Java SPNEGO Authentication & Kerberos Constrained Delegation (KCD) to backend service


Problem description

I have a Java web application which does SPNEGO authentication of clients in a Windows Active Directory environment. To authenticate the user we use code from the good old SPNEGO SourceForge project.

import org.eclipse.jetty.util.B64Code;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

// 'credentials' is the base64 token from the "Authorization: Negotiate ..." header,
// '_targetName' the service principal (e.g. HTTP/host@REALM) this server runs as.
String encodedAuthToken = (String) credentials;
LOG.debug("Encoded auth token: " + encodedAuthToken);
byte[] authToken = B64Code.decode(encodedAuthToken);
GSSManager manager = GSSManager.getInstance();
GSSContext gContext = null;

try {
    // 1.3.6.1.5.5.2 is the SPNEGO pseudo-mechanism OID (Kerberos V5 itself is 1.2.840.113554.1.2.2).
    Oid spnegoOid = new Oid("1.3.6.1.5.5.2");
    GSSName gssName = manager.createName(_targetName, null);
    GSSCredential serverCreds = manager.createCredential(gssName, GSSCredential.INDEFINITE_LIFETIME, spnegoOid, GSSCredential.INITIATE_AND_ACCEPT);
    gContext = manager.createContext(serverCreds);

    // A Kerberos-backed SPNEGO exchange completes in a single call. If a response token comes back
    // while the context is still not established, it must be returned to the client in a
    // "WWW-Authenticate: Negotiate <token>" header, not fed back into acceptSecContext locally.
    byte[] responseToken = gContext.acceptSecContext(authToken, 0, authToken.length);
    if (gContext.isEstablished()) {
        // Login succeeded!
        String clientName = gContext.getSrcName().toString();
        // gContext.getDelegCred() is where a delegated credential, if any, is obtained.
    }
} catch (GSSException e) {
    LOG.warn("SPNEGO authentication failed", e);
} finally {
    if (gContext != null) {
        try { gContext.dispose(); } catch (GSSException ignored) { }
    }
}

The authentication works well, but we also have a requirement to delegate the user credentials to a back-end service (Exchange EWS) using constrained delegation. When configuring this in our AD it looks like a small difference, but it's not. See: AD delegation settings

The difference is described here: msdn.microsoft.com/en-us/library/cc246080.aspx?f=255&MSPPError=-2147217396. With unconstrained delegation we could simply use the available delegated credentials when we call the back-end service and it would all be good:

// The forwarded TGT arrives as a delegated credential on the accepted context; the SourceForge
// SpnegoHttpURLConnection then authenticates to the back end with it.
GSSCredential delegatedCreds = gContext.getDelegCred();
SpnegoHttpURLConnection conn = new SpnegoHttpURLConnection(delegatedCreds);

With constrained delegation we have no access to the user's TGT and it seems we need to use the MS-SFU (S4U2proxy) Kerberos extension, which Java 8 is supposed to support. The only example I could find is this one: https://github.com/ymartin59/java-kerberos-sfudemo (thanks Yves Martin for that!)

Now to my problem... After my authentication I basically end up with the username of the authenticated user (see "clientName" in the code above).

Do we really need to use the S4U2self mechanism to impersonate the user here? The client just sent us its Kerberos service ticket (wrapped in the SPNEGO token I can't decode). Ideally we should be able to use that service ticket and my own service's TGT to authenticate the user (using the S4U2proxy mechanism)? But I do not understand how.

So now I'm wondering if it's possible to tie together our SPNEGO authentication with S4U2proxy delegation?

Many thanks for any input on this.

Recommended answer

I've actually been doing something like this recently but am using Spring Security Kerberos. I put an example on GitHub here. The key thing that I found I needed to set up to use constrained delegation like you want it and S4U2Proxy was to make sure (if you're using Oracle/OpenJDK) you set isInitiator=true in your JAAS config, so that when getDelegCred is called you get back a Krb5ProxyCredential. See comment here. With that credential, you can use it to create service ticket tokens on the user's behalf for the services you are constrained to use, in the normal fashion, like this.
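One way to wire the two halves together, as an added example that is not the answerer's code nor that of the linked projects: the SPNEGO acceptor side, and the S4U2proxy hop to the back end using the proxy credential that getDelegCred() returns under KCD. The JAAS entry, keytab path, principal and SPNs are placeholders, and it assumes the Exchange/IIS side accepts a raw Kerberos token under the Negotiate scheme.

```java
import java.util.Base64;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

// Assumed JAAS entry (principal, keytab path and SPNs below are placeholders):
//   com.sun.security.jgss.accept {
//       com.sun.security.auth.module.Krb5LoginModule required
//           useKeyTab=true storeKey=true keyTab="/etc/krb5/http.keytab"
//           principal="HTTP/webapp.example.com@EXAMPLE.COM"
//           isInitiator=true;   // without this getDelegCred() will not return a Krb5ProxyCredential
//   };
// Run with -Djavax.security.auth.useSubjectCredsOnly=false so JGSS logs in with this entry itself.
public final class S4U2ProxyDelegation {
    private static final Oid KRB5_MECH = new Oid("1.2.840.113554.1.2.2");

    /** Accept the client's SPNEGO token with the default (JAAS-provided) acceptor credential. */
    public static GSSContext acceptClientToken(byte[] spnegoToken) throws GSSException {
        GSSContext acceptor = GSSManager.getInstance().createContext((GSSCredential) null);
        acceptor.acceptSecContext(spnegoToken, 0, spnegoToken.length);
        if (!acceptor.isEstablished()) {
            // Kerberos-backed SPNEGO completes in one leg; anything else is not handled here.
            throw new GSSException(GSSException.DEFECTIVE_TOKEN);
        }
        return acceptor;
    }

    /**
     * Produce the Authorization header value for the back-end call. Under KCD, getDelegCred()
     * returns a proxy credential rather than the user's TGT; initiating a Kerberos context with it
     * makes the JDK run S4U2proxy and obtain a ticket for backendSpn on the user's behalf. The AD
     * account running this service must list backendSpn in its "allowed to delegate to" settings.
     */
    public static String negotiateHeaderFor(GSSContext acceptor, String backendSpn) throws GSSException {
        GSSCredential proxyCred = acceptor.getDelegCred();
        if (proxyCred == null) {
            throw new IllegalStateException("no delegable credential for " + acceptor.getSrcName());
        }
        GSSManager mgr = GSSManager.getInstance();
        GSSName target = mgr.createName(backendSpn, GSSName.NT_HOSTBASED_SERVICE); // e.g. "HTTP@ews.example.com"
        GSSContext outbound = mgr.createContext(target, KRB5_MECH, proxyCred, GSSContext.DEFAULT_LIFETIME);
        outbound.requestMutualAuth(false);           // a one-shot AP-REQ is enough for an HTTP request
        byte[] apReq = outbound.initSecContext(new byte[0], 0, 0);
        return "Negotiate " + Base64.getEncoder().encodeToString(apReq);
    }
}
```

If getDelegCred() comes back null even though the AD delegation settings are in place, the acceptor's login entry is the first thing to check: without isInitiator=true the service has no TGT of its own and cannot perform the S4U2proxy request.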
