Java 8 update 161 breaks HTTPClient Kerberos authentication
Problem description
My HTTPClient Kerberos authentication setup is similar to this one. My login.conf looks like this:
com.sun.security.jgss.login {
    com.sun.security.auth.module.Krb5LoginModule required
    useTicketCache=true
    useKeyTab=true
    storeKey=true
    keyTab=<keytab>
    principal=<principal>;
};
com.sun.security.jgss.initiate {
    com.sun.security.auth.module.Krb5LoginModule required
    useTicketCache=true
    useKeyTab=true
    storeKey=true
    keyTab=<keytab>
    principal=<principal>;
};
com.sun.security.jgss.accept {
    com.sun.security.auth.module.Krb5LoginModule required
    useTicketCache=true
    useKeyTab=true
    storeKey=true
    keyTab=<keytab>
    principal=<principal>;
};
This setup has been working for me with jdk8u151, but Oracle released jdk8u161 recently, and it no longer works. Debug looks like this:
Comparing debug logs, jdk8u161 stops at this line:
CCacheInputStream: readFlags()
while jdk8u151 follows that line with
unsupported key type found the default TGT: 18
I added
default_tkt_enctypes = aes128-cts des3-cbc-sha1 des-cbc-md5 des-cbc-crc
default_tgs_enctypes = aes128-cts des3-cbc-sha1 des-cbc-md5 des-cbc-crc
permitted_enctypes = aes128-cts des3-cbc-sha1 des-cbc-md5 des-cbc-crc
to krb5.conf, but it didn't help.
Recommended answer
Found my own answer:
- Remove all useTicketCache=true from login.conf
- Add rc4-hmac to default_tkt_enctypes, default_tgs_enctypes, and permitted_enctypes
login.conf now looks like this:
com.sun.security.jgss.login {
    com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true
    storeKey=true
    keyTab=<keytab>
    principal=<principal>;
};
com.sun.security.jgss.initiate {
    com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true
    storeKey=true
    keyTab=<keytab>
    principal=<principal>;
};
com.sun.security.jgss.accept {
    com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true
    storeKey=true
    keyTab=<keytab>
    principal=<principal>;
};
and krb5.conf:
[libdefaults]
...
default_tkt_enctypes = aes256-cts aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc
default_tgs_enctypes = aes256-cts aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc
permitted_enctypes = aes256-cts aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc
...
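The 18 in the debug line quoted in the question is the Kerberos encryption type number of aes256-cts, which the question's enctype lists omit and the answer's lists include. The following Python sketch is an added example, not code from the original post: it parses the [libdefaults] enctype lists, reports which lists lack a given etype number, and lists the entries that RFC 6649 and RFC 8429 deprecate (DES, 3DES, RC4). The function names and the sample strings are assumptions, constructed from the enctype lines above.

```python
import re

# IANA Kerberos etype numbers for the enctype names used on this page.
ETYPE_NUMBERS = {"des-cbc-crc": 1, "des-cbc-md5": 3, "des3-cbc-sha1": 16,
                 "aes128-cts": 17, "aes256-cts": 18, "rc4-hmac": 23}
# DES is deprecated by RFC 6649; 3DES and RC4 by RFC 8429.
DEPRECATED = {"des-cbc-crc", "des-cbc-md5", "des3-cbc-sha1", "rc4-hmac"}
ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes",
                "permitted_enctypes")

def parse_enctype_lists(krb5_conf):
    """Return {setting: [enctype names]} read from the [libdefaults] section."""
    section, lists = None, {}
    for raw in krb5_conf.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):   # blank or comment line
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
        elif section == "libdefaults" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key in ENCTYPE_KEYS:
                lists[key] = re.split(r"[,\s]+", value)
    return lists

def audit(krb5_conf, tgt_etype):
    """Return (settings whose list lacks tgt_etype, deprecated names per setting)."""
    lists = parse_enctype_lists(krb5_conf)
    missing = [key for key, names in lists.items()
               if tgt_etype not in {ETYPE_NUMBERS.get(n) for n in names}]
    deprecated = {key: [n for n in names if n in DEPRECATED]
                  for key, names in lists.items()}
    return missing, deprecated

# Constructed inputs: the enctype lines from the question and from the answer.
OLD = "aes128-cts des3-cbc-sha1 des-cbc-md5 des-cbc-crc"
NEW = "aes256-cts aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc"
QUESTION_CONF = "[libdefaults]\n" + "".join(f"{k} = {OLD}\n" for k in ENCTYPE_KEYS)
ANSWER_CONF = "[libdefaults]\n" + "".join(f"{k} = {NEW}\n" for k in ENCTYPE_KEYS)

if __name__ == "__main__":
    for label, conf in (("question", QUESTION_CONF), ("answer", ANSWER_CONF)):
        missing, deprecated = audit(conf, tgt_etype=18)
        print(label, "lists missing etype 18:", missing or "none")
        for key, names in deprecated.items():
            print(f"  {key}: deprecated {names}")
```
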