Java 8更新161破坏了HTTPClient Kerberos身份验证 [英] Java 8 update 161 breaks HTTPClient Kerberos authentication

查看:198
本文介绍了Java 8更新161破坏了HTTPClient Kerberos身份验证的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

我的HTTPClient Kerberos身份验证设置类似于

My HTTPClient Kerberos authentication set up is similar to this one. My login.conf looks like this:

com.sun.security.jgss.login {
  com.sun.security.auth.module.Krb5LoginModule required
  useTicketCache=true
  useKeyTab=true
  storeKey=true
  keyTab=<keytab>
  principal=<principal>;
};
com.sun.security.jgss.initiate {
  com.sun.security.auth.module.Krb5LoginModule required
  useTicketCache=true
  useKeyTab=true
  storeKey=true
  keyTab=<principal>
  principal=<keytab>;
};
com.sun.security.jgss.accept {
  com.sun.security.auth.module.Krb5LoginModule required
  useTicketCache=true
  useKeyTab=true
  storeKey=true
  keyTab=<keytab>
  principal=<principal>;
};

此设置对jdk8u151一直有效,但是Oracle最近发布了jdk8u161,并且不再起作用.调试看起来像这样:

This setup has been working for me with jdk8u151, but Oracle released jdk8u161 recently, and it no longer works. Debug looks like this:

比较调试日志,jdk8u161停止在此行:

Comparing debug logs, jdk8u161 stops at this line:

CCacheInputStream:readFlags()

CCacheInputStream: readFlags()

而jdk8u151则以

while jdk8u151 follows that line with

不受支持的密钥类型找到了默认的TGT:18

unsupported key type found the default TGT: 18

我添加了

default_tkt_enctypes = aes128-cts des3-cbc-sha1 des-cbc-md5 des-cbc-crc
default_tgs_enctypes = aes128-cts des3-cbc-sha1 des-cbc-md5 des-cbc-crc
permitted_enctypes = aes128-cts des3-cbc-sha1 des-cbc-md5 des-cbc-crc

krb5.conf,但这无济于事.

推荐答案

找到了我自己的答案:

  • 从login.conf中删除所有useTicketCache=true
  • rc4-hmac添加到default_tkt_enctypesdefault_tgs_enctypespermitted_enctypes
  • Remove all useTicketCache=true from login.conf
  • Add rc4-hmac to default_tkt_enctypes, default_tgs_enctypes, and permitted_enctypes

login.conf现在看起来像这样:

login.conf now looks like this:

com.sun.security.jgss.login {
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=true
  storeKey=true
  keyTab=<keytab>
  principal=<principal>;
};
com.sun.security.jgss.initiate {
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=true
  storeKey=true
  keyTab=<keytab>
  principal=<principal>;
};
com.sun.security.jgss.accept {
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=true
  storeKey=true
  keyTab=<keytab>
  principal=<principal>;
};

和krb5.conf:

and krb5.conf:

[libdefaults]
  ...
  default_tkt_enctypes = aes256-cts aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc
  default_tgs_enctypes = aes256-cts aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc
  permitted_enctypes = aes256-cts aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc
  ...

这篇关于Java 8更新161破坏了HTTPClient Kerberos身份验证的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!

查看全文
相关文章
Java开发最新文章
热门教程
热门工具
登录 关闭
扫码关注1秒登录
发送“验证码”获取 | 15天全站免登陆