Using Java 8 S4U2Proxy - A good example needed


Problem description


I am trying to use S4U2Proxy introduced in Java 8. Unfortunately I was not successful in finding that many examples. My requirement is that the client would send its certificate. I should then delegate (using Kerberos) his request, connect to the KDC, get the TGT, get the service ticket to contact another server on the user's behalf and then finally contact the actual service by providing the service ticket. If Java 8 does not provide a clean approach, can you please point me to other utilities which might solve my requirement.

import java.security.PrivilegedAction;
import javax.security.auth.Subject;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;
import com.sun.security.jgss.ExtendedGSSCredential;

// 'subject' is the Subject holding the service's own Kerberos credentials (from a JAAS login);
// 'clientName' is the login name of the user to impersonate.
Subject.doAs(subject, new PrivilegedAction<Object>() {
    @Override
    public Object run() {
        GSSManager manager = GSSManager.getInstance();
        GSSCredential self = null;
        try {
            GSSName selfUser = manager.createName("serviceWhoWantstoImpersonate", GSSName.NT_USER_NAME);
            Oid krb5Oid = new Oid("1.2.840.113554.1.2.2"); // Kerberos v5 mechanism OID
            // The service's own INITIATE_ONLY credential, backed by its TGT
            self = manager.createCredential(selfUser.canonicalize(krb5Oid), GSSCredential.DEFAULT_LIFETIME, krb5Oid, GSSCredential.INITIATE_ONLY);
            GSSName user = manager.createName(clientName, GSSName.NT_USER_NAME);
            // S4U2Self: ask the KDC for a credential on behalf of the user
            GSSCredential impCred = ((ExtendedGSSCredential) self).impersonate(user);
        } catch (GSSException e) {
            e.printStackTrace();
        }
        return null;
    }
});


Obviously there will be questions about how the SPN has been set in the KDC? Whether that service account is authorized for delegation? Has the right SPN been assigned to that service account? Whether the user "monkey" denies all sorts of delegation? etc etc. Right now I feel I have made the right settings in the KDC. My problem is that the above occurs even before it hits the KDC. Any valid inputs will help.

Edit:

After some research, I was able to perform the S4U2Self and S4U2Proxy using Java 8. Surprised, since at least one example should have been provided by the Oracle documentation. Anyhow, I am now moving to the next stage. Now another scenario that I have to handle is cross-domain Kerberos certificate delegation. From the Java 8 documentation that I have seen so far, it infers that currently cross-realm is not supported. Is it still true?

Recommended answer


I have built a complete standalone demonstration application for the Kerberos SFU extension features in Java 8: https://github.com/ymartin59/java-kerberos-sfudemo


Here is the short code snippet that generates a SPNEGO token with a TGS ticket for an impersonated user:

import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;
import com.sun.security.jgss.ExtendedGSSContext;
import com.sun.security.jgss.ExtendedGSSCredential;

GSSManager manager = GSSManager.getInstance();
GSSName userName = manager.createName("targetUser", GSSName.NT_USER_NAME);
// S4U2Self: 'serviceCredentials' is the service's own INITIATE_ONLY Kerberos credential
GSSCredential impersonatedUserCreds =
  ((ExtendedGSSCredential)serviceCredentials).impersonate(userName);

// Kerberos principal name type, so the SPN is taken literally (realm suffix allowed)
final Oid KRB5_PRINCIPAL_OID = new Oid("1.2.840.113554.1.2.2.1");
GSSName servicePrincipal =
  manager.createName("HTTP/webservice-host.domain.ltd", KRB5_PRINCIPAL_OID);
// S4U2Proxy: a SPNEGO (1.3.6.1.5.5.2) context to the target service, initiated as the user
ExtendedGSSContext extendedContext =
  (ExtendedGSSContext) manager.createContext(servicePrincipal,
                                             new Oid("1.3.6.1.5.5.2"),
                                             impersonatedUserCreds,
                                             GSSContext.DEFAULT_LIFETIME);
// First token of the exchange, to be sent as "Authorization: Negotiate <base64>"
final byte[] token = extendedContext.initSecContext(new byte[0], 0, 0);


Beware that extendedContext is not established yet. Multiple rounds with the server may be required.


Java 8 Kerberos code does not support cross-realm impersonation yet: refer to JDK-8005819


The Java service account may be hosted in one realm and this code can target a service in another realm, as long as that realm is explicitly appended to the SPN, like HTTP/webservice-host.otherdomain.ltd@OTHERDOMAIN.LTD


In the same way, for users known in another realm, you should append it to the login name in the method createName("targetUser@OTHERDOMAIN.LTD", GSSName.NT_USER_NAME)
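The following is an added, self-contained example (not code from the answer, nor from the linked java-kerberos-sfudemo project) that joins the steps the question asks for into one flow: the middle-tier service logs in from its keytab via a programmatic JAAS configuration, calls S4U2Self to obtain a credential for the user, then opens a SPNEGO context to the backend SPN (S4U2Proxy) and drives the multi-round HTTP Negotiate exchange the answer warns about, feeding the server's WWW-Authenticate token back into initSecContext until the context is established. The service principal, keytab path, user name, target SPN and backend URL are placeholders.

```java
import java.net.HttpURLConnection;
import java.net.URL;
import java.security.PrivilegedExceptionAction;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;
import com.sun.security.jgss.ExtendedGSSContext;
import com.sun.security.jgss.ExtendedGSSCredential;

/** Illustrative S4U2Self + S4U2Proxy flow for a middle-tier service (added example, placeholder names). */
public class S4U2ProxyDemo {
    static final Oid KRB5_MECH = oid("1.2.840.113554.1.2.2");            // Kerberos v5 mechanism
    static final Oid KRB5_PRINCIPAL_NAME = oid("1.2.840.113554.1.2.2.1"); // Kerberos principal name type
    static final Oid SPNEGO_MECH = oid("1.3.6.1.5.5.2");                  // SPNEGO, carried by HTTP Negotiate

    static Oid oid(String dotted) {
        try { return new Oid(dotted); } catch (GSSException e) { throw new IllegalStateException(e); }
    }

    /** Programmatic JAAS config: the service logs in from its keytab, no login.conf file needed. */
    static Configuration keytabConfig(String servicePrincipal, String keytabPath) {
        Map<String, String> opts = new HashMap<>();
        opts.put("useKeyTab", "true");
        opts.put("keyTab", keytabPath);
        opts.put("principal", servicePrincipal);
        opts.put("storeKey", "true");
        opts.put("doNotPrompt", "true");
        AppConfigurationEntry entry = new AppConfigurationEntry(
            "com.sun.security.auth.module.Krb5LoginModule",
            AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, opts);
        return new Configuration() {
            @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { entry };
            }
        };
    }

    /** Step 1: the service authenticates to the KDC; its TGT lands in the returned Subject. */
    static Subject loginService(String servicePrincipal, String keytabPath) throws Exception {
        LoginContext lc = new LoginContext("s4u", new Subject(), null, keytabConfig(servicePrincipal, keytabPath));
        lc.login();
        return lc.getSubject();
    }

    /** Step 2 (S4U2Self): derive a credential for the user from the service's own credential. */
    static GSSCredential impersonate(GSSManager manager, String userPrincipal) throws GSSException {
        GSSCredential self = manager.createCredential(null, GSSCredential.DEFAULT_LIFETIME,
                                                      KRB5_MECH, GSSCredential.INITIATE_ONLY);
        GSSName user = manager.createName(userPrincipal, GSSName.NT_USER_NAME);
        return ((ExtendedGSSCredential) self).impersonate(user);
    }

    /** Steps 3-4 (S4U2Proxy): get a ticket for targetSpn as the user and call the backend with it. */
    static int callAsUser(Subject serviceSubject, String userPrincipal, String targetSpn, URL backend)
            throws Exception {
        return Subject.doAs(serviceSubject, (PrivilegedExceptionAction<Integer>) () -> {
            GSSManager manager = GSSManager.getInstance();
            GSSCredential userCred = impersonate(manager, userPrincipal);
            GSSName target = manager.createName(targetSpn, KRB5_PRINCIPAL_NAME);
            ExtendedGSSContext ctx = (ExtendedGSSContext) manager.createContext(
                target, SPNEGO_MECH, userCred, GSSContext.DEFAULT_LIFETIME);
            try {
                byte[] inToken = new byte[0];
                int status = -1;
                // The context is not established after the first token: feed each
                // WWW-Authenticate reply back in until it completes (bounded to 3 rounds).
                for (int round = 0; round < 3 && !ctx.isEstablished(); round++) {
                    byte[] outToken = ctx.initSecContext(inToken, 0, inToken.length);
                    if (outToken == null) break;
                    HttpURLConnection conn = (HttpURLConnection) backend.openConnection();
                    conn.setRequestProperty("Authorization",
                        "Negotiate " + Base64.getEncoder().encodeToString(outToken));
                    status = conn.getResponseCode();
                    String challenge = conn.getHeaderField("WWW-Authenticate");
                    if (challenge == null || !challenge.startsWith("Negotiate ")) break;
                    inToken = Base64.getDecoder().decode(challenge.substring(10).trim());
                }
                return status;
            } finally {
                ctx.dispose();      // release the context and the per-user credential
                userCred.dispose();
            }
        });
    }

    public static void main(String[] args) throws Exception {
        // Placeholders: substitute your service principal, keytab, user and target SPN.
        // For a backend in another realm, append it: "HTTP/webservice-host.otherdomain.ltd@OTHERDOMAIN.LTD".
        Subject svc = loginService("HTTP/middle-tier.domain.ltd@DOMAIN.LTD", "/etc/krb5/middle-tier.keytab");
        int status = callAsUser(svc, "targetUser", "HTTP/webservice-host.domain.ltd",
                                new URL("https://webservice-host.domain.ltd/api"));
        System.out.println("Backend answered HTTP " + status);
    }
}
```

The JAAS login in step 1 is what makes impersonate() work at all: S4U2Self is a TGS request signed with the service's own TGT, so calling it inside Subject.doAs on a Subject that holds no Kerberos credentials fails locally, before any KDC traffic. Running with -Dsun.security.krb5.debug=true prints each KDC exchange and is the quickest way to see whether a failure is client-side or a KDC refusal; the latter is where the delegation settings on the service account (which SPNs it may obtain tickets for, and whether the user is marked as not delegable) come into play.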
