One day a colleague told me that their application was throwing an exception during an install/uninstall loop test and asked me to take a look. I checked the WebLogic log and found that the server was reporting a NullPointerException.
From the stack, it happened at sipSecurityStart while trying to delete stale roles from the embedded LDAP. So the system apparently uses WebLogic's built-in LDAP; my recollection was that LDAP is only used by the security subsystem.
I logged into WebLogic and looked at the role configuration. The default security realm myrealm was using the DDonly model. I checked weblogic.xml, sip.xml and web.xml: all role-related configuration was in the xml files, and the Roles and Policies page of myrealm showed no roles at all. Everything looked normal, and this exception should not have occurred. Removing the role configuration from the xml files made everything work again.
Puzzled, I turned to the WebLogic documentation to check the security configuration. According to the docs, the default realm under Security Realms uses the embedded LDAP to store user/role/policy information; users can of course configure this information to be stored in another database instead, or plug in a conforming Security Provider that replaces WebLogic's default security handling.
Usually we define which resources a given role may access as a policy, then map particular users or groups to the corresponding role. Everything deployed in the application refers only to roles, which separates the frequently changing user/group elements from the relatively stable role element.
With WebLogic's default realm there are several modes:
1. DDonly model: the application's security roles and policies are all defined in xml files. Roles are declared in weblogic.xml, the role-to-user mapping is also in weblogic.xml, and policies are in web.xml and sip.xml.
weblogic.xml:
<!-- map to web.xml/sip.xml security-role element -->
<security-role-assignment>
  <role-name>PayrollAdmin</role-name>
  <!-- define user or group here -->
  <principal-name>Tanya</principal-name>
  <principal-name>Fred</principal-name>
  <principal-name>system</principal-name>
</security-role-assignment>
<!-- map to web.xml/sip.xml security run-as element -->
<run-as-role-assignment>
  <role-name>RunAsRoleName</role-name>
  <run-as-principal-name>joe</run-as-principal-name>
</run-as-role-assignment>
2. Custom roles: the policy saying which resources each role may access goes into the configuration files ejb-jar.xml/web.xml/sip.xml, and the role the policy refers to is declared in weblogic.xml as <externally-defined/>. The mapping between roles and users/groups is configured in the WebLogic security console. Users/groups/policies are stored in LDAP by default.
weblogic.xml:
<security-role-assignment>
  <role-name>roleadmin</role-name>
  <!-- notify external definition is provided -->
  <externally-defined/>
</security-role-assignment>
3. Custom roles and policies: both roles and policies are configured in the WebLogic security console; users/groups/roles/policies are stored in LDAP by default.
4. Advanced: at startup the initial values from the xml files are used, after which the WebLogic console takes over; users/groups/roles/policies are stored in LDAP by default. This configuration requires selecting "all web and ejb" for "check roles and policies" and "init roles/policies from dd" for "when deploying web or ejb"; after the application has been deployed, select "ignore roles/policies from dd" for "when deploying web or ejb".
Nothing in the WebLogic documentation pointed to a configuration error in the application; the only thing I noticed was that the new version requires the javaee namespace. Since we did not have the WebLogic source code, in the end I simply removed the WebLogic security configuration for the SIP part and did not investigate further.
a) The OCCAS 4.0 example of WEB-INF/sip.xml uses the http://java.sun.com/xml/ns/j2ee namespace:
$ cat /path/to/samples/sipserver/examples/src/findme/WEB-INF/sip.xml
<?xml version="1.0" encoding="UTF-8"?>
<sip-app xmlns="http://www.jcp.org/xml/ns/sipservlet"
         xmlns:javaee="http://java.sun.com/xml/ns/javaee">
  ...
  <!-- NEW: For use with DIGEST authentication -->
  <session-config>
    <javaee:session-timeout>1</javaee:session-timeout>
  </session-config>
  <security-constraint>
    <display-name>DEMO</display-name>
    <resource-collection>
      <resource-name>Demo constraint</resource-name>
      <description>This is a sample constraint</description>
      <servlet-name>findme</servlet-name>
      <sip-method>INVITE</sip-method>
    </resource-collection>
    <auth-constraint>
      <javaee:role-name>system-user</javaee:role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>DIGEST</auth-method>
    <realm-name>myrealm</realm-name>
  </login-config>
  <security-role>
    <javaee:role-name>system-user</javaee:role-name>
  </security-role>
</sip-app>
b) The WLSS 3.1 example of WEB-INF/sip.xml:
$ cat /path/to/samples/sipserver/examples/src/findme/WEB-INF/sip.xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE sip-app
  PUBLIC "-//Java Community Process//DTD SIP Application 1.0//EN"
  "http://www.jcp.org/dtd/sip-app_1_0.dtd">
<sip-app>
  ...
  <!-- NEW: For use with DIGEST authentication -->
  <session-config>
    <session-timeout>1</session-timeout>
  </session-config>
  <security-constraint>
    <display-name>DEMO</display-name>
    <resource-collection>
      <resource-name>Demo constraint</resource-name>
      <description>This is a sample constraint</description>
      <servlet-name>findme</servlet-name>
      <sip-method>INVITE</sip-method>
    </resource-collection>
    <auth-constraint>
      <role-name>system-user</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>DIGEST</auth-method>
    <realm-name>myrealm</realm-name>
  </login-config>
  <!-- system user for the run-as element for Registrar -->
  <security-role>
    <role-name>system-user</role-name>
  </security-role>
</sip-app>
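Two things above can be checked mechanically before a deployment: that every role the DDonly model declares in sip.xml/web.xml is mapped in weblogic.xml (and that weblogic.xml does not map roles the descriptor no longer declares), and whether a sip.xml uses the unqualified DTD form of WLSS 3.1 or the javaee-qualified role-name form of OCCAS 4.0. The script below is an added example written for this page, not code from WebLogic, OCCAS or Oracle's samples. It matches elements by local name, so both descriptor forms are handled alike; the three descriptors embedded in it are constructed samples, and the names stale-role, operator and sipadmin are assumptions made for illustration.

```python
"""Cross-check a sip.xml / web.xml against weblogic.xml (added example).

Parses the descriptor in either the WLSS 3.1 DTD form (unqualified
<role-name>) or the OCCAS 4.0 form (<javaee:role-name>), reads the
<security-role-assignment> entries from weblogic.xml, and reports roles
that are referenced but never declared, declared but never mapped, or
mapped but never declared. All descriptors below are constructed samples.
"""
import xml.etree.ElementTree as ET

JAVAEE_NS = "http://java.sun.com/xml/ns/javaee"


def _local(tag):
    """Strip the {namespace} prefix ElementTree puts on qualified tags."""
    return tag.rsplit("}", 1)[-1]


def _namespace(tag):
    """Namespace URI of a tag, or '' when the element is unqualified."""
    return tag[1:].split("}", 1)[0] if tag.startswith("{") else ""


def _elements(root, local_name):
    # All descendants (root included) whose local name matches.
    return [e for e in root.iter() if _local(e.tag) == local_name]


def sip_roles(xml_text):
    """Return (declared, referenced, form) for a sip.xml or web.xml.

    declared: names under <security-role>; referenced: names under
    <auth-constraint> and <run-as>; form: 'javaee' (OCCAS 4.0 form),
    'dtd' (WLSS 3.1 form), 'mixed' if both occur, 'none' if no roles.
    """
    root = ET.fromstring(xml_text)
    declared, referenced, forms = set(), set(), set()
    for parent_name, bucket in (("security-role", declared),
                                ("auth-constraint", referenced),
                                ("run-as", referenced)):
        for parent in _elements(root, parent_name):
            for rn in _elements(parent, "role-name"):
                bucket.add((rn.text or "").strip())
                forms.add("javaee" if _namespace(rn.tag) == JAVAEE_NS else "dtd")
    form = forms.pop() if len(forms) == 1 else ("mixed" if forms else "none")
    return declared, referenced, form


def weblogic_assignments(xml_text):
    """Map each role in weblogic.xml to its principal names, or to the
    marker ['externally-defined'] when the mapping lives in the console."""
    root = ET.fromstring(xml_text)
    assigned = {}
    for sra in _elements(root, "security-role-assignment"):
        name = (_elements(sra, "role-name")[0].text or "").strip()
        if _elements(sra, "externally-defined"):
            assigned[name] = ["externally-defined"]
        else:
            assigned[name] = [(p.text or "").strip()
                              for p in _elements(sra, "principal-name")]
    return assigned


def check_descriptors(sip_xml, weblogic_xml):
    """Return a list of human-readable findings; an empty list means consistent."""
    declared, referenced, form = sip_roles(sip_xml)
    assigned = weblogic_assignments(weblogic_xml)
    findings = []
    if form == "mixed":
        findings.append("sip.xml mixes javaee-qualified and unqualified role-name elements")
    for r in sorted(referenced - declared):
        findings.append(f"role '{r}' is used in a constraint but never declared in <security-role>")
    for r in sorted(declared - set(assigned)):
        findings.append(f"role '{r}' is declared in sip.xml but has no <security-role-assignment> in weblogic.xml")
    for r, principals in sorted(assigned.items()):
        if r not in declared:
            findings.append(f"weblogic.xml maps role '{r}' that sip.xml never declares")
        elif not principals:
            findings.append(f"role '{r}' has neither principals nor <externally-defined/>")
    return findings


# Constructed sample in the OCCAS 4.0 (javaee-qualified) form; 'operator' is
# referenced by a constraint but never declared.
SIP_XML_JAVAEE = """
<sip-app xmlns="http://www.jcp.org/xml/ns/sipservlet"
         xmlns:javaee="http://java.sun.com/xml/ns/javaee">
  <security-constraint><auth-constraint>
    <javaee:role-name>system-user</javaee:role-name>
    <javaee:role-name>operator</javaee:role-name>
  </auth-constraint></security-constraint>
  <security-role><javaee:role-name>system-user</javaee:role-name></security-role>
</sip-app>"""

# Constructed sample in the WLSS 3.1 (DTD, unqualified) form.
SIP_XML_DTD = """
<!DOCTYPE sip-app PUBLIC "-//Java Community Process//DTD SIP Application 1.0//EN"
  "http://www.jcp.org/dtd/sip-app_1_0.dtd">
<sip-app>
  <security-constraint><auth-constraint><role-name>system-user</role-name></auth-constraint></security-constraint>
  <security-role><role-name>system-user</role-name></security-role>
</sip-app>"""

# Constructed weblogic.xml: one role mapped to a principal, plus a leftover
# externally-defined role ('stale-role') that neither descriptor declares.
WEBLOGIC_XML = """
<weblogic-web-app>
  <security-role-assignment>
    <role-name>system-user</role-name><principal-name>sipadmin</principal-name>
  </security-role-assignment>
  <security-role-assignment>
    <role-name>stale-role</role-name><externally-defined/>
  </security-role-assignment>
</weblogic-web-app>"""

if __name__ == "__main__":
    for sample in (SIP_XML_JAVAEE, SIP_XML_DTD):
        print("descriptor form:", sip_roles(sample)[2])
        for finding in check_descriptors(sample, WEBLOGIC_XML):
            print("  -", finding)
```

Run it against the real WEB-INF files of the application in place of the embedded samples. A role that weblogic.xml still maps but the descriptor no longer declares, or a constraint naming an undeclared role, is the kind of inconsistency worth ruling out in the descriptors before suspecting the role provider or the embedded LDAP store.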
More information:
http://docs.oracle.com/cd/E24329_01/web.1211/e24421/toc.htm
Exception details:
weblogic.application.ModuleException:
at weblogic.servlet.internal.WebAppModule.startContexts(WebAppModule.java:1514)
at weblogic.servlet.internal.WebAppModule.start(WebAppModule.java:486)
at weblogic.application.internal.flow.ModuleStateDriver$3.next(ModuleStateDriver.java:425)
at weblogic.application.utils.StateMachineDriver.nextState(StateMachineDriver.java:41)
at weblogic.application.internal.flow.ModuleStateDriver.start(ModuleStateDriver.java:119)
at weblogic.application.internal.flow.ScopedModuleDriver.start(ScopedModuleDriver.java:201)
at weblogic.application.internal.flow.ModuleListenerInvoker.start(ModuleListenerInvoker.java:249)
at weblogic.application.internal.flow.ModuleStateDriver$3.next(ModuleStateDriver.java:427)
at weblogic.application.utils.StateMachineDriver.nextState(StateMachineDriver.java:41)
at weblogic.application.internal.flow.ModuleStateDriver.start(ModuleStateDriver.java:119)
at weblogic.application.internal.flow.StartModulesFlow.activate(StartModulesFlow.java:28)
at weblogic.application.internal.BaseDeployment$2.next(BaseDeployment.java:1269)
at weblogic.application.utils.StateMachineDriver.nextState(StateMachineDriver.java:41)
at weblogic.application.internal.BaseDeployment.activate(BaseDeployment.java:409)
at weblogic.application.internal.EarDeployment.activate(EarDeployment.java:58)
at weblogic.application.internal.DeploymentStateChecker.activate(DeploymentStateChecker.java:161)
at weblogic.deploy.internal.targetserver.AppContainerInvoker.activate(AppContainerInvoker.java:79)
at weblogic.deploy.internal.targetserver.operations.AbstractOperation.activate(AbstractOperation.java:569)
at weblogic.deploy.internal.targetserver.operations.ActivateOperation.activateDeployment(ActivateOperation.java:150)
at weblogic.deploy.internal.targetserver.operations.ActivateOperation.doCommit(ActivateOperation.java:116)
at weblogic.deploy.internal.targetserver.operations.StartOperation.doCommit(StartOperation.java:143)
at weblogic.deploy.internal.targetserver.operations.AbstractOperation.commit(AbstractOperation.java:323)
at weblogic.deploy.internal.targetserver.DeploymentManager.handleDeploymentCommit(DeploymentManager.java:844)
at weblogic.deploy.internal.targetserver.DeploymentManager.activateDeploymentList(DeploymentManager.java:1253)
at weblogic.deploy.internal.targetserver.DeploymentManager.handleCommit(DeploymentManager.java:440)
at weblogic.deploy.internal.targetserver.DeploymentServiceDispatcher.commit(DeploymentServiceDispatcher.java:164)
at weblogic.deploy.service.internal.targetserver.DeploymentReceiverCallbackDeliverer.doCommitCallback(DeploymentReceiverCallbackDeliverer.java:195)
at weblogic.deploy.service.internal.targetserver.DeploymentReceiverCallbackDeliverer.access$100(DeploymentReceiverCallbackDeliverer.java:13)
at weblogic.deploy.service.internal.targetserver.DeploymentReceiverCallbackDeliverer$2.run(DeploymentReceiverCallbackDeliverer.java:69)
at weblogic.work.SelfTuningWorkManagerImpl$WorkAdapterImpl.run(SelfTuningWorkManagerImpl.java:528)
at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201)
at weblogic.work.ExecuteThread.run(ExecuteThread.java:173)
Caused By: java.lang.NullPointerException
at com.octetstring.vde.backend.standard.BackendStandard.delete(BackendStandard.java:525)
at com.octetstring.vde.backend.BackendHandler.delete(BackendHandler.java:517)
at weblogic.ldap.EmbeddedLDAPConnection.delete(EmbeddedLDAPConnection.java:1546)
at com.bea.common.ldap.LDAPStoreManager.flush(LDAPStoreManager.java:388)
at org.apache.openjpa.abstractstore.AbstractStoreManager.flush(AbstractStoreManager.java:277)
at org.apache.openjpa.kernel.DelegatingStoreManager.flush(DelegatingStoreManager.java:130)
at org.apache.openjpa.datacache.DataCacheStoreManager.flush(DataCacheStoreManager.java:571)
at org.apache.openjpa.kernel.DelegatingStoreManager.flush(DelegatingStoreManager.java:130)
at org.apache.openjpa.kernel.BrokerImpl.flush(BrokerImpl.java:2017)
at org.apache.openjpa.kernel.BrokerImpl.flushSafe(BrokerImpl.java:1915)
at org.apache.openjpa.kernel.BrokerImpl.beforeCompletion(BrokerImpl.java:1833)
at org.apache.openjpa.kernel.LocalManagedRuntime.commit(LocalManagedRuntime.java:81)
at org.apache.openjpa.kernel.BrokerImpl.commit(BrokerImpl.java:1357)
at kodo.kernel.KodoBroker.commit(KodoBroker.java:103)
at org.apache.openjpa.kernel.DelegatingBroker.commit(DelegatingBroker.java:877)
at kodo.jdo.PersistenceManagerImpl.commit(PersistenceManagerImpl.java:409)
at com.bea.security.providers.xacml.store.BasePolicyStore.deletePolicy(BasePolicyStore.java:1045)
at com.bea.security.providers.xacml.entitlement.RoleManager.removeRole(RoleManager.java:468)
at weblogic.security.providers.xacml.DeployableRoleProviderV2Helper$DeployRoleHandleImpl.cleanStaledRoles(DeployableRoleProviderV2Helper.java:312)
at weblogic.security.providers.xacml.DeployableRoleProviderV2Helper.endDeployRoles(DeployableRoleProviderV2Helper.java:195)
at weblogic.security.providers.xacml.authorization.XACMLRoleMapperProviderImpl.endDeployRoles(XACMLRoleMapperProviderImpl.java:250)
at com.bea.common.security.internal.legacy.service.RoleDeployerProviderImpl$V2AdapterExt$DeploymentHandlerImpl.endDeployRoles(RoleDeployerProviderImpl.java:308)
at com.bea.common.security.internal.service.RoleDeploymentServiceImpl$DeploymentHandlerImpl.endDeployRoles(RoleDeploymentServiceImpl.java:184)
at weblogic.security.service.WLSRoleDeploymentServiceWrapper$DeploymentHandlerImpl.endDeployRoles(WLSRoleDeploymentServiceWrapper.java:99)
at weblogic.security.service.RoleManager$HandlerAdaptor.endDeployRoles(RoleManager.java:348)
at weblogic.security.service.RoleManager.endDeployRoles(RoleManager.java:246)
at com.bea.wcp.sip.security.internal.SipSecurityManager.start(SipSecurityManager.java:700)
at com.bea.wcp.sip.engine.server.CanaryContext.activate(CanaryContext.java:580)
at com.bea.wcp.sip.engine.SipContainerServletContextListener.contextInitialized(SipContainerServletContextListener.java:42)
at weblogic.servlet.internal.EventsManager$FireContextListenerAction.run(EventsManager.java:481)
at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:121)
at weblogic.servlet.internal.EventsManager.notifyContextCreatedEvent(EventsManager.java:181)
at weblogic.servlet.internal.WebAppServletContext.preloadResources(Unknown Source)
at weblogic.servlet.internal.WebAppServletContext.start(Unknown Source)
at weblogic.servlet.internal.WebAppModule.startContexts(WebAppModule.java:1512)
at weblogic.servlet.internal.WebAppModule.start(WebAppModule.java:486)
at weblogic.application.internal.flow.ModuleStateDriver$3.next(ModuleStateDriver.java:425)
at weblogic.application.utils.StateMachineDriver.nextState(StateMachineDriver.java:41)
at weblogic.application.internal.flow.ModuleStateDriver.start(ModuleStateDriver.java:119)
at weblogic.application.internal.flow.ScopedModuleDriver.start(ScopedModuleDriver.java:200)
at weblogic.application.internal.flow.ModuleListenerInvoker.start(ModuleListenerInvoker.java:247)
at weblogic.application.internal.flow.ModuleStateDriver$3.next(ModuleStateDriver.java:425)
at weblogic.application.utils.StateMachineDriver.nextState(StateMachineDriver.java:41)
at weblogic.application.internal.flow.ModuleStateDriver.start(ModuleStateDriver.java:119)
at weblogic.application.internal.flow.StartModulesFlow.activate(StartModulesFlow.java:27)
at weblogic.application.internal.BaseDeployment$2.next(BaseDeployment.java:1267)
at weblogic.application.utils.StateMachineDriver.nextState(StateMachineDriver.java:41)
at weblogic.application.internal.BaseDeployment.activate(BaseDeployment.java:409)
at weblogic.application.internal.EarDeployment.activate(EarDeployment.java:58)
at weblogic.application.internal.DeploymentStateChecker.activate(DeploymentStateChecker.java:161)
at weblogic.deploy.internal.targetserver.AppContainerInvoker.activate(AppContainerInvoker.java:79)
at weblogic.deploy.internal.targetserver.operations.AbstractOperation.activate(AbstractOperation.java:569)
at weblogic.deploy.internal.targetserver.operations.ActivateOperation.activateDeployment(ActivateOperation.java:150)
at weblogic.deploy.internal.targetserver.operations.ActivateOperation.doCommit(ActivateOperation.java:116)
at weblogic.deploy.internal.targetserver.operations.StartOperation.doCommit(StartOperation.java:143)
at weblogic.deploy.internal.targetserver.operations.AbstractOperation.commit(AbstractOperation.java:323)
at weblogic.deploy.internal.targetserver.DeploymentManager.handleDeploymentCommit(DeploymentManager.java:844)
at weblogic.deploy.internal.targetserver.DeploymentManager.activateDeploymentList(DeploymentManager.java:1253)
at weblogic.deploy.internal.targetserver.DeploymentManager.handleCommit(DeploymentManager.java:440)
at weblogic.deploy.internal.targetserver.DeploymentServiceDispatcher.commit(DeploymentServiceDispatcher.java:163)
at weblogic.deploy.service.internal.targetserver.DeploymentReceiverCallbackDeliverer.doCommitCallback(DeploymentReceiverCallbackDeliverer.java:195)
at weblogic.deploy.service.internal.targetserver.DeploymentReceiverCallbackDeliverer.access$100(DeploymentReceiverCallbackDeliverer.java:13)
at weblogic.deploy.service.internal.targetserver.DeploymentReceiverCallbackDeliverer$2.run(DeploymentReceiverCallbackDeliverer.java:68)
at weblogic.work.SelfTuningWorkManagerImpl$WorkAdapterImpl.run(SelfTuningWorkManagerImpl.java:528)
at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201)
at weblogic.work.ExecuteThread.run(ExecuteThread.java:173)