|
嗨,我正在嘗試使用JAVA和spring設(shè)置SSO.為此,我使用此文檔:http://docs./spring-security-kerberos/docs/1.0.0.RELEASE/reference/htmlsingle/
和第3段的代碼.Scnego談判.
但它不起作用我得到錯誤:
org.springframework.security.kerberos.web.authentication.SpnegoAuthenticationProcessingFilter doFilter
WARNING: Negotiate Header was invalid: Negotiate YIIGywYGKwYBBQUCoIIGvzCCBrugMDAuBgkqhkiC9xIBAgIGCSqGSIb3EgECAgYKKwYBBAGCNwICHgYKKwYBBAGCNwICCqKCBoUEggaBYIIGfQYJKoZIhvcSAQICAQBuggZsMIIGaKADAgEFoQMCAQ6iBwMFACAAAACjggTtYYIE6TCCBOWgAwIBBaENGwtCSVVSTy5MT0NBTKIiMCCgAwIBAqEZMBcbBEhUVFAbD3ZtaS5iaXVyby5sb2NhbKOCBKkwggSloAMCARehAwIBDqKCBJcEggSTURM5n5gBXc6mVdBmyns4DHBkvw0gqD1GxkYQQx8dWb/upu5sopCPZoxsir970evZKg6/3iDSOyQuGDzjK1xl0Sqma VNy4ZB9bA5RVCFMZqQT2poicYhaKQbkjazG6GeGUYh7NS91g9qqLXYXtI jeoOPIDwMCAjaEuq4bRN/JqOIZFLinK2qwEM7h62kRVoqF48cxVHdG chwLzHCSorp1 ZimU00nkdLk/WjDd88Om1K 735m2JsvGV4h5eSYiZ19fDF5fpbyDOMk4k2g26IuNeg8VNZhC2MjEi47IiteDu gJKUopjmv1PZ26rtNL78Oawygcxk9F2uIBUoOsCX0S9Nl2aNjfzIxWPlQ0w4kwFCDmsdbzEHD7mfZhNIWQd0CJEhJ 6lrxAXGM7nq86kcFXVE/329G9/HiRtTrnHTwCF4AJCMt4im2OaEjFewgRQZwOqxT72/bGLsbOxYws6Qj0pVJhiXhmRDJiirfjXSzevMp1NANgrfQmlFD W/d2lY8gPLNQmGGNwmY5TQcdngsxI7ALVB1v8acegka 9AxO3b ElypvjePVbhZYH6t6AcJlwu4M7Kka94zDtA0ZTWBLmUCHEh8e470zMj H8kUo6gKSDe tOrtEjmlGHEiJbg2w/0BcpVUtBqmMTeq7Vf0UvGwBK7JZy6GdWJTDMYpJUD 8w9UEb GTWCEDfboQcxCIs8ny6qKK8e92BvIrYgm2jAZM2y4VsOSdfPb21bYHhJybtDVvlLpAVlCY/L0NvcIgNWTdi8UCD7OfROCqqjU2B eftR 1vmhzb7PT/tDm8TXHFcLyNE7W5W/Tp1ncRpq1T7nWbdmefZe8StyfcmxvOje1uMNShWNY3yJFFUUHKsxuz5mvH4tklaPFof7VW1PNTAqAimdCNRIBoWBg7FSKcBnsqOnJoNv8qpvN9nLDwOTlMt3aIREgUxFgLBx2kvU1GbsbhGk10MWZqz/23Xz8BKPmZrE4cTDyCUasKp 7VOkGLDtVtxnLM1vQE1AD8pDRRkrF/EaK3fTNvpsV2dTIzFjFSS89HOGTH8TuNMcnAfFJcn/FRgEI/BJQLDSNB3MRfR 2CwmOaB1rB iYthTDnd965Y4GpKfE7PpYrYrPiXznZ oG2JFt/KwGuPAp54x68PgbFNyi g5fixfsn9o0iGo8UNn6XRNMpZT55jODkIEATZhDWIpPsDMvOnc0wIYZt2Trc0K By/drx hfMYNgFnLCoJZOIbjEEneYKbBdkxeVKjUrHILzucfYSu Eq5He6r9fHTDkHOR23Bn7PmQGZQ8gu7zP7NQE7qvABA8Le4TPWmBGVmnZqYJKlyufFMUmIIuosx6Fe/pBV9 L fMPuGcbUgFINvYWHavKk3fWWHyfS bWhphZxoCQ59HpfvVQ4lCvAnd8c5s/tEVgD 1Sek84zRVh76cCsYa/6ybCNKeHveEJJGcZ6mX7KT3EVzByifgTskk1vieYIoPGCoB67x/h8gZDDXiFboSwNIrXCu2qL5WKuAAAr1eyfh6i zQC5Nw1SoTggdFE0hmLeCqSCAWAwggFcoAMCAReiggFTBIIBT5hccN26LqNklPkMvzsPMEa1y0OIs/pZHZG8ZvCpgxLmu2wpPpt9F2hy sXsBgI63x/ZzS6z6omPMM8g1PdDjUQazYvSly3LKY7I/FX8sq1pRjtXqm0bG5UMk9pcB9t38jpYW/XwZvACJava 6kmyZxiK/jG8yMrsHokmEnIKUu7TPMgFxkBqJx7yZU63LYp55jlyX eWnGYC533pjB1nsWMKy5uMUbYungzrj6qB/q4OMaUNmApNX0OSCPjNYOm0ruvA/A2F7ZuoBSkiztTWgRsuPQuyFE0cU1naqjmVllFEX8ThCXxYwjigU6Ms5mQ6HYddCXSFE5/LCSqafJAj4v3CNmefvUNez dK/ibzPjiGGYQMaZHtrRgLtierTdAmelHIU8wkl5OOOePYLjqUMUVZMA3V 4Eb5nv1eyGI44ltdCNfJME/OEYecl ICC1
org.springframework.security.authentication.BadCredentialsException: GSSContext name of the context initiator is null
at org.springframework.security.kerberos.authentication.sun.SunJaasKerberosTicketValidator$KerberosValidateAction.run(SunJaasKerberosTicketValidator.java:165)
at org.springframework.security.kerberos.authentication.sun.SunJaasKerberosTicketValidator$KerberosValidateAction.run(SunJaasKerberosTicketValidator.java:152)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:422)
at org.springframework.security.kerberos.authentication.sun.SunJaasKerberosTicketValidator.validateTicket(SunJaasKerberosTicketValidator.java:67)
at org.springframework.security.kerberos.authentication.KerberosServiceAuthenticationProvider.authenticate(KerberosServiceAuthenticationProvider.java:64)
at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:167)
at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:192)
at org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter$AuthenticationManagerDelegator.authenticate(WebSecurityConfigurerAdapter.java:456)
at org.springframework.security.kerberos.web.authentication.SpnegoAuthenticationProcessingFilter.doFilter(SpnegoAuthenticationProcessingFilter.java:145)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:205)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:120)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:64)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:91)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:53)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:213)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:176)
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:344)
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:261)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:219)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:106)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:142)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:617)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:518)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1091)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:668)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1521)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1478)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:745)
我的設(shè)置是:
服務(wù)器:Windows Server 2012 R2
客戶端:Windows 8.0
Java服務(wù)器:debian上的Tomcat 8
所有機器都只在內(nèi)部網(wǎng)絡(luò)的虛擬盒中.
Windows服務(wù)器設(shè)置:
IP:10.0.0.1
到DNS添加了vmi.biuro.local
還為帳戶設(shè)置了spn:
setspn -A HTTP/vmi.biuro.local vmi
Keytab文件是由此命令生成的(在Windows服務(wù)器下),也是在沒有/ kvno的情況下嘗試:
ktpass /out c:\wrzuta\vmi.keytab /mapuser vmi@BIURO.LOCAL /princ HTTP/vmi.biuro.local@BIURO.LOCAL /pass ZAQ!2wsx /ptype KRB5_NT
_PRINCIPAL /crypto All /kvno 0
Linux tomcat服務(wù)器:
IP:10.0.0.3
在linux機器下我可以使用keytab文件來kinit:
root@debian:/# kinit -kt vmi.keytab HTTP/vmi.biuro.local@BIURO.LOCAL
root@debian:/# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: HTTP/vmi.biuro.local@BIURO.LOCAL
Valid starting Expires Service principal
17.07.2015 10:06:03 17.07.2015 20:06:03 krbtgt/BIURO.LOCAL@BIURO.LOCAL
renew until 18.07.2015 10:06:03
客戶:
IP:10.0.0.2
在Internet Explorer中,我將域添加到可信站點.
當我在瀏覽器中瀏覽安全內(nèi)容時,它顯示基本的身份驗證登錄表單,當我輸入有效的帳戶詳細信息時,我得到上面提到的錯誤.
當我在基本auth彈出窗口中取消取消時,我得到html登錄表單,當我輸入正確的數(shù)據(jù)時,我登錄成功并在日志下我有:
Debug is true storeKey true useTicketCache false useKeyTab false doNotPrompt false ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false
[Krb5LoginModule] user entered username: grzesiek
principal is grzesiek@BIURO.LOCAL
EncryptionKey: keyType=17 keyBytes (hex dump)=0000: 4B 83 C0 91 5E E5 73 6E 01 3B 2C BC E9 56 DA B1 K...^.sn.;,..V..
EncryptionKey: keyType=16 keyBytes (hex dump)=0000: D5 E3 D0 F4 19 7A FB 94 E6 E5 B0 2A C8 2C 75 1A .....z.....*.,u.
0010: 98 76 97 E3 70 9D A4 46 .v..p..F
EncryptionKey: keyType=23 keyBytes (hex dump)=0000: 83 ED 52 4F AE E6 25 B9 40 6A B5 DE D4 7D 4A 21 ..RO..%.@j....J!
Added server's keyKerberos Principal grzesiek@BIURO.LOCALKey Version 0key EncryptionKey: keyType=17 keyBytes (hex dump)=
0000: 4B 83 C0 91 5E E5 73 6E 01 3B 2C BC E9 56 DA B1 K...^.sn.;,..V..
[Krb5LoginModule] added Krb5Principal grzesiek@BIURO.LOCAL to Subject
Added server's keyKerberos Principal grzesiek@BIURO.LOCALKey Version 0key EncryptionKey: keyType=16 keyBytes (hex dump)=
0000: D5 E3 D0 F4 19 7A FB 94 E6 E5 B0 2A C8 2C 75 1A .....z.....*.,u.
0010: 98 76 97 E3 70 9D A4 46 .v..p..F
[Krb5LoginModule] added Krb5Principal grzesiek@BIURO.LOCAL to Subject
Added server's keyKerberos Principal grzesiek@BIURO.LOCALKey Version 0key EncryptionKey: keyType=23 keyBytes (hex dump)=
0000: 83 ED 52 4F AE E6 25 B9 40 6A B5 DE D4 7D 4A 21 ..RO..%.@j....J!
[Krb5LoginModule] added Krb5Principal grzesiek@BIURO.LOCAL to Subject
Commit Succeeded
[Krb5LoginModule]: Entering logout
[Krb5LoginModule]: logged out Subject
解決方法: 在Linux上,krb5.conf Kerberos配置文件必須在/etc/krb5.conf位置可用,或者應(yīng)該使用路徑傳遞
-Djava.security.krb5.conf = / path / to / krb5.conf選項. 來源:https://www./content-3-276651.html
|
