Configure Tomcat for Kerberos and Impersonation


Question

I would like to configure Tomcat to be able to connect to AD and authenticate users accordingly.

In addition, I would also like to invoke some web services (in this case, Share Point) using the client credentials.

So far, I've managed to successfully configure Tomcat to use SPNEGO authentication, as described in the tutorial at http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html. Note that I have used Tomcat's SPNEGO authentication (not Source Forge's or Waffle).

I did not use Source Forge's implementation since I wanted to keep things simple and use Tomcat's as provided out of the box. In addition, I wanted all the authentication and authorization to be handled by Tomcat, using SPNEGO as the authentication method in WEB.XML and Tomcat's JNDI realm for authorization.

Also I have not used WAFFLE, since this is Windows only.

I'm using CXF as my Web Service stack. According to the CXF documentation at http://cxf.apache.org/docs/client-http-transport-including-ssl-support.html#ClientHTTPTransport%28includingSSLsupport%29-SpnegoAuthentication%28Kerberos%29, all you need to do to authenticate with a web service (in my case, Share Point) is to use:

 <conduit name="{http://example.com/}HelloWorldServicePort.http-conduit"
   xmlns="http://cxf.apache.org/transports/http/configuration">
   <authorization>
      <AuthorizationType>Negotiate</AuthorizationType>
      <Authorization>CXFClient</Authorization>
   </authorization>
 </conduit>

and configure CXFClient in jaas.conf (in my case, where Tomcat's server JAAS configuration is located), such that my jaas.conf looks like:

CXFClient {
    com.sun.security.auth.module.Krb5LoginModule required client=true useTicketCache=true debug=true;
};

com.sun.security.jgss.krb5.initiate {
    com.sun.security.auth.module.Krb5LoginModule required
    doNotPrompt=true
    principal="HTTP/tomcatsrv.corporate.intra@CORPORATE.INTRA"
    useKeyTab=true
    keyTab="C:/Program Files/Apache/apache-tomcat-7.0.27/conf/tomcatsrv.keytab"
    storeKey=true
    debug=true;
};

com.sun.security.jgss.krb5.accept {
    com.sun.security.auth.module.Krb5LoginModule required
    doNotPrompt=true
    principal="HTTP/tomcatsrv.corporate.intra@CORPORATE.INTRA"
    useKeyTab=true
    keyTab="C:/Program Files/Apache/apache-tomcat-7.0.27/conf/tomcatsrv.keytab"
    storeKey=true
    debug=true;
};

Yet, when I'm invoking the web service, it is invoked under the service username (i.e. Tomcat's username configured in AD and in tomcatsrv.keytab), rather than the client's username (e.g. duncan.attard).

So my question is this: Is there some way in which the client's username can be delegated (or use some sort of impersonation) to CXF so that when I invoke Share Point's web service (e.g. I want to upload a file using Copy.asmx), the file is uploaded as duncan.attard and not as tomcat.srv?

Thanks all, your help is much appreciated.

Answer

Technically, this works perfectly. Here's the recipe:

  1. If you use credential delegation, you do not need the login module name.
  2. You must make sure that the user account is eligible for delegation.

Take a look at the implementation of Tomcat's GenericPrincipal: it will save you the GSS credential if there is one. Cast request.getPrincipal to GenericPrincipal and get the credential.

Now, say you have the credential:

  1. Construct a Subject with the Principal and the GSSCredential as private credential.
  2. Wrap the CXF code into a PrivilegedAction.
  3. Pass the constructed subject and an instance of your privileged action to the Subject.doAs method; the system will construct an AccessControlContext on behalf of the passed subject and will invoke everything in JAAS on behalf of that context. CXF should use those if it is implemented correctly. This is like su or sudo on Unix.

The easiest way to test that is to create an InitialDirContext in the privileged action on behalf of the client to your Active Directory. This is how I test a working credential delegation environment.
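The recipe above, written out as a Tomcat servlet. This is an added example, not code from the question, the answer or any project: it takes the delegated GSSCredential from Tomcat's GenericPrincipal, builds the Subject, runs the answer's InitialDirContext test inside Subject.doAs, and shows how to hand the same credential to a CXF JAX-WS proxy. The servlet class, the LDAP URL dc.corporate.intra, the asDelegatedClient helper and the CXF request-context key org.ietf.jgss.GSSCredential are assumptions (the key is what CXF's SPNEGO auth supplier is expected to read; check it against the CXF version in use). javax.security.sasl.credentials is the standard SASL property for passing a GSSCredential to the GSSAPI mechanism.

```java
import java.io.IOException;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.Hashtable;

import javax.naming.Context;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.security.auth.Subject;
import javax.security.sasl.Sasl;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.xml.ws.BindingProvider;

import org.apache.catalina.realm.GenericPrincipal;
import org.ietf.jgss.GSSCredential;

/**
 * Hypothetical servlet: runs work on behalf of the SPNEGO-authenticated browser
 * user with the credential the client delegated to Tomcat.
 */
public class DelegatedCallServlet extends HttpServlet {

    // Assumed domain controller for the CORPORATE.INTRA realm from the question.
    private static final String LDAP_URL = "ldap://dc.corporate.intra/";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        final GSSCredential delegated = delegatedCredential(req);
        if (delegated == null) {
            // No forwarded ticket: service account not trusted for delegation, browser
            // not delegating to this SPN, or storeDelegatedCredential disabled on the
            // SPNEGO valve. Fail closed rather than silently acting as tomcat.srv,
            // which is the behaviour the question complains about.
            resp.sendError(HttpServletResponse.SC_FORBIDDEN,
                    "no delegated Kerberos credential for this request");
            return;
        }

        // Step 1 of the answer: Subject with the Principal and the GSSCredential as private credential.
        Subject subject = new Subject();
        subject.getPrincipals().add(req.getUserPrincipal());
        subject.getPrivateCredentials().add(delegated);
        subject.setReadOnly();

        try {
            // Steps 2 and 3: everything inside run() executes with an AccessControlContext
            // bound to 'subject' (the su/sudo step).
            String boundAs = Subject.doAs(subject, new PrivilegedExceptionAction<String>() {
                @Override
                public String run() throws Exception {
                    return bindToAdAs(delegated);
                }
            });
            resp.setContentType("text/plain");
            resp.getWriter().println("LDAP bind succeeded as " + boundAs);
        } catch (PrivilegedActionException e) {
            throw new ServletException("delegated call failed", e.getException());
        }
    }

    /** The delegated GSSCredential that Tomcat's SPNEGO authenticator stored on the principal, or null. */
    static GSSCredential delegatedCredential(HttpServletRequest req) {
        if (!(req.getUserPrincipal() instanceof GenericPrincipal)) {
            return null;
        }
        return ((GenericPrincipal) req.getUserPrincipal()).getGssCredential();
    }

    /**
     * The answer's test: a GSSAPI (SASL) bind to Active Directory using the delegated
     * credential. The bind fails if the forwarded ticket is missing or expired.
     * Returns the principal name the bind was made with, e.g. duncan.attard@CORPORATE.INTRA.
     */
    static String bindToAdAs(GSSCredential cred) throws Exception {
        Hashtable<String, Object> env = new Hashtable<String, Object>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, LDAP_URL);
        env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
        env.put(Sasl.CREDENTIALS, cred); // hand the GSSCredential to the GSSAPI SASL client
        DirContext ctx = new InitialDirContext(env);
        try {
            return cred.getName().toString();
        } finally {
            ctx.close();
        }
    }

    /**
     * For the Copy.asmx call: give the delegated credential to the CXF HTTP conduit instead of
     * letting it log in via the CXFClient JAAS entry. Assumed request-context key; verify
     * against the CXF version in use. The conduit then needs only
     * <AuthorizationType>Negotiate</AuthorizationType>, without the <Authorization> element.
     */
    static <T> T asDelegatedClient(T port, GSSCredential cred) {
        ((BindingProvider) port).getRequestContext().put(GSSCredential.class.getName(), cred);
        return port;
    }
}
```

Before blaming the code when delegatedCredential() returns null, check the three things that must line up: the AD account holding the HTTP/tomcatsrv.corporate.intra SPN is marked as trusted for delegation (the answer's second point), the SPNEGO valve's storeDelegatedCredential attribute is left at its default of true in Tomcat 7, and the browser is willing to forward a ticket to that SPN (Internet Explorer and Chrome only delegate to hosts their policy allows). Unconstrained delegation hands Tomcat the user's full forwarded TGT, so any code path on that server can act as the user against any service; prefer constrained delegation to the Share Point SPN where the environment supports it, and never cache the delegated credential beyond the request that carried it.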
