Java 8 更新 161 破坏了 HTTPClient Kerberos 身份验证 [英] Java 8 update 161 breaks HTTPClient Kerberos authentication

查看:41
本文介绍了Java 8 更新 161 破坏了 HTTPClient Kerberos 身份验证的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

我的 HTTPClient Kerberos 身份验证设置类似于 这个.我的 login.conf 看起来像这样:

My HTTPClient Kerberos authentication set up is similar to this one. My login.conf looks like this:

com.sun.security.jgss.login {
  com.sun.security.auth.module.Krb5LoginModule required
  useTicketCache=true
  useKeyTab=true
  storeKey=true
  keyTab=<keytab>
  principal=<principal>;
};
com.sun.security.jgss.initiate {
  com.sun.security.auth.module.Krb5LoginModule required
  useTicketCache=true
  useKeyTab=true
  storeKey=true
  keyTab=<principal>
  principal=<keytab>;
};
com.sun.security.jgss.accept {
  com.sun.security.auth.module.Krb5LoginModule required
  useTicketCache=true
  useKeyTab=true
  storeKey=true
  keyTab=<keytab>
  principal=<principal>;
};

这个设置对我来说用 jdk8u151 一直有效,但 Oracle 最近发布了 jdk8u161,它不再有效.调试看起来像这样:

This setup has been working for me with jdk8u151, but Oracle released jdk8u161 recently, and it no longer works. Debug looks like this:

对比调试日志,jdk8u161停在这一行:

Comparing debug logs, jdk8u161 stops at this line:

CCacheInputStream: readFlags()

CCacheInputStream: readFlags()

而 jdk8u151 遵循这一行

while jdk8u151 follows that line with

不受支持的密钥类型发现默认 TGT:18

unsupported key type found the default TGT: 18

我添加了

default_tkt_enctypes = aes128-cts des3-cbc-sha1 des-cbc-md5 des-cbc-crc
default_tgs_enctypes = aes128-cts des3-cbc-sha1 des-cbc-md5 des-cbc-crc
permitted_enctypes = aes128-cts des3-cbc-sha1 des-cbc-md5 des-cbc-crc

krb5.conf,但它没有帮助.

推荐答案

找到我自己的答案:

  • 从 login.conf 中删除所有 useTicketCache=true
  • rc4-hmac 添加到 default_tkt_enctypesdefault_tgs_enctypespermitted_enctypes
  • Remove all useTicketCache=true from login.conf
  • Add rc4-hmac to default_tkt_enctypes, default_tgs_enctypes, and permitted_enctypes

login.conf 现在看起来像这样:

login.conf now looks like this:

com.sun.security.jgss.login {
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=true
  storeKey=true
  keyTab=<keytab>
  principal=<principal>;
};
com.sun.security.jgss.initiate {
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=true
  storeKey=true
  keyTab=<keytab>
  principal=<principal>;
};
com.sun.security.jgss.accept {
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=true
  storeKey=true
  keyTab=<keytab>
  principal=<principal>;
};

和 krb5.conf:

and krb5.conf:

[libdefaults]
  ...
  default_tkt_enctypes = aes256-cts aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc
  default_tgs_enctypes = aes256-cts aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc
  permitted_enctypes = aes256-cts aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc
  ...

这篇关于Java 8 更新 161 破坏了 HTTPClient Kerberos 身份验证的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!

查看全文
相关文章
Java开发最新文章
热门教程
热门工具
登录 关闭
扫码关注1秒登录
发送“验证码”获取 | 15天全站免登陆