首页 > 解决方案 > IBM IHS 动态路由不适用于通过功能 (adminCenter/openIDConnect) 公开的 api

问题描述

我已经使用 IHS 和 Liberty (17.x) 的单个集合(1 个控制器,1 个成员服务器)配置了 dynamicRouting,它对于已部署的应用程序运行良好,但不适用于由 openidConnectClient-1.0 功能公开的 OpenID Connect API。

<!--
  OpenID Connect relying-party (client) definition for the Liberty
  openidConnectClient-1.0 feature. It uses the authorization code flow
  (responseType="code", grantType="authorization_code") against the provider
  named by issuerIdentifier; every provider endpoint is an https URL.

  Review notes:
  - clientSecret is a placeholder here. In a real server.xml keep the secret
    out of plain text (for example encode it with Liberty's securityUtility
    or supply it through a configuration variable) and restrict read access
    to the file.
  - signatureAlgorithm="RS256" together with jwkEndpointUrl means token
    signatures are verified with keys fetched from the provider's JWKS
    document; presumably the provider's signer certificate must be in the
    server's trust store for those https calls (confirm).
  - redirectJunctionPath="/was" inserts a path fragment into the redirect URL
    after host and port. The front-end web server has to route that prefixed
    path, and the resulting URL has to match the redirect URI registered at
    the provider (verify both when the redirect returns 404).
  - accessTokenInLtpaCookie="true" places the access token inside the LTPA
    token, so the SSO cookie then carries a bearer credential; confirm the
    cookie is only ever sent over HTTPS.
  - mapIdentityToRegistryUser="false": the user and groups come from the
    claims named by userIdentifier and groupIdentifier rather than from a
    registry lookup, so authorization depends on those claim values.
-->
<openidConnectClient id="H3HO4HuLimleON8UDZaMqAZXF4yZsvMX"
                     clientId="H3HO4HuLimleON8UDZaMqAZXF4yZsvMX"
                     clientSecret="-secret"
                     issuerIdentifier="https://abc/"
                     authorizationEndpointUrl="https://abc"
                     tokenEndpointUrl="https://abc/oauth/token"
                     jwkEndpointUrl="https://abc/.well-known/jwks.json"
                     userInfoEndpointUrl="https://abc/userinfo"
                     userIdentifier="https://abc/userinfo/ab"
                     groupIdentifier="https://abc/userinfo/cd"
                     redirectJunctionPath="/was"
                     accessTokenInLtpaCookie="true"
                     realmName="defaultRealm"
                     authnSessionDisabled="false"
                     mapIdentityToRegistryUser="false"
                     audiences="openid, https://abc/userinfo"
                     responseType="code"
                     scope="openid"
                     signatureAlgorithm="RS256"
                     grantType="authorization_code"
>
</openidConnectClient>

生成的 plugin-cfg.xml 如下:

    <?xml version="1.0" encoding="UTF-8"?>
<!--HTTP server plugin config file for webserver1 generated on 2021.10.22 at 08:05:10 GMT-->
<!--Merged HTTP server plugin config file-->
<!-- Review note: this file contains no static VirtualHostGroup, UriGroup, Route or
     ServerCluster elements. The only routing source it defines is the
     IntelligentManagement connector further down, which points the plug-in at the
     collective controller. LogLevel is "Error"; presumably a more verbose level is
     needed temporarily to see why a URI is not matched (confirm against the plug-in
     documentation and revert afterwards). -->
<Config ASDisableNagle="false" AcceptAllContent="false" AppServerPortPreference="HostHeader" 
    ChunkedResponse="false" FIPSEnable="false" IISDisableNagle="false" IISPluginPriority="High" 
    IgnoreDNSFailures="false" RefreshInterval="60" ResponseChunkSize="64" SSLConsolidate="false" 
    TrustedProxyEnable="false" VHostMatchingCompat="false">
   <Log LogLevel="Error" Name="/opt/IBM/WebSphere/Plugins/logs/webserver1/http_plugin.log"/>
   <Property Name="ESIEnable" Value="true"/>
   <Property Name="ESIMaxCacheSize" Value="1024"/>
   <Property Name="ESIInvalidationMonitor" Value="false"/>
   <Property Name="ESIEnableToPassCookies" Value="false"/>
   <Property Name="PluginInstallRoot" Value="/opt/IBM/WebSphere/Plugins/"/>
<!-- Configuration generated using httpEndpointRef=defaultHttpEndpoint-->
<!-- The default_host contained only aliases for endpoint defaultHttpEndpoint.
     The generated VirtualHostGroup will contain only configured web server ports:
        webserverPort=80
        webserverSecurePort=443 -->
   <!-- Review note: plugin-key.kdb is the plug-in's key database and plugin-key.sth
        its password stash file. Both should be readable only by the account the web
        server runs as. -->
   <Property Name="Keyfile" Value="/opt/IBM/WebSphere/Plugins/config/webserver1/plugin-key.kdb"/>
   <Property Name="Stashfile" Value="/opt/IBM/WebSphere/Plugins/config/webserver1/plugin-key.sth"/>
   <!-- Review note: the plug-in contacts /ibm/api/dynamicRouting on
        was-controller:9443 over https using the keyring named below; presumably the
        controller's signer certificate has to be trusted in that key database
        (confirm). Routing rules are tied to this connector cluster through
        RoutingRulesConnectorClusterName. -->
   <IntelligentManagement>
      <Property name="webserverName" value="webserver1"/>
      <ConnectorCluster enabled="true" maxRetries="5" name="defaultCollective" retryInterval="10000">
         <Property name="uri" value="/ibm/api/dynamicRouting"/>
         <Connector host="was-controller" port="9443" protocol="https">
            <Property name="keyring" value="/opt/IBM/WebSphere/Plugins/config/webserver1/plugin-key.kdb"/>
         </Connector>
      </ConnectorCluster>
   <Property name="RoutingRulesConnectorClusterName" value="defaultCollective"/>
</IntelligentManagement>
</Config>

我可以直接访问 openid api(https://localhost:9443/...),但如果我尝试通过 IHS 访问它(https://localhost/was-services-openid/redirect/H3HO4HuLimleON8UDZaMqAZXF4yZsvMX...),则返回 404 Not Found。

托管在控制器服务器上的 adminCenter 的 URL 也出现了同样的情况。

我什至尝试了特殊的路由规则,但 plugin-cfg.xml 没有任何变化:

<!--
  Dynamic routing rule for web server "webserver1": a request whose URI matches
  the expression is permitted and load-balanced to the listed endpoint.

  Review notes:
  - URI LIKE '/was-services-openid%' is a prefix match, so it also covers any
    other path that begins with the same characters. Keep the pattern as
    narrow as the endpoints that must be reachable through the web server.
  - The destination names servicesAppCluster in defaultCollective; verify the
    exact destination syntax against the product documentation.
-->
<dynamicRouting maxRetries="5" retryInterval="10000">
    <routingRules webServers="webserver1">
        <routingRule order="100" matchExpression="URI LIKE '/was-services-openid%'">
            <permitAction>
                <loadBalanceEndPoints>
                    <endpoint destination="cluster=defaultCollective,servicesAppCluster"/>
                </loadBalanceEndPoints>
            </permitAction>
        </routingRule>
    </routingRules>
</dynamicRouting>

做错了什么?

更新:

从 IHS 的 server-status 页面我可以看到以下内容:

{
   "applications": {
      "/cell/defaultCollective/application/was-home": {
         "editions": {
            "": {
               "webModules": {
                  "/cell/defaultCollective/application/was-home/webModule/was-home.war": {
                     "contextRoot": "/was-home"
                  }
               }
            }
         }
      },
      "/cell/defaultCollective/application/was-services": {
         "editions": {
            "": {
               "webModules": {
                  "/cell/defaultCollective/application/was-services/webModule/was-services.war": {
                     "contextRoot": "/was-services"
                  }
               }
            }
         }
      }
   },
   "clusters": {
      "/cell/defaultCollective/cluster/was-controller,%2Fwlp%2Fusr:defaultServer": {
         "servers": {
            "/cell/defaultCollective/node/was-controller,%2Fwlp%2Fusr/server/defaultServer": {
               "state": "STARTED",
               "weight": 2,
               "maintenanceMode": "normal",
               "cloneID": "e8c43d41-38fa-4123-8b63-e89d5b913368",
               "averageResponseTimeInMillis": 0,
               "sessionAffinityCookies": "JSESSIONID",
               "outstandingRequests": 0,
               "applications": {}
            }
         }
      },
      "/cell/defaultCollective/cluster/servicesAppCluster": {
         "servers": {
            "/cell/defaultCollective/node/e60fc3f43af6,%2Fwlp%2Fusr/server/services-app": {
               "state": "STARTED",
               "weight": 2,
               "maintenanceMode": "normal",
               "cloneID": "2b69c058-3953-4cea-a6ca-6f19db78e9de",
               "averageResponseTimeInMillis": 0,
               "sessionAffinityCookies": "JSESSIONID",
               "outstandingRequests": 0,
               "applications": {
                  "was-services": {
                     "state": "STARTED",
                     "outstandingRequests": 0
                  }
               }
            }
         }
      },
      "/cell/defaultCollective/cluster/homeAppCluster": {
         "servers": {
            "/cell/defaultCollective/node/ebf4858d8306,%2Fwlp%2Fusr/server/home-app": {
               "state": "STARTED",
               "weight": 2,
               "maintenanceMode": "normal",
               "cloneID": "d240a3db-e107-44ed-9640-1084ccc23ea7",
               "averageResponseTimeInMillis": 0,
               "sessionAffinityCookies": "JSESSIONID",
               "outstandingRequests": 0,
               "applications": {
                  "was-home": {
                     "state": "STARTED",
                     "outstandingRequests": 0
                  }
               }
            }
         }
      }
   },
   "version": "ODRLIBX.ODRLIB_a1646.02",
   "connectorGroups": {
      "defaultCollective": {
         "state": "STARTED",
         "failures": 0,
         "connectors": {
            "https://was-controller:9443": {
               "state": "STARTED",
               "failures": 0
            }
         }
      }
   }
}

其中没有由功能公开的 contextRoot/应用程序。尽管文档说所有端点都会通过动态路由(IHS)公开,但实际上只有已部署应用程序的 URL 可用。

标签: websphere-liberty, ibmhttpserver, dynamic-routing

解决方案


没有看到您的整体配置,我们只能对某些方面进行猜测。只需要满足两个条件:在一台或多台服务器上安装了 openidConnectClient-1.0 功能,并且在控制器上安装了 dynamicRouting-1.0 功能。如果已满足这些条件但仍然遇到问题,可以查看 IHS 的 server-status 页面,了解 IHS 所掌握的集合信息。有关如何配置 server-status 页面的详细信息,请参见:

https://www.ibm.com/support/pages/monitoring-ibm-http-server-connections

完成配置后,需要重新启动 IHS。然后,您应该可以在以下位置看到 server-status 页面(该页面会显示集合的主机名、集群和应用程序等内部信息,因此应只允许受信任的管理地址访问):

http://myihs:port/server-status

在 server-status 页面中,查看页面底部的 Intelligent Management status 部分。在该部分中,您将看到 IHS 和插件所看到的集合的 JSON 转储。您应该可以在 applications 部分找到 /cell/defaultCollective/application/com.ibm.ws.security.openidconnect.client,其中包含您的 OIDC 客户端的 contextRoot 元素。

这将是隔离问题的第一步。

