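websphere-liberty - IBM IHS dynamic routing does not work for APIs exposed through features (adminCenter/openIDConnect)
Problem description
I have configured dynamicRouting with IHS and a single Liberty (17.x) collective (1 controller, 1 member server), and it works fine for deployed applications. But it does not work for the openidConnect API exposed by the openidConnectClient-1.0 feature.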
<openidConnectClient id="H3HO4HuLimleON8UDZaMqAZXF4yZsvMX"
clientId="H3HO4HuLimleON8UDZaMqAZXF4yZsvMX"
clientSecret="-secret"
issuerIdentifier="https://abc/"
authorizationEndpointUrl="https://abc"
tokenEndpointUrl="https://abc/oauth/token"
jwkEndpointUrl="https://abc/.well-known/jwks.json"
userInfoEndpointUrl="https://abc/userinfo"
userIdentifier="https://abc/userinfo/ab"
groupIdentifier="https://abc/userinfo/cd"
redirectJunctionPath="/was"
accessTokenInLtpaCookie="true"
realmName="defaultRealm"
authnSessionDisabled="false"
mapIdentityToRegistryUser="false"
audiences="openid, https://abc/userinfo"
responseType="code"
scope="openid"
signatureAlgorithm="RS256"
grantType="authorization_code"
>
</openidConnectClient>
The generated plugin-cfg.xml looks like this:
<?xml version="1.0" encoding="UTF-8"?>
<!--HTTP server plugin config file for webserver1 generated on 2021.10.22 at 08:05:10 GMT-->
<!--Merged HTTP server plugin config file-->
<Config ASDisableNagle="false" AcceptAllContent="false" AppServerPortPreference="HostHeader"
ChunkedResponse="false" FIPSEnable="false" IISDisableNagle="false" IISPluginPriority="High"
IgnoreDNSFailures="false" RefreshInterval="60" ResponseChunkSize="64" SSLConsolidate="false"
TrustedProxyEnable="false" VHostMatchingCompat="false">
<Log LogLevel="Error" Name="/opt/IBM/WebSphere/Plugins/logs/webserver1/http_plugin.log"/>
<Property Name="ESIEnable" Value="true"/>
<Property Name="ESIMaxCacheSize" Value="1024"/>
<Property Name="ESIInvalidationMonitor" Value="false"/>
<Property Name="ESIEnableToPassCookies" Value="false"/>
<Property Name="PluginInstallRoot" Value="/opt/IBM/WebSphere/Plugins/"/>
<!-- Configuration generated using httpEndpointRef=defaultHttpEndpoint-->
<!-- The default_host contained only aliases for endpoint defaultHttpEndpoint.
The generated VirtualHostGroup will contain only configured web server ports:
webserverPort=80
webserverSecurePort=443 -->
<Property Name="Keyfile" Value="/opt/IBM/WebSphere/Plugins/config/webserver1/plugin-key.kdb"/>
<Property Name="Stashfile" Value="/opt/IBM/WebSphere/Plugins/config/webserver1/plugin-key.sth"/>
<IntelligentManagement>
<Property name="webserverName" value="webserver1"/>
<ConnectorCluster enabled="true" maxRetries="5" name="defaultCollective" retryInterval="10000">
<Property name="uri" value="/ibm/api/dynamicRouting"/>
<Connector host="was-controller" port="9443" protocol="https">
<Property name="keyring" value="/opt/IBM/WebSphere/Plugins/config/webserver1/plugin-key.kdb"/>
</Connector>
</ConnectorCluster>
<Property name="RoutingRulesConnectorClusterName" value="defaultCollective"/>
</IntelligentManagement>
</Config>
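I can access the openid API directly (https://localhost:9443/...), but if I try to access it through IHS (https://localhost/was-services-openid/redirect/H3HO4HuLimleON8UDZaMqAZXF4yZsvMX...) it returns 404 Not Found.
The same thing happens with the adminCenter URL hosted on the controller server.
I even tried a special routing rule, but it did not change plugin-cfg.xml: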
<dynamicRouting maxRetries="5" retryInterval="10000">
<routingRules webServers="webserver1">
<routingRule order="100" matchExpression="URI LIKE '/was-services-openid%'">
<permitAction>
<loadBalanceEndPoints>
<endpoint destination="cluster=defaultCollective,servicesAppCluster"/>
</loadBalanceEndPoints>
</permitAction>
</routingRule>
</routingRules>
</dynamicRouting>
What am I doing wrong?
Update:
From the IHS server-status page I can see this:
{
"applications": {
"/cell/defaultCollective/application/was-home": {
"editions": {
"": {
"webModules": {
"/cell/defaultCollective/application/was-home/webModule/was-home.war": {
"contextRoot": "/was-home"
}
}
}
}
},
"/cell/defaultCollective/application/was-services": {
"editions": {
"": {
"webModules": {
"/cell/defaultCollective/application/was-services/webModule/was-services.war": {
"contextRoot": "/was-services"
}
}
}
}
}
},
"clusters": {
"/cell/defaultCollective/cluster/was-controller,%2Fwlp%2Fusr:defaultServer": {
"servers": {
"/cell/defaultCollective/node/was-controller,%2Fwlp%2Fusr/server/defaultServer": {
"state": "STARTED",
"weight": 2,
"maintenanceMode": "normal",
"cloneID": "e8c43d41-38fa-4123-8b63-e89d5b913368",
"averageResponseTimeInMillis": 0,
"sessionAffinityCookies": "JSESSIONID",
"outstandingRequests": 0,
"applications": {}
}
}
},
"/cell/defaultCollective/cluster/servicesAppCluster": {
"servers": {
"/cell/defaultCollective/node/e60fc3f43af6,%2Fwlp%2Fusr/server/services-app": {
"state": "STARTED",
"weight": 2,
"maintenanceMode": "normal",
"cloneID": "2b69c058-3953-4cea-a6ca-6f19db78e9de",
"averageResponseTimeInMillis": 0,
"sessionAffinityCookies": "JSESSIONID",
"outstandingRequests": 0,
"applications": {
"was-services": {
"state": "STARTED",
"outstandingRequests": 0
}
}
}
}
},
"/cell/defaultCollective/cluster/homeAppCluster": {
"servers": {
"/cell/defaultCollective/node/ebf4858d8306,%2Fwlp%2Fusr/server/home-app": {
"state": "STARTED",
"weight": 2,
"maintenanceMode": "normal",
"cloneID": "d240a3db-e107-44ed-9640-1084ccc23ea7",
"averageResponseTimeInMillis": 0,
"sessionAffinityCookies": "JSESSIONID",
"outstandingRequests": 0,
"applications": {
"was-home": {
"state": "STARTED",
"outstandingRequests": 0
}
}
}
}
}
},
"version": "ODRLIBX.ODRLIB_a1646.02",
"connectorGroups": {
"defaultCollective": {
"state": "STARTED",
"failures": 0,
"connectors": {
"https://was-controller:9443": {
"state": "STARTED",
"failures": 0
}
}
}
}
}
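There are no contextRoots/applications exposed from features, even though the documentation says that all endpoints will be exposed through dynamic routing - IHS; it only works for deployed application URLs.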
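Solution
Without seeing your overall configuration, we can only guess at some aspects. The only two elements required are that you have the openidConnectClient-1.0 feature installed on one or more servers, and the dynamicRouting-1.0 feature installed on the controller. If that is the case and you are still having problems, you can try looking at the IHS server-status page to see what IHS knows about your collective. You can find details on how to configure the server-status page here:
https://www.ibm.com/support/pages/monitoring-ibm-http-server-connections
Once it is configured, you will need to restart IHS. You should then see the server-status page at:
http://myihs:port/server-status
On the server-status page, look at the Intelligent Management status section at the bottom of the page. In this section you will see a JSON dump of the collective as seen by IHS and the plug-in. You should be able to find
/cell/defaultCollective/application/com.ibm.ws.security.openidconnect.client
in the applications section. Within it will be the contextRoot element for your OIDC connect client.
This would be the first step in isolating the problem.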
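An added example (not part of the original post and not IBM code) of the check the answer describes: it reads the Intelligent Management status JSON, lists each application's contextRoot, and reports whether the OIDC client application key is present. The sample JSON is constructed from the shape shown in the question, and the path-matching rule in `covering_app` is an assumption for illustration.

```python
import json

# Constructed sample, trimmed to the shape of the Intelligent Management
# status JSON in the question (applications -> editions -> webModules).
SAMPLE_STATUS = json.loads("""
{"applications": {
  "/cell/defaultCollective/application/was-home": {"editions": {"": {"webModules": {
    "/cell/defaultCollective/application/was-home/webModule/was-home.war":
      {"contextRoot": "/was-home"}}}}},
  "/cell/defaultCollective/application/was-services": {"editions": {"": {"webModules": {
    "/cell/defaultCollective/application/was-services/webModule/was-services.war":
      {"contextRoot": "/was-services"}}}}}
}}
""")

# Application key the answer says to look for in the applications section.
OIDC_APP = "/cell/defaultCollective/application/com.ibm.ws.security.openidconnect.client"


def context_roots(status):
    """Map each application key to the sorted list of its contextRoot values."""
    roots = {}
    for app, app_data in status.get("applications", {}).items():
        found = set()
        for edition in app_data.get("editions", {}).values():
            for module in edition.get("webModules", {}).values():
                if "contextRoot" in module:
                    found.add(module["contextRoot"])
        roots[app] = sorted(found)
    return roots


def covering_app(status, path):
    """Return the application whose context root covers `path`, else None.
    Assumption: a root covers a path when it equals the path or is followed
    by '/'. Illustrative rule only, not the plug-in's own matching algorithm."""
    best = None
    for app, roots in context_roots(status).items():
        for root in roots:
            base = root.rstrip("/")
            if path == base or path.startswith(base + "/"):
                if best is None or len(base) > len(best[1]):
                    best = (app, base)
    return best[0] if best else None


def oidc_client_published(status):
    """True when the OIDC client application key is in the status dump."""
    return OIDC_APP in status.get("applications", {})
```

Run against a dump shaped like the one in the question, this shows only the two deployed applications' context roots and no entry for the OIDC client.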