Java的SSO:对Active Directory的Kerberos身份验证 [英] Java SSO: Kerberos authentication against Active Directory
问题描述
我仍然试图找到SSO一个基于Java的解决方案,我可以使用JBoss的授权针对Active Directory /域控制器(在* nix上运行)。我最初试图通过NTLM要做到这一点,但放弃了,因为这将不支持在Windows Server> = 2008。
I'm still trying to find a Java based solution for SSO (running on *nix), which I can use on JBoss to authorize against an Active Directory/domain controller. I initially tried to do this via NTLM, but gave up because it will be not supported on Windows Server >= 2008.
所以我想实现这个使用Kerberos,但似乎不可能找到一个正确的/工作方案。请点我在正确的方向解释如何建立这样的配置,如何验证对Active Directory和/或域控制器为:
Therefore I'm trying to implement this using Kerberos, but it seems impossible to find a correct/working solution. Please point me in the right direction explaining how to set up such a configuration, how to validate against the Active Directory and/or domain controller in order to:
- 找到了该帐户是有效的,
- 获取用户的组列表
任何帮助是AP preciated!
Any help is appreciated!
更新
我正在使用JCIFS-EXT-0.9.4和JCIFS-krb5-1.3.12的解决方案。我设置的web.xml中,如下所述:
I'm working on a solution using jcifs-ext-0.9.4 and jcifs-krb5-1.3.12. I set up the web.xml as described below:
<web-app>
<!-- servlet / servlet-mapping / welcome-file-list skipped -->
<filter>
<filter-name>auth</filter-name>
<filter-class>jcifs.http.AuthenticationFilter</filter-class>
<init-param>
<param-name>java.security.auth.login.config</param-name>
<param-value>/WEB-INF/login.conf</param-value>
</init-param>
<init-param>
<param-name>jcifs.spnego.servicePrincipal</param-name>
<param-value>HTTP/testconn@mydomain.com</param-value>
</init-param>
<init-param>
<param-name>jcifs.spnego.servicePassword</param-name>
<param-value>supersecret</param-value>
</init-param>
<init-param>
<param-name>sun.security.krb5.debug</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<param-name>java.security.krb5.realm</param-name>
<param-value>mydomain.com</param-value>
</init-param>
<init-param>
<param-name>java.security.krb5.kdc</param-name>
<param-value>testdom01.mydomain.com </param-value>
</init-param>
<init-param>
<param-name>jcifs.smb.client.domain</param-name>
<param-value>TESTDOMAIN</param-value>
</init-param>
<init-param>
<param-name>jcifs.http.enableNegotiate</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<param-name>jcifs.http.basicRealm</param-name>
<param-value>mydomain.com</param-value>
</init-param>
<init-param>
<param-name>jcifs.http.domainController</param-name>
<param-value>testdom01.mydomain.com</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>auth</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
</web-app>
这导致了以下堆栈跟踪,如果试图访问该应用程序:
This leads to the following stacktrace if trying to access the app:
2010-07-22 15:53:10,588 ERROR [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost].[/google].[default]] Servlet.service() for servlet default threw exception
java.lang.ArrayIndexOutOfBoundsException
at java.lang.System.arraycopy(Native Method)
at jcifs.ntlmssp.Type2Message.toByteArray(Type2Message.java:261)
at jcifs.spnego.Authentication.processNtlm(Authentication.java:265)
at jcifs.spnego.Authentication.process(Authentication.java:233)
at jcifs.http.Negotiate.authenticate(Negotiate.java:46)
at jcifs.http.AuthenticationFilter.doFilter(AuthenticationFilter.java:192)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)
at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:175)
at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:74)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:869)
at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:664)
at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
at org.apache.tomcat.util.net.MasterSlaveWorkerThread.run(MasterSlaveWorkerThread.java:112)
at java.lang.Thread.run(Thread.java:619)
任何帮助是AP preciated。
Any help is appreciated.
推荐答案
要做到这一点,你确实需要使用LDAP。幸运的是,Java有两个Kerberos和LDAP坚实的支持。详细的过程是在<一个href="http://java.sun.com/products/jndi/tutorial/ldap/security/gssapi.html">http://java.sun.com/products/jndi/tutorial/ldap/security/gssapi.html
To do this, you actually need to use LDAP. Luckily for you, Java has solid support for both Kerberos and LDAP. The detailed procedure is at http://java.sun.com/products/jndi/tutorial/ldap/security/gssapi.html .
步骤概述: - 要验证的Kerberos - 使用Kerberos假设用户身份 - 执行GSSAPI绑定到Active Directory LDAP服务器 - 取得了LDAP组列表
Overview of steps: - Authenticate to Kerberos - Use Kerberos to assume user identity - Perform GSSAPI bind to Active Directory LDAP server - Retrieve group list over LDAP
这篇关于Java的SSO:对Active Directory的Kerberos身份验证的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
