Kerberos sql server datasource in Wildfly 8.2

Question

I have a problem setting up integrated authentication with Kerberos towards a MS Sql Server on Wildfly 8.2.0.

Here's what I've done so far:

  • Managed to get it going on Wildfly 9.0.2, simply because Wildfly 9 contains the "new" login module class org.jboss.security.negotiation.KerberosLoginModule. A security domain configured like this:

<login-module code="org.jboss.security.negotiation.KerberosLoginModule" flag="required" module="org.jboss.security.negotiation">
     <module-option name="storeKey" value="false"/>
     <module-option name="useKeyTab" value="false"/>
     <module-option name="principal" value="app-srv@REALM"/>
     <module-option name="useTicketCache" value="true"/>
     <module-option name="debug" value="true"/>
     <module-option name="refreshKrb5Config" value="true"/>
     <module-option name="isInitiator" value="true"/>
     <module-option name="addGSSCredential" value="true"/>
     <module-option name="delegationCredential" value="USE"/>
</login-module>

works perfectly fine. Before I added "addGSSCredential" to "true" I was getting the error "No matching credentials in Subject!" but then I read what this guy was saying here: https://developer.jboss.org/message/913652#913652.

Now, the problem is that I don't want Wildfly 9, I want to have it set up on Wildfly 8.2. Should be possible right?

So, on Wildfly 8.2:

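  1. Wildfly 8.2 doesn't have the KerberosLoginModule. Instead, use the one specified here
  2. Once I got the Sun login module working on Wildfly 8 (out of the box it fails with a ClassNotFoundException, because the module that loads the login class (org.picketbox) has no dependency on the sun.jdk module, which makes me wonder whether the JBoss guys really tested this), I stumbled upon the same error I had on Wildfly 9 before adding the addGSSCredentials option: "No matching credentials in Subject!"
  3. The problem is that the Sun login module class doesn't support addGSSCredentials.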

So, has anybody ever set up Kerberos for a datasource on Wildfly 8.2 using the Sun class? Or must I upgrade the libraries to get the KerberosLoginModule from jboss-negotiation?

Recommended answer

The only way I can get this to work in WildFly 8.2.1.Final is to update the jboss-negotiation-common-<version>.jar and jboss-negotiation-extras-<version>.jar from 2.2.7.Final to 3.0.2.Final, the version supplied with WildFly 10.1.0.Final (sorry, I didn't try with those from WildFly 9).

You need to update modules\system\layers\base\org\jboss\security\negotiation\main\ to reference the new jars.

Alternatively, you can just replace the entirety of the org.jboss.security.negotiation module with the version included with WildFly 10.1.0.Final.

For reference, my login module in standalone.xml is:

<login-module code="org.jboss.security.negotiation.KerberosLoginModule" flag="required" module="org.jboss.security.negotiation">
    <module-option name="useTicketCache" value="true"/>
    <module-option name="debug" value="true"/>
    <module-option name="refreshKrb5Config" value="true"/>
    <module-option name="addGSSCredential" value="true"/>
</login-module>

I found that I didn't need to set the isInitiator or delegationCredential options.

PS. Thanks for posting this question! I had a lot of problems with Kerberos authentication because I was setting storeKey to true until I came across this.

PSS. I should add that I am not connecting to a MS SQL Server, but to an Apache Phoenix data source, which may explain why I don't need to set some login options.
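
The jar swap described in the answer only takes effect if module.xml in the negotiation module directory names the jars that are actually on disk. The following check is an added example, not code from the question or the answer: it compares the resource-root entries in module.xml with the jar files present. The function names and the minimal module.xml written by build_sample are constructed for illustration; a real module.xml also carries a dependencies section.

```python
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path


def check_module_resources(module_dir):
    """Compare <resource-root path="..."/> entries in module.xml with jars on disk.

    Returns (missing, unreferenced): jars named in module.xml but absent from
    the directory, and jars present in the directory that module.xml ignores.
    """
    module_dir = Path(module_dir)
    root = ET.parse(module_dir / "module.xml").getroot()
    referenced = set()
    for elem in root.iter():
        # module.xml is namespaced (urn:jboss:module:...); match on local name
        if elem.tag.rsplit("}", 1)[-1] == "resource-root" and elem.get("path"):
            referenced.add(elem.get("path"))
    on_disk = {p.name for p in module_dir.glob("*.jar")}
    return sorted(referenced - on_disk), sorted(on_disk - referenced)


def build_sample(module_dir, referenced_version, jar_version):
    """Constructed sample: a minimal module.xml plus empty placeholder jars."""
    module_dir = Path(module_dir)
    names = ["jboss-negotiation-common", "jboss-negotiation-extras"]
    roots = "\n".join(
        f'    <resource-root path="{n}-{referenced_version}.jar"/>' for n in names
    )
    (module_dir / "module.xml").write_text(
        '<module xmlns="urn:jboss:module:1.3" name="org.jboss.security.negotiation">\n'
        f"  <resources>\n{roots}\n  </resources>\n</module>\n"
    )
    for n in names:
        (module_dir / f"{n}-{jar_version}.jar").touch()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        # Jars swapped to 3.0.2.Final but module.xml still names 2.2.7.Final
        build_sample(d, "2.2.7.Final", "3.0.2.Final")
        missing, unreferenced = check_module_resources(d)
        print("referenced but missing:", missing)
        print("present but unreferenced:", unreferenced)
```

Both lists should be empty after the update; a jar that is present but unreferenced is usually the old or new version left behind in the directory.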
