibertyStarterClaude.
[AUDIT   ] CWWKZ0001I: Application LibertyStarterClaudeEAR started in 1.047 seconds.
[INFO    ] SRVE9103I: A configuration file for a web server plugin was automatically generated for this server at /home/vcap/app/wlp/usr/servers/wlp2016beta/logs/state/plugin-cfg.xml.
[AUDIT   ] CWWKF0015I: The server has the following interim fixes active in the runtime: PI69141,PI68805. For a full listing of installed fixes run: productInfo version --ifixes
[AUDIT   ] CWWKF0012I: The server installed the following features: [servlet-3.1, beanValidation-1.1, ssl-1.0, jndi-1.0, oauth-2.0, batchManagement-1.0, appSecurity-2.0, jdbc-4.1, jaxrs-2.0, openidConnectClient-1.0, restConnector-2.0, cdi-1.2, webProfile-7.0, jpa-2.1, appState-2.0, jsp-2.3, ejbLite-3.2, managedBeans-1.0, jsf-2.2, localConnector-1.0, federatedRegistry-1.0, jsonp-1.0, icap:managementConnector-1.0, el-3.0, jaxrsClient-2.0, batch-1.0, ldapRegistry-3.0, json-1.0, distributedMap-1.0, websocket-1.1].
[INFO    ] CWWKF0008I: Feature update completed in 42.745 seconds.
[AUDIT   ] CWWKF0011I: The server wlp2016beta is ready to run a smarter planet.

Instance (index 0) failed to start accepting connections

App instance exited with guid ff091f13-1c94-4d0f-adea-70db04cceb7c payload: {"cc_partition"=>"default", "droplet"=>"ff091f13-1c94-4d0f-adea-70db04cceb7c", "version"=>"2186b130-3bad-4631-bd74-3e436f10ec19", "instance"=>"75acb8c94a5b403398904d43aa53761d", "index"=>0, "reason"=>"CRASHED", "exit_status"=>-1, "exit_description"=>"failed to accept connections within health check timeout", "crash_timestamp"=>1479830482}
Starting app instance (index 0) with guid ff091f13-1c94-4d0f-adea-70db04cceb7c


[ERROR   ] CWWKF0042E: A feature definition cannot  be found for the  admincenter-1.0 feature.  Try running the command, bin/installUtility install admincenter-1.0,  to install the feature. Alternatively, you can run the command, bin/installUtility install wlp2016beta,  to install all features that are referenced by this configuration.
[ERROR   ] CWWKF0042E: A feature definition cannot  be found for the  bluemixlogcollector-1.1 feature.  Try running the command, bin/installUtility install bluemixlogcollector-1.1,  to install the feature. Alternatively, you can run the command, bin/installUtility install wlp2016beta,  to install all features that are referenced by this configuration.
[ERROR   ] CWWKF0042E: A feature definition cannot  be found for the  bluemixutility-1.0 feature.  Try running the command, bin/installUtility install bluemixutility-1.0,  to install the feature. Alternatively, you can run the command, bin/installUtility install wlp2016beta,  to install all features that are referenced by this configuration.

[INFO    ] CWWKS0007I: The security service is starting...
[INFO    ] CWWKO0219I: TCP Channel defaultHttpEndpoint has been started and is now listening for requests on host localhost  (IPv4: 127.0.0.1) port 61700.
[AUDIT   ] CWWKZ0058I: Monitoring dropins for applications. 
[INFO    ] CWWKO0219I: TCP Channel defaultHttpEndpoint-ssl has been started and is now listening for requests on host localhost  (IPv4: 127.0.0.1) port 9443.
[INFO    ] DYNA1001I: WebSphere Dynamic Cache instance named baseCache initialized successfully.
[INFO    ] DYNA1071I: The cache provider default is being used.
[INFO    ] DYNA1056I: Dynamic Cache (object cache) initialized successfully.
[INFO    ] CWWKY0005I: The batch In-Memory persistence service is activated.
[INFO    ] CWWKY0008I: The batch feature is using persistence type In-Memory.
[INFO    ] CWIMK0009I: The user registry federation service is ready.
[INFO    ] CWWKS1700I: OpenID Connect client bluemixoidc1 configuration successfully processed.
[INFO    ] CWWKS0008I: The security service is ready.
[INFO    ] CWWKS4105I: LTPA configuration is ready after 0.752 seconds.
[INFO    ] CWSCX0122I: Register management Bean provider: com.ibm.ws.cloudoe.management.client.provider.dump.JavaDumpBeanProvider@50e65231.
[INFO    ] CWSCX0122I: Register management Bean provider: com.ibm.ws.cloudoe.management.client.provider.logging.LibertyLoggingBeanProvider@9176be54.
[INFO    ] CWWKY0300I: Batch security is enabled.
[WARNING ] CWWKZ0014W: The application LibertyStarterClaude could not be started as it could not be found at location /home/vcap/app/wlp/usr/servers/wlp2016beta//apps/LibertyStarterClaude.war.
[INFO    ] CWWKZ0018I: Starting application LibertyStarterClaudeEAR.
[INFO    ] SRVE0169I: Loading Web Module: com.ibm.ws.cloudoe.management.client.liberty.connector.
[AUDIT   ] CWWKT0016I: Web application available (default_host): http://localhost:61700/IBMMGMTRest/
[INFO    ] SRVE0250I: Web Module OpenID Connect Client Redirect Servlet has been bound to default_host.
[INFO    ] SRVE0250I: Web Module ibm/api has been bound to default_host.
[INFO    ] SRVE0169I: Loading Web Module: ibm/api.
[AUDIT   ] CWWKT0016I: Web application available (default_host): http://localhost:61700/ibm/api/
[INFO    ] WELD-000900: 2.3.4 (Final)
[INFO    ] SRVE0250I: Web Module IBMJMXConnectorREST has been bound to default_host.
[INFO    ] SRVE0169I: Loading Web Module: IBMJMXConnectorREST.
[AUDIT   ] CWWKT0016I: Web application available (default_host): http://localhost:61700/IBMJMXConnectorREST/
[INFO    ] CWWKX0103I: The JMX REST connector is running and is available at the following service URL: service:jmx:rest://localhost:9443/IBMJMXConnectorREST
[INFO    ] CWWKX0103I: The JMX REST connector is running and is available at the following service URL: service:jmx:rest://localhost:9443/IBMJMXConnectorREST
[INFO    ] SRVE0169I: Loading Web Module: com.ibm.oauth.test.war.
[INFO    ] SRVE0250I: Web Module com.ibm.oauth.test.war has been bound to default_host.
[AUDIT   ] CWWKT0016I: Web application available (default_host): http://localhost:61700/oauth2/
[INFO    ] SESN8501I: The session manager did not find a persistent storage location; HttpSession objects will be stored in the local application server's memory.
[INFO    ] SRVE0169I: Loading Web Module: LibertyStarterClaude.
[INFO    ] SRVE0250I: Web Module LibertyStarterClaude has been bound to default_host.
[AUDIT   ] CWWKZ0001I: Application LibertyStarterClaudeEAR started in 1.423 seconds.
[INFO    ] SRVE9103I: A configuration file for a web server plugin was automatically generated for this server at /home/vcap/app/wlp/usr/servers/wlp2016beta/logs/state/plugin-cfg.xml.
[AUDIT   ] CWWKF0015I: The server has the following interim fixes active in the runtime: PI69141,PI68805. For a full listing of installed fixes run: productInfo version --ifixes
[AUDIT   ] CWWKF0012I: The server installed the following features: [servlet-3.1, beanValidation-1.1, ssl-1.0, jndi-1.0, oauth-2.0, batchManagement-1.0, appSecurity-2.0, jdbc-4.1, jaxrs-2.0, openidConnectClient-1.0, restConnector-2.0, cdi-1.2, webProfile-7.0, jpa-2.1, appState-2.0, jsp-2.3, ejbLite-3.2, managedBeans-1.0, jsf-2.2, localConnector-1.0, federatedRegistry-1.0, jsonp-1.0, icap:managementConnector-1.0, el-3.0, jaxrsClient-2.0, batch-1.0, ldapRegistry-3.0, json-1.0, distributedMap-1.0, websocket-1.1].
[AUDIT   ] CWWKF0011I: The server wlp2016beta is ready to run a smarter planet.
[INFO    ] CWWKF0008I: Feature update completed in 40.415 seconds.

Instance (index 0) failed to start accepting connections

App instance exited with guid ff091f13-1c94-4d0f-adea-70db04cceb7c payload: {"cc_partition"=>"default", "droplet"=>"ff091f13-1c94-4d0f-adea-70db04cceb7c", "version"=>"2186b130-3bad-4631-bd74-3e436f10ec19", "instance"=>"3cd219a09bbf48fd8b80db6b6290f5b9", "index"=>0, "reason"=>"CRASHED", "exit_status"=>-1, "exit_description"=>"failed to accept connections within health check timeout", "crash_timestamp"=>1479830595}

Starting app instance (index 0) with guid ff091f13-1c94-4d0f-adea-70db04cceb7c

.. restarting

My tests show that the .ear archive had a duplicate entry, because the application tag supports reading .ear archives. The new definition is:

<application location="${server.config.dir}apps/LibertyStarterClaudeEAR.ear" type="ear">
  <application-bnd>
    <security-role name="AllAuthenticated">
      <special-subject type="ALL_AUTHENTICATED_USERS"/>
    </security-role>
  </application-bnd> 
</application> 

Comment out the duplicate .ear loading in the original project settings:

<!--  enterpriseApplication id="LibertyStarterClaudeEAR" location="LibertyStarterClaudeEAR.ear" name="LibertyStarterClaudeEAR"/ -->

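To set up security, you need to define the security roles, security constraints, authentication method, and the application binding. You have only mentioned the application binding part. I am not sure whether you have done the rest. You can refer to this document for how to set up the rest: http://www.ibm.com/support/knowledgecenter/SS7K4U_liberty/com.ibm.websphere.wlp.zseries.doc/ae/twlp_sec_quickstart.html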

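For your application, do you want to deploy it as an EAR or as a standalone WAR? From the Dynamic Web Project structure, it seems you are using an EAR. However, in the application binding configuration element you have, it has been switched to a standalone WAR application without the EAR. I suggest you keep the original enterpriseApplication element and just add the application-bnd section under that element, rather than defining a new application element. The reason is that changing the application type directly in the server configuration file puts the tooling settings out of sync with the server configuration. If you want to deploy as a standalone WAR without the EAR instead, remove the EAR from the server in the Servers view, and then add the WAR to the server first. You can then add the application-bnd section under the WAR definition, to keep the tooling and the configuration settings in sync.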
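The answers above name the pieces that must agree: the security constraint and authentication method in the WAR's web.xml, and the application-bnd role binding under the enterpriseApplication element in server.xml. As an added example (not code from the question, the answers, or IBM), this Python check parses both files and reports roles that are constrained but unbound, or bound but never constrained. The web.xml content, the BASIC auth method, and the function names are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample of WEB-INF/web.xml for the WAR inside the EAR (assumed content).
WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
  <security-constraint>
    <web-resource-collection><web-resource-name>all</web-resource-name>
      <url-pattern>/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>AllAuthenticated</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method></login-config>
  <security-role><role-name>AllAuthenticated</role-name></security-role>
</web-app>"""

# Constructed server.xml fragment; {role} is filled in with str.format.
SERVER_XML = """<server>
  <enterpriseApplication id="LibertyStarterClaudeEAR"
      location="LibertyStarterClaudeEAR.ear" name="LibertyStarterClaudeEAR">
    <application-bnd>
      <security-role name="{role}"><special-subject type="ALL_AUTHENTICATED_USERS"/></security-role>
    </application-bnd>
  </enterpriseApplication>
</server>"""

def _find_all(root, name):
    """Match on the local tag name so namespaced web.xml files work too."""
    return [e for e in root.iter() if e.tag.rsplit("}", 1)[-1] == name]

def check_role_bindings(web_xml, server_xml):
    """Return findings; an empty list means constraints and bindings line up."""
    web, server = ET.fromstring(web_xml), ET.fromstring(server_xml)
    findings = []
    constraints = _find_all(web, "auth-constraint")
    if not constraints:
        findings.append("web.xml has no auth-constraint: nothing is protected")
    if not _find_all(web, "login-config"):
        findings.append("web.xml has no login-config: no authentication method")
    required = {(r.text or "").strip()
                for c in constraints for r in _find_all(c, "role-name")}
    bound = {r.get("name") for b in _find_all(server, "application-bnd")
             for r in _find_all(b, "security-role")}
    findings += [f"role '{r}' required by web.xml is not bound in server.xml"
                 for r in sorted(required - bound)]
    findings += [f"binding '{r}' in server.xml matches no constrained role"
                 for r in sorted(bound - required)]
    return findings

if __name__ == "__main__":
    for role in ("All Role", "AllAuthenticated"):
        print(role, "->", check_role_bindings(WEB_XML, SERVER_XML.format(role=role)))
```

A binding with only an application-bnd section and no matching auth-constraint leaves the context unprotected even though the server starts cleanly, which is the gap the first answer points at.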