Kerberos broken after upgrading from Java6 to Java7
Problem description
I have a working application using the spring-security kerberos extension, running on jboss, running java 6.
I'm in the process of upgrading my jvm from java 6 to java 7. When I do that, using the same codebase and the same keytab that worked on java 6, I now receive an error when using java 7.
I consistently receive: java.security.PrivilegedActionException: GSSException: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - RC4 with HMAC)
I've tried to regenerate the keytab with the different /crypto options that have been described in other forums to no avail.
I have debugged the java 7 code and indeed, the classes that deal with reading the keytab on startup changed from 6 to 7. Could it be that my keytab isn't being read into the app correctly anymore? Some of the debug messages that I see on startup using Java6 don't appear anymore in 7, but I can't tell if that's by design or if that indicates something else is in play? Has anybody else had problems upgrading from 6 to 7 and had their kerberos integration break on them? Any advice?
With spnego and kerberos debug logging on for startup, my log shows:
2012-12-10 10:29:30,886 Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator false KeyTab is jndi:/localhost/docfinity/WEB-INF/classes/config/common/security/http-docfinity.keytab refreshKrb5Config is false principal is HTTP/VMMSSDEV.TESTING.LOCAL@TESTING.LOCAL tryFirstPass is false useFirstPass is false storePass is false clearPass is false
2012-12-10 10:30:26,322 principal is HTTP/VMMSSDEV.TESTING.LOCAL@TESTING.LOCAL
2012-12-10 10:30:29,794 Will use keytab
2012-12-10 10:30:29,807 Ordering keys wrt default_tkt_enctypes list
2012-12-10 10:30:29,821 Config name: C:\Windows\krb5.ini
2012-12-10 10:30:29,827 Using builtin default etypes for default_tkt_enctypes
2012-12-10 10:30:29,832 default etypes for default_tkt_enctypes:
2012-12-10 10:30:29,837 17 aes128-cts-hmac-sha1-96
2012-12-10 10:30:29,839 16 des3-cbc-sha1-kd
2012-12-10 10:30:29,842 23 rc4-hmac
2012-12-10 10:30:29,846 1 des-cbc-crc
2012-12-10 10:30:29,849 3 des-cbc-md5
2012-12-10 10:30:29,851 .
2012-12-10 10:30:29,855 Commit Succeeded
One other question - you'll see it's trying to read C:\Windows\krb5.ini. I don't have such a file on my server. Do I need one? I didn't have one with java 6 either and that worked.
aaron
Recommended answer
Yes! We patched SunJaasKerberosTicketValidator to look like this and it worked:
    String keyTabPath = this.keyTabLocation.getURL().toExternalForm();
    String runtimeVersion = System.getProperty("java.version");
    if (runtimeVersion.startsWith("1.7"))
    {
        LOG.info("Detected jdk 7. Modifying keytabpath");
        if (keyTabPath != null)
        {
            if (keyTabPath.startsWith("file:"))
            {
                // strip the "file:" scheme prefix so a plain path reaches LoginConfig
                keyTabPath = keyTabPath.substring(5);
            }
        }
    }
    LOG.info("KeyTabPath: " + keyTabPath);
    LoginConfig loginConfig = new LoginConfig(keyTabPath, this.servicePrincipal, this.debug);
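As an added diagnostic, not taken from the question, the answer or spring-security itself, the following Java 7 program converts the Resource URL to a filesystem path without the substring(5) shortcut and then uses the javax.security.auth.kerberos.KeyTab API (public since Java 7) to check whether the keytab actually holds a key of the enctype named in the error (23, rc4-hmac) for the service principal. The keytab URL in main is a placeholder; the principal is the one from the log above.

```java
import java.io.File;
import java.net.URI;
import java.net.URISyntaxException;
import java.nio.file.Paths;
import javax.security.auth.kerberos.KerberosKey;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.kerberos.KeyTab;

public class KeytabCheck {
    // Enctype number for rc4-hmac, as listed in the debug log (RFC 4757).
    static final int RC4_HMAC = 23;
    // Convert Resource.getURL().toExternalForm() output to a filesystem path.
    // Unlike substring(5), this handles "file:///C:/..." and percent-encoded characters.
    static String keytabPathFromUrl(String externalForm) {
        if (!externalForm.startsWith("file:")) {
            return externalForm; // other schemes (e.g. jndi:) are left to the caller
        }
        try {
            return Paths.get(new URI(externalForm)).toString();
        } catch (URISyntaxException | IllegalArgumentException e) {
            return externalForm.substring("file:".length()); // fallback: strip scheme only
        }
    }

    // Print the enctypes the keytab holds for the principal and report whether the wanted one is present.
    static boolean hasKeyOfType(File keytabFile, String principalName, int etype) {
        KeyTab kt = KeyTab.getInstance(keytabFile);
        if (!kt.exists()) {
            throw new IllegalStateException("keytab not found or unreadable: " + keytabFile);
        }
        boolean found = false;
        for (KerberosKey k : kt.getKeys(new KerberosPrincipal(principalName))) {
            System.out.println("kvno=" + k.getVersionNumber() + " etype=" + k.getKeyType());
            found |= k.getKeyType() == etype;
        }
        return found;
    }

    public static void main(String[] args) {
        // Placeholder values; pass the real keytab URL and service principal as arguments.
        String url = args.length > 0 ? args[0] : "file:///C:/path/to/http-service.keytab";
        String principal = args.length > 1 ? args[1] : "HTTP/VMMSSDEV.TESTING.LOCAL@TESTING.LOCAL";
        File keytab = new File(keytabPathFromUrl(url));
        if (hasKeyOfType(keytab, principal, RC4_HMAC)) {
            System.out.println("keytab has an rc4-hmac key for " + principal);
        } else {
            System.out.println("no rc4-hmac key for " + principal + ": expect the 'Cannot find key of appropriate type' error");
        }
    }
}
```

If the check passes but the login still fails, compare the kvno printed here with the one the KDC issues; a stale keytab after a password reset produces the same symptom.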