使用HTTP客户端的Kerberos连接 [英] Kerberos connection using HTTP Client

问题描述

我正在使用Kerberos身份验证编写HTTP连接。我有HTTP / 1.1 401 Unauthorized。你能告诉我应该检查什么吗？我认为有一些想法，但我没有看到它。

I'm writing HTTP connection with Kerberos authentication. I have "HTTP/1.1 401 Unauthorized". Could you recommend me what I should check? I think there's somethink trick, but I don't see it.

可能我应该用Negotiate设置标题WWW-Authenticate？

May be I should set header "WWW-Authenticate" with "Negotiate"?

非常感谢您提供任何帮助和想法。

Thank a lot in advanced for any help and ideas.

public class ClientKerberosAuthentication {

    public static void main(String[] args) throws Exception {

        System.setProperty("java.security.auth.login.config", "login.conf");
        System.setProperty("java.security.krb5.conf", "krb5.conf");
        System.setProperty("sun.security.krb5.debug", "true");
        System.setProperty("javax.security.auth.useSubjectCredsOnly","false");

        DefaultHttpClient httpclient = new DefaultHttpClient();
        try {
           NegotiateSchemeFactory nsf = new NegotiateSchemeFactory();
           httpclient.getAuthSchemes().register(AuthPolicy.SPNEGO, nsf);            

           List<String> authpref = new ArrayList<String>();
           authpref.add(AuthPolicy.BASIC);
           authpref.add(AuthPolicy.SPNEGO);
           httpclient.getParams().setParameter(AuthPNames.PROXY_AUTH_PREF, authpref);            


           httpclient.getCredentialsProvider().setCredentials(
                  new AuthScope(null, -1, AuthScope.ANY_REALM, AuthPolicy.SPNEGO), 
                  new UsernamePasswordCredentials("myuser", "mypass"));            

           System.out.println("----------------------------------------");
           HttpUriRequest request = new HttpGet("http://localhost:8084/web-app/webdav/213/_test.docx");
           HttpResponse response = httpclient.execute(request);
           HttpEntity entity = response.getEntity();

           System.out.println("----------------------------------------");
           System.out.println(response.getStatusLine());
           System.out.println("----------------------------------------");
           if (entity != null) {
               System.out.println(EntityUtils.toString(entity));
           }
           System.out.println("----------------------------------------");

           // This ensures the connection gets released back to the manager
           EntityUtils.consume(entity);

        } finally {
           httpclient.getConnectionManager().shutdown();
        }
    }
}

推荐答案

SPNEGO将无效，因为您使用 localhost 作为URL主机名。

SPNEGO will not work because you use localhost as URL hostname.

您的服务器配置为在ActiveDirectory服务帐户上注册的以 HTTP / 开头的SPN（或至少一个）的集合。感谢 setspn -l yourServiceAccount ，您可以从AD查询它们。

Your server is configured for a set of SPNs (or at least one) beginning with HTTP/ registered on the ActiveDirectory service account. You can query them from AD thanks to setspn -l yourServiceAccount.

您的网址必须使用已知的有效服务器主机名作为ActiveDirectory中的SPN，以便Apache Http客户端可以协商此服务的TGS并将其发送到您的服务器。

Your URL must use an effective server hostname known as SPN in ActiveDirectory so that Apache Http Client can negotiate a TGS for this service and send it to your server.

这篇关于使用HTTP客户端的Kerberos连接的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！