Domain authentication with Kerberos fails


Problem description

My app is using Grails, Spring, Kerberos.

applicationContext.xml

<beans 
    ...
    <sec:http entry-point-ref="spnegoEntryPoint">
        <sec:intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY" />
        <sec:custom-filter ref="spnegoAuthenticationProcessingFilter"
            position="BASIC_AUTH_FILTER" />
    </sec:http>

    <bean id="spnegoEntryPoint"
        class="org.springframework.security.kerberos.web.authentication.SpnegoEntryPoint" />

    <bean id="spnegoAuthenticationProcessingFilter"
        class="org.springframework.security.kerberos.web.authentication.SpnegoAuthenticationProcessingFilter">
        <property name="authenticationManager" ref="authenticationManager" />
    </bean>

    <sec:authentication-manager alias="authenticationManager">
        <sec:authentication-provider ref="kerberosServiceAuthenticationProvider" />
    </sec:authentication-manager>

    <bean id="kerberosServiceAuthenticationProvider"
        class="org.springframework.security.kerberos.authentication.KerberosServiceAuthenticationProvider">
        <property name="ticketValidator">
            <bean class="org.springframework.security.kerberos.authentication.sun.SunJaasKerberosTicketValidator">
                <property name="servicePrincipal" value="HTTP/my.host.com@MY.DOMAIN.COM" />
                <property name="keyTabLocation" value="file:/u/tomcat/app/apache-tomcat-7.0.11/lib/http-web.keytab"/>
                <property name="debug" value="true" />
            </bean>
        </property>
        <property name="userDetailsService" ref="dummyUserDetailsService" />
    </bean>

    <bean class="org.springframework.security.kerberos.authentication.sun.GlobalSunJaasKerberosConfig">
        <property name="debug" value="true" />
        <property name="krbConfLocation" value="/etc/krb5.conf" />
    </bean>

    <bean id="dummyUserDetailsService"
        class="com.spring.security.kerberos.sample.user.DummyUserDetailsService" />
</beans>

When I deploy my app and enter my domain login/password in the browser, I get the following request in Fiddler:

GET http://my.host.com:8080/myapp HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: ru-RU
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: my.host.com:8080
Cookie: JSESSIONID=EDE49792033A8FC877427704DBE26D85
Proxy-Connection: Keep-Alive
DNT: 1
Authorization: Negotiate YIIHDw...=

As I understand, Kerberos domain authentication was successful. But on a web page I see:

java.lang.NullPointerException
at org.springframework.security.kerberos.authentication.sun.SunJaasKerberosTicketValidator$KerberosValidateAction.run(SunJaasKerberosTicketValidator.java:162)
at org.springframework.security.kerberos.authentication.sun.SunJaasKerberosTicketValidator$KerberosValidateAction.run(SunJaasKerberosTicketValidator.java:151)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:422)
at org.springframework.security.kerberos.authentication.sun.SunJaasKerberosTicketValidator.validateTicket(SunJaasKerberosTicketValidator.java:66)
at org.springframework.security.kerberos.authentication.KerberosServiceAuthenticationProvider.authenticate(KerberosServiceAuthenticationProvider.java:64)
at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156)
....

NPE appears in line

String user = context.getSrcName().toString();

because context.getSrcName() == null. What's wrong?

P.S.: One more thing: when I enter a wrong password, it asks me for it one more time.

Solution

I've found the solution: just changed jdk1.8 to jdk1.7.
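
A fail-closed way to read the initiator name after `acceptSecContext`, so that a null `getSrcName()` like the one in the question becomes a rejected login instead of a `NullPointerException`. This is an added example, not code from the original post or from spring-security-kerberos; `FailClosedSpnegoAcceptor`, `TicketRejectedException` and `acceptAndGetInitiator` are hypothetical names, the sample token is constructed, and in a real service the method is assumed to run inside `Subject.doAs(...)` for the service principal.

```java
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;

// Added illustration; all class and method names here are hypothetical.
public class FailClosedSpnegoAcceptor {

    /** Single failure type so the web layer can map every rejection to a 401. */
    public static class TicketRejectedException extends Exception {
        TicketRejectedException(String message, Throwable cause) { super(message, cause); }
    }

    // Accepts one token from "Authorization: Negotiate ..." (already base64-decoded)
    // and returns the initiator's principal name, or throws if nobody was authenticated.
    public static String acceptAndGetInitiator(byte[] token) throws TicketRejectedException {
        GSSContext context = null;
        try {
            context = GSSManager.getInstance().createContext((GSSCredential) null);
            context.acceptSecContext(token, 0, token.length);
            if (!context.isEstablished()) {
                // The mechanism expects another round trip: no identity has been proven yet.
                throw new TicketRejectedException("security context not established", null);
            }
            GSSName initiator = context.getSrcName();
            if (initiator == null) {
                // The case from the question: do not dereference, do not treat as success.
                throw new TicketRejectedException("no initiator name in accepted context", null);
            }
            return initiator.toString();
        } catch (GSSException e) {
            throw new TicketRejectedException("token rejected: " + e.getMessage(), e);
        } finally {
            if (context != null) {
                try { context.dispose(); } catch (GSSException ignored) { }
            }
        }
    }

    public static void main(String[] args) {
        byte[] constructed = {0x01, 0x02, 0x03}; // constructed sample, not a real ticket
        try {
            System.out.println("initiator: " + acceptAndGetInitiator(constructed));
        } catch (TicketRejectedException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```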
