Using SSPI to get SSO from Java application running on Windows


Question

I have a Java application running on Windows that needs to authenticate to a webapp using Kerberos/SPNEGO. I'm aware of how to configure JAAS to achieve this, but I find the Java (JDK6 and JDK7beta) Kerberos implementation to be lacking a couple important features I need. For example, support for referrals or using the DNS to figure out the realm of a host (I have a multi-realm environment).

Is there a third-party module that can implement authentication using the Windows native SSPI? We've already gone through the trouble of configuring our Windows clients to work within our environment, it'd be nice to not have to do it again for Java. I'm aware of Waffle and its WindowsLoginModule, but it doesn't seem to do SSO as it requires users to re-enter their credentials into the application.

Recommended answer

We've had a similar issue. The main problem for us was that the GSS-API implementation fails when using Windows UAC and we solved it using Waffle.

Waffle is basically a wrapper for the JNA calls to SSPI. We've managed to implement SSO using Waffle by overriding the class sun.net.www.protocol.http.NegotiatorImpl:

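package sun.net.www.protocol.http;

import java.io.IOException;
import waffle.windows.auth.impl.WindowsSecurityContextImpl;

// Replaces the JDK's default Negotiator implementation with one backed by SSPI (via Waffle).
public class NegotiatorImpl extends Negotiator {

    // Service principal name of the target web server: HTTP/<host>
    private String serviceName;

    public NegotiatorImpl(HttpCallerInfo hci) throws IOException {
        this.serviceName = "HTTP/" + hci.host.toLowerCase();
    }

    // First Negotiate token, built from the logged-on user's current Windows credentials.
    @Override
    public byte[] firstToken() throws IOException {
        return WindowsSecurityContextImpl.getCurrent("Negotiate", serviceName).getToken();
    }

    // No continuation token is produced: a server challenge is answered with an empty token.
    @Override
    public byte[] nextToken(byte[] in) throws IOException {
        return new byte[0];
    }
}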

Then you can create a JAR holding only this class and copy it along with the Waffle & JNA JARs to ./jre/lib/endorsed of your JVM. Using the Java Endorsed Standards Override Mechanism of the JVM, this replaces the default Negotiator implementation of the JVM.
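
To confirm which JAR the JVM actually takes NegotiatorImpl from, and to audit what else sits in the endorsed directories (JARs there are placed ahead of the JDK's own classes), the following is an added example that is not part of the original answer. The class name EndorsedOverrideAudit is hypothetical, and it assumes a JVM that still has the java.endorsed.dirs property (the mechanism was removed in Java 9).

```java
import java.io.File;
import java.io.IOException;
import java.net.URL;
import java.util.Enumeration;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

// Hypothetical audit helper (added example, not from the original answer).
public class EndorsedOverrideAudit {
    // Resource name of the class the answer replaces.
    static final String TARGET = "sun/net/www/protocol/http/NegotiatorImpl.class";

    public static void main(String[] args) throws IOException {
        // Which JAR does the running JVM resolve the class bytes from?
        URL origin = ClassLoader.getSystemResource(TARGET);
        System.out.println("NegotiatorImpl resolved from: " + origin);

        String dirs = System.getProperty("java.endorsed.dirs");
        if (dirs == null) {
            System.out.println("java.endorsed.dirs is not set in this JVM");
            return;
        }
        for (String dir : dirs.split(File.pathSeparator)) {
            File[] files = new File(dir).listFiles();
            if (files == null) continue; // directory does not exist
            for (File f : files) {
                if (f.getName().toLowerCase().endsWith(".jar")) report(f);
            }
        }
    }

    // Lists every class an endorsed JAR supplies in JDK-owned packages.
    static void report(File jar) throws IOException {
        JarFile jf = new JarFile(jar);
        try {
            for (Enumeration<JarEntry> e = jf.entries(); e.hasMoreElements();) {
                String name = e.nextElement().getName();
                if (name.endsWith(".class")
                        && (name.startsWith("sun/") || name.startsWith("java/"))) {
                    System.out.println(jar + " supplies " + name);
                }
            }
        } finally {
            jf.close();
        }
    }
}
```

Run it with the same JVM the application uses; an origin pointing at rt.jar means the replacement class was not picked up.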
