Java 8 update 161 breaks HTTPClient Kerberos authentication
Problem description
My HTTPClient Kerberos authentication set up is similar to this one. My login.conf looks like this:
com.sun.security.jgss.login {
  com.sun.security.auth.module.Krb5LoginModule required
  useTicketCache=true
  useKeyTab=true
  storeKey=true
  keyTab=<keytab>
  principal=<principal>;
};
com.sun.security.jgss.initiate {
  com.sun.security.auth.module.Krb5LoginModule required
  useTicketCache=true
  useKeyTab=true
  storeKey=true
  keyTab=<keytab>
  principal=<principal>;
};
com.sun.security.jgss.accept {
  com.sun.security.auth.module.Krb5LoginModule required
  useTicketCache=true
  useKeyTab=true
  storeKey=true
  keyTab=<keytab>
  principal=<principal>;
};
This setup has been working for me with jdk8u151, but Oracle released jdk8u161 recently, and it no longer works. Debug looks like this:
Comparing debug logs, jdk8u161 stops at this line:
CCacheInputStream: readFlags()
while jdk8u151 follows that line with
unsupported key type found the default TGT: 18
I added
default_tkt_enctypes = aes128-cts des3-cbc-sha1 des-cbc-md5 des-cbc-crc
default_tgs_enctypes = aes128-cts des3-cbc-sha1 des-cbc-md5 des-cbc-crc
permitted_enctypes = aes128-cts des3-cbc-sha1 des-cbc-md5 des-cbc-crc
to krb5.conf, but it didn't help.
Recommended answer
Found my own answer:
- Remove all useTicketCache=true from login.conf
- Add rc4-hmac to default_tkt_enctypes, default_tgs_enctypes, and permitted_enctypes
login.conf now looks like this:
com.sun.security.jgss.login {
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=true
  storeKey=true
  keyTab=<keytab>
  principal=<principal>;
};
com.sun.security.jgss.initiate {
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=true
  storeKey=true
  keyTab=<keytab>
  principal=<principal>;
};
com.sun.security.jgss.accept {
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=true
  storeKey=true
  keyTab=<keytab>
  principal=<principal>;
};
and krb5.conf:
[libdefaults]
...
default_tkt_enctypes = aes256-cts aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc
default_tgs_enctypes = aes256-cts aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc
permitted_enctypes = aes256-cts aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc
...
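
An added example, not part of the original question or answer: the debug line above reports key type 18, which is aes256-cts in the Kerberos enctype registry; the question's enctype lists omit it and the answer's lists include it. This Python sketch parses the three enctype settings and reports, per setting, whether a ticket's enctype is admitted and which listed enctypes are deprecated (single DES by RFC 6649; 3DES and RC4 by RFC 8429). The function names and the make_conf helper are assumptions made for illustration.

```python
import re

# krb5.conf short names -> Kerberos enctype numbers (IANA Kerberos registry).
ETYPE_NUMBERS = {"des-cbc-crc": 1, "des-cbc-md5": 3, "des3-cbc-sha1": 16,
                 "aes128-cts": 17, "aes256-cts": 18, "rc4-hmac": 23}
# Deprecated by RFC 6649 (single DES) and RFC 8429 (3DES, RC4).
DEPRECATED = {"des-cbc-crc", "des-cbc-md5", "des3-cbc-sha1", "rc4-hmac"}
ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes")

def parse_enctypes(conf_text):
    """Return {setting: [enctype names]} read from the [libdefaults] section."""
    found, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
        elif section == "libdefaults" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key in ENCTYPE_KEYS:
                found[key] = [n for n in re.split(r"[\s,]+", value) if n]
    return found

def audit(conf_text, ticket_etype):
    """Per setting: is ticket_etype admitted, and which listed enctypes are deprecated."""
    return {key: {"accepts_ticket": ticket_etype in {ETYPE_NUMBERS.get(n) for n in names},
                  "deprecated": [n for n in names if n in DEPRECATED]}
            for key, names in parse_enctypes(conf_text).items()}

def make_conf(enctypes):
    """Hypothetical helper: build a [libdefaults] section using one list for all settings."""
    return "[libdefaults]\n" + "".join(f"  {k} = {enctypes}\n" for k in ENCTYPE_KEYS)

# Constructed inputs: the enctype lists quoted in the question and in the answer.
QUESTION_CONF = make_conf("aes128-cts des3-cbc-sha1 des-cbc-md5 des-cbc-crc")
ANSWER_CONF = make_conf("aes256-cts aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc")

if __name__ == "__main__":
    for label, conf in (("question", QUESTION_CONF), ("answer", ANSWER_CONF)):
        for key, result in audit(conf, ticket_etype=18).items():
            print(label, key, result)
```
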