|
嗨,我正在尝试使用JAVA和spring设置SSO.为此,我使用此文档:http://docs./spring-security-kerberos/docs/1.0.0.RELEASE/reference/htmlsingle/
和第3段的代码.Scnego谈判.
但它不起作用我得到错误:
org.springframework.security.kerberos.web.authentication.SpnegoAuthenticationProcessingFilter doFilter
WARNING: Negotiate Header was invalid: Negotiate YIIGywYGKwYBBQUCoIIGvzCCBrugMDAuBgkqhkiC9xIBAgIGCSqGSIb3EgECAgYKKwYBBAGCNwICHgYKKwYBBAGCNwICCqKCBoUEggaBYIIGfQYJKoZIhvcSAQICAQBuggZsMIIGaKADAgEFoQMCAQ6iBwMFACAAAACjggTtYYIE6TCCBOWgAwIBBaENGwtCSVVSTy5MT0NBTKIiMCCgAwIBAqEZMBcbBEhUVFAbD3ZtaS5iaXVyby5sb2NhbKOCBKkwggSloAMCARehAwIBDqKCBJcEggSTURM5n5gBXc6mVdBmyns4DHBkvw0gqD1GxkYQQx8dWb/upu5sopCPZoxsir970evZKg6/3iDSOyQuGDzjK1xl0Sqma VNy4ZB9bA5RVCFMZqQT2poicYhaKQbkjazG6GeGUYh7NS91g9qqLXYXtI jeoOPIDwMCAjaEuq4bRN/JqOIZFLinK2qwEM7h62kRVoqF48cxVHdG chwLzHCSorp1 ZimU00nkdLk/WjDd88Om1K 735m2JsvGV4h5eSYiZ19fDF5fpbyDOMk4k2g26IuNeg8VNZhC2MjEi47IiteDu gJKUopjmv1PZ26rtNL78Oawygcxk9F2uIBUoOsCX0S9Nl2aNjfzIxWPlQ0w4kwFCDmsdbzEHD7mfZhNIWQd0CJEhJ 6lrxAXGM7nq86kcFXVE/329G9/HiRtTrnHTwCF4AJCMt4im2OaEjFewgRQZwOqxT72/bGLsbOxYws6Qj0pVJhiXhmRDJiirfjXSzevMp1NANgrfQmlFD W/d2lY8gPLNQmGGNwmY5TQcdngsxI7ALVB1v8acegka 9AxO3b ElypvjePVbhZYH6t6AcJlwu4M7Kka94zDtA0ZTWBLmUCHEh8e470zMj H8kUo6gKSDe tOrtEjmlGHEiJbg2w/0BcpVUtBqmMTeq7Vf0UvGwBK7JZy6GdWJTDMYpJUD 8w9UEb GTWCEDfboQcxCIs8ny6qKK8e92BvIrYgm2jAZM2y4VsOSdfPb21bYHhJybtDVvlLpAVlCY/L0NvcIgNWTdi8UCD7OfROCqqjU2B eftR 1vmhzb7PT/tDm8TXHFcLyNE7W5W/Tp1ncRpq1T7nWbdmefZe8StyfcmxvOje1uMNShWNY3yJFFUUHKsxuz5mvH4tklaPFof7VW1PNTAqAimdCNRIBoWBg7FSKcBnsqOnJoNv8qpvN9nLDwOTlMt3aIREgUxFgLBx2kvU1GbsbhGk10MWZqz/23Xz8BKPmZrE4cTDyCUasKp 7VOkGLDtVtxnLM1vQE1AD8pDRRkrF/EaK3fTNvpsV2dTIzFjFSS89HOGTH8TuNMcnAfFJcn/FRgEI/BJQLDSNB3MRfR 2CwmOaB1rB iYthTDnd965Y4GpKfE7PpYrYrPiXznZ oG2JFt/KwGuPAp54x68PgbFNyi g5fixfsn9o0iGo8UNn6XRNMpZT55jODkIEATZhDWIpPsDMvOnc0wIYZt2Trc0K By/drx hfMYNgFnLCoJZOIbjEEneYKbBdkxeVKjUrHILzucfYSu Eq5He6r9fHTDkHOR23Bn7PmQGZQ8gu7zP7NQE7qvABA8Le4TPWmBGVmnZqYJKlyufFMUmIIuosx6Fe/pBV9 L fMPuGcbUgFINvYWHavKk3fWWHyfS bWhphZxoCQ59HpfvVQ4lCvAnd8c5s/tEVgD 1Sek84zRVh76cCsYa/6ybCNKeHveEJJGcZ6mX7KT3EVzByifgTskk1vieYIoPGCoB67x/h8gZDDXiFboSwNIrXCu2qL5WKuAAAr1eyfh6i zQC5Nw1SoTggdFE0hmLeCqSCAWAwggFcoAMCAReiggFTBIIBT5hccN26LqNklPkMvzsPMEa1y0OIs/pZHZG8ZvCpgxLmu2wpPpt9F2hy sXsBgI63x/ZzS6z6omPMM8g1PdDjUQazYvSly3LKY7I/FX8sq1pRjtXqm0bG5UMk9pcB9t38jpYW/XwZvACJava 6kmyZxiK/jG8yMrsHokmEnIKUu7TPMgFxkBqJx7yZU63LYp55jlyX eWnGYC533pjB1nsWMKy5uMUbYungzrj6qB/q4OMaUNmApNX0OSCPjNYOm0ruvA/A2F7ZuoBSkiztTWgRsuPQuyFE0cU1naqjmVllFEX8ThCXxYwjigU6Ms5mQ6HYddCXSFE5/LCSqafJAj4v3CNmefvUNez dK/ibzPjiGGYQMaZHtrRgLtierTdAmelHIU8wkl5OOOePYLjqUMUVZMA3V 4Eb5nv1eyGI44ltdCNfJME/OEYecl ICC1
org.springframework.security.authentication.BadCredentialsException: GSSContext name of the context initiator is null
at org.springframework.security.kerberos.authentication.sun.SunJaasKerberosTicketValidator$KerberosValidateAction.run(SunJaasKerberosTicketValidator.java:165)
at org.springframework.security.kerberos.authentication.sun.SunJaasKerberosTicketValidator$KerberosValidateAction.run(SunJaasKerberosTicketValidator.java:152)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:422)
at org.springframework.security.kerberos.authentication.sun.SunJaasKerberosTicketValidator.validateTicket(SunJaasKerberosTicketValidator.java:67)
at org.springframework.security.kerberos.authentication.KerberosServiceAuthenticationProvider.authenticate(KerberosServiceAuthenticationProvider.java:64)
at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:167)
at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:192)
at org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter$AuthenticationManagerDelegator.authenticate(WebSecurityConfigurerAdapter.java:456)
at org.springframework.security.kerberos.web.authentication.SpnegoAuthenticationProcessingFilter.doFilter(SpnegoAuthenticationProcessingFilter.java:145)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:205)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:120)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:64)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:91)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:53)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:213)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:176)
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:344)
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:261)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:219)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:106)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:142)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:617)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:518)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1091)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:668)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1521)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1478)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:745)
我的设置是:
服务器:Windows Server 2012 R2
客户端:Windows 8.0
Java服务器:debian上的Tomcat 8
所有机器都只在内部网络的虚拟盒中.
Windows服务器设置:
IP:10.0.0.1
到DNS添加了vmi.biuro.local
还为帐户设置了spn:
setspn -A HTTP/vmi.biuro.local vmi
Keytab文件是由此命令生成的(在Windows服务器下),也是在没有/ kvno的情况下尝试:
ktpass /out c:\wrzuta\vmi.keytab /mapuser vmi@BIURO.LOCAL /princ HTTP/vmi.biuro.local@BIURO.LOCAL /pass ZAQ!2wsx /ptype KRB5_NT
_PRINCIPAL /crypto All /kvno 0
Linux tomcat服务器:
IP:10.0.0.3
在linux机器下我可以使用keytab文件来kinit:
root@debian:/# kinit -kt vmi.keytab HTTP/vmi.biuro.local@BIURO.LOCAL
root@debian:/# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: HTTP/vmi.biuro.local@BIURO.LOCAL
Valid starting Expires Service principal
17.07.2015 10:06:03 17.07.2015 20:06:03 krbtgt/BIURO.LOCAL@BIURO.LOCAL
renew until 18.07.2015 10:06:03
客户:
IP:10.0.0.2
在Internet Explorer中,我将域添加到可信站点.
当我在浏览器中浏览安全内容时,它显示基本的身份验证登录表单,当我输入有效的帐户详细信息时,我得到上面提到的错误.
当我在基本auth弹出窗口中取消取消时,我得到html登录表单,当我输入正确的数据时,我登录成功并在日志下我有:
Debug is true storeKey true useTicketCache false useKeyTab false doNotPrompt false ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false
[Krb5LoginModule] user entered username: grzesiek
principal is grzesiek@BIURO.LOCAL
EncryptionKey: keyType=17 keyBytes (hex dump)=0000: 4B 83 C0 91 5E E5 73 6E 01 3B 2C BC E9 56 DA B1 K...^.sn.;,..V..
EncryptionKey: keyType=16 keyBytes (hex dump)=0000: D5 E3 D0 F4 19 7A FB 94 E6 E5 B0 2A C8 2C 75 1A .....z.....*.,u.
0010: 98 76 97 E3 70 9D A4 46 .v..p..F
EncryptionKey: keyType=23 keyBytes (hex dump)=0000: 83 ED 52 4F AE E6 25 B9 40 6A B5 DE D4 7D 4A 21 ..RO..%.@j....J!
Added server's keyKerberos Principal grzesiek@BIURO.LOCALKey Version 0key EncryptionKey: keyType=17 keyBytes (hex dump)=
0000: 4B 83 C0 91 5E E5 73 6E 01 3B 2C BC E9 56 DA B1 K...^.sn.;,..V..
[Krb5LoginModule] added Krb5Principal grzesiek@BIURO.LOCAL to Subject
Added server's keyKerberos Principal grzesiek@BIURO.LOCALKey Version 0key EncryptionKey: keyType=16 keyBytes (hex dump)=
0000: D5 E3 D0 F4 19 7A FB 94 E6 E5 B0 2A C8 2C 75 1A .....z.....*.,u.
0010: 98 76 97 E3 70 9D A4 46 .v..p..F
[Krb5LoginModule] added Krb5Principal grzesiek@BIURO.LOCAL to Subject
Added server's keyKerberos Principal grzesiek@BIURO.LOCALKey Version 0key EncryptionKey: keyType=23 keyBytes (hex dump)=
0000: 83 ED 52 4F AE E6 25 B9 40 6A B5 DE D4 7D 4A 21 ..RO..%.@j....J!
[Krb5LoginModule] added Krb5Principal grzesiek@BIURO.LOCAL to Subject
Commit Succeeded
[Krb5LoginModule]: Entering logout
[Krb5LoginModule]: logged out Subject
解决方法: 在Linux上,krb5.conf Kerberos配置文件必须在/etc/krb5.conf位置可用,或者应该使用路径传递
-Djava.security.krb5.conf = / path / to / krb5.conf选项. 来源:https://www./content-3-276651.html
|
