使用Kerberos进行域身份验证失败 [英] Domain authentication with Kerberos fails
问题描述
applicationContext.xml
$ b
<< ; beans
...
< sec:http entry-point-ref =spnegoEntryPoint>
< sec:intercept-url pattern =/ **access =IS_AUTHENTICATED_FULLY/>
< sec:custom-filter ref =spnegoAuthenticationProcessingFilter
position =BASIC_AUTH_FILTER/>
< / sec:http>
< bean id =spnegoEntryPoint
class =org.springframework.security.kerberos.web.authentication.SpnegoEntryPoint/>
< bean id =spnegoAuthenticationProcessingFilter
class =org.springframework.security.kerberos.web.authentication.SpnegoAuthenticationProcessingFilter>
< property name =authenticationManagerref =authenticationManager/>
< / bean>
< sec:authentication-manager alias =authenticationManager>
< sec:authentication-provider ref =kerberosServiceAuthenticationProvider/>
< / sec:authentication-manager>
< bean id =kerberosServiceAuthenticationProvider
class =org.springframework.security.kerberos.authentication.KerberosServiceAuthenticationProvider>
< property name =ticketValidator>
< bean class =org.springframework.security.kerberos.authentication.sun.SunJaasKerberosTicketValidator>
< property name =servicePrincipalvalue =HTTP/my.host.com@MY.DOMAIN.COM/>
< / bean>
< / property>
< property name =userDetailsServiceref =dummyUserDetailsService/>
< / bean>
< bean class =org.springframework.security.kerberos.authentication.sun.GlobalSunJaasKerberosConfig>
< property name =debugvalue =true/>
< property name =krbConfLocationvalue =/ etc / krb5.conf/>
< / bean>
< bean id =dummyUserDetailsService
class =com.spring.security.kerberos.sample.user.DummyUserDetailsService/>
< / beans>
当我部署我的应用并在浏览器中输入我的域名登录名/密码时, Fiddler:
GET http://my.host.com:8080/myapp HTTP / 1.1
Accept:text / html,application / xhtml + xml,* / *
Accept-Language:ru-RU
User-Agent:Mozilla / 5.0(Windows NT 6.1; WOW64; Trident / 7.0; rv:11.0) Gecko
Accept-Encoding:gzip,deflate
Host:my.host.com:8080
Cookie:JSESSIONID = EDE49792033A8FC877427704DBE26D85
Proxy-Connection:保持活动
DNT :1
Authorization:Negotiate YIIHDw ... =
据我所知,Kerberos域身份验证那是成功的。但在网页上,我看到:
java.lang.NullPointerException
at org.springframework.security.kerberos。 authentication.sun.SunJaasKerberosTicketValidator $ KerberosValidateAction.run(SunJaasKerberosTicketValidator.java:162)
at org.springframework.security.kerberos.authentication.sun.SunJaasKerberosTicketValidator $ KerberosValidateAction.run(SunJaasKerberosTicketValidator.java:151)
at java.security.AccessController.doPrivileged(Native方法)
位于javax.security.auth.Subject.doAs(Subject.java:422)
位于org.springframework.security.kerberos.authentication.sun.SunJaasKerberosTicketValidator .validateTicket(SunJaasKerberosTicketValidator.java:66)
at org.springframework.security.kerberos.authentication.KerberosServiceAuthenticationProvider.authenticate(KerberosServiceAuthenticationProvider.java:64)
at org.springframework.security.authentication.ProviderManager.authenticate (ProviderManager.java:156)
....
String user = context.getSrcName()。toString();
因为context.getSrcName()== null。 什么是错?
PS:再一次:当我输入错误的密码时,它再次向我提出要求。
我找到了解决方案:只需将jdk1.8更改为jdk1.7。
My app is using Grails, Spring, Kerberos.
applicationContext.xml
<beans
...
<sec:http entry-point-ref="spnegoEntryPoint">
<sec:intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY" />
<sec:custom-filter ref="spnegoAuthenticationProcessingFilter"
position="BASIC_AUTH_FILTER" />
</sec:http>
<bean id="spnegoEntryPoint"
class="org.springframework.security.kerberos.web.authentication.SpnegoEntryPoint" />
<bean id="spnegoAuthenticationProcessingFilter"
class="org.springframework.security.kerberos.web.authentication.SpnegoAuthenticationProcessingFilter">
<property name="authenticationManager" ref="authenticationManager" />
</bean>
<sec:authentication-manager alias="authenticationManager">
<sec:authentication-provider ref="kerberosServiceAuthenticationProvider" />
</sec:authentication-manager>
<bean id="kerberosServiceAuthenticationProvider"
class="org.springframework.security.kerberos.authentication.KerberosServiceAuthenticationProvider">
<property name="ticketValidator">
<bean class="org.springframework.security.kerberos.authentication.sun.SunJaasKerberosTicketValidator">
<property name="servicePrincipal" value="HTTP/my.host.com@MY.DOMAIN.COM" />
<property name="keyTabLocation" value="file:/u/tomcat/app/apache-tomcat-7.0.11/lib/http-web.keytab"/>
<property name="debug" value="true" />
</bean>
</property>
<property name="userDetailsService" ref="dummyUserDetailsService" />
</bean>
<bean class="org.springframework.security.kerberos.authentication.sun.GlobalSunJaasKerberosConfig">
<property name="debug" value="true" />
<property name="krbConfLocation" value="/etc/krb5.conf" />
</bean>
<bean id="dummyUserDetailsService"
class="com.spring.security.kerberos.sample.user.DummyUserDetailsService" />
</beans>
When I deploy my app and enter my domain login/password in browser, I get the following request in Fiddler:
GET http://my.host.com:8080/myapp HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: ru-RU
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: my.host.com:8080
Cookie: JSESSIONID=EDE49792033A8FC877427704DBE26D85
Proxy-Connection: Keep-Alive
DNT: 1
Authorization: Negotiate YIIHDw...=
As I understand, Kerberos domain authentication was successful. But on a web page I see:
java.lang.NullPointerException
at org.springframework.security.kerberos.authentication.sun.SunJaasKerberosTicketValidator$KerberosValidateAction.run(SunJaasKerberosTicketValidator.java:162)
at org.springframework.security.kerberos.authentication.sun.SunJaasKerberosTicketValidator$KerberosValidateAction.run(SunJaasKerberosTicketValidator.java:151)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:422)
at org.springframework.security.kerberos.authentication.sun.SunJaasKerberosTicketValidator.validateTicket(SunJaasKerberosTicketValidator.java:66)
at org.springframework.security.kerberos.authentication.KerberosServiceAuthenticationProvider.authenticate(KerberosServiceAuthenticationProvider.java:64)
at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156)
....
NPE appears in line
String user = context.getSrcName().toString();
because context.getSrcName() == null. What's wrong?
P.S.: One more moment: when I enter wrong password, it asks on me for it one more time.
I've found the solution: just changed jdk1.8 to jdk1.7.
这篇关于使用Kerberos进行域身份验证失败的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!