How do people make Java SPNEGO client work in Windows?


Problem description

In order to do client-side HTTP SPNEGO authentication with Java on Windows you need to set the Windows Registry key allowtgtsessionkey. This is well documented. What I do not understand is how people get around this. Most corporate sites would never accept changing this registry key in Windows for the sake of a single piece of software. Also think about the hassle if this needs to be changed on every workstation in the organization. But that's just theory, because I've so far been unable to convince any of our customers to change this registry key.

I don't blame them. Most corporate administrators would see this as relaxing the security and would therefore object to it.

I have read this:
Is there a way for Java or command-line tools to obtain a Kerberos ticket for a service using the native SSPI API?

but it is now rather old.

So I really, really don't understand how people can make Windows + Java client + Kerberos work on anything but university environments, home users, and the like.

The question I get from corporate administrators is "why do we need to set this registry key when applications such as IE and Firefox have no problems doing SPNEGO without setting this key?". Well, I know what the answer is. It is (most likely) because applications like IE and Firefox are based on the Windows native GSS API (SSPI) while Sun's Java uses its own implementation.

I'm assuming that using something like WAFFLE would solve the problem, but I would favor a pure Java solution. I'm also assuming that it won't help to use Java-based solutions such as Spring Security or Apache HttpClient, as they will all be suffering from this problem.

Any help or pointers would be greatly appreciated.

UPDATE1

I've found that there's an RFE for this in Oracle's bug database. There's also a patch submitted on the matter by an Oracle employee and discussions on the JDK mailing list about this feature. It doesn't make me much wiser, other than that, as far as I can understand, this is not available in current Java 7, not even as experimental. Right?

UPDATE2

The question is now active again.

Recommended answer

Thanks for referencing my thread on the security-dev mailing list ;-) My mid-term goal is to make this patch available to Java 6+ through the endorsed class path. You might be interested in this WAFFLE ticket which I have created recently: https://github.com/dblock/waffle/issues/50

I have evaluated WAFFLE too, but it is so not-Java-GSS-like that one has to create duplicate code; this is something I want to avoid by all means.

This entire issue is not exactly Oracle's fault. Microsoft is simply blocking any call to the session ticket through the LSA CallPackage function. The pretext is security. I would really like to know how SSPI is able to create a service ticket when I cannot reasonably access the TGT. Therefore such a closed-source solution sucks.

Right now, you have only three options:

  1. Obtain the TGT again through Java means

  2. Try WAFFLE

  3. Write custom code
I have buried the crappy registry key because it does not work for local admins with domain accounts anyway. In my case, Tomcat dev on Windows, I have resorted to calling Java's kinit in the meantime.
