Hi, I am trying to set up SSO with Java and Spring. For this I am using this documentation: http://docs.spring.io/spring-security-kerberos/docs/1.0.0.RELEASE/reference/htmlsingle/
and the code from section 3, SPNEGO negotiation.
But it does not work; I get this error:
org.springframework.security.kerberos.web.authentication.SpnegoAuthenticationProcessingFilter doFilter
WARNING: Negotiate Header was invalid: Negotiate [base64 SPNEGO token omitted]
org.springframework.security.authentication.BadCredentialsException: GSSContext name of the context initiator is null
    at org.springframework.security.kerberos.authentication.sun.SunJaasKerberosTicketValidator$KerberosValidateAction.run(SunJaasKerberosTicketValidator.java:165)
    at org.springframework.security.kerberos.authentication.sun.SunJaasKerberosTicketValidator$KerberosValidateAction.run(SunJaasKerberosTicketValidator.java:152)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAs(Subject.java:422)
    at org.springframework.security.kerberos.authentication.sun.SunJaasKerberosTicketValidator.validateTicket(SunJaasKerberosTicketValidator.java:67)
    at org.springframework.security.kerberos.authentication.KerberosServiceAuthenticationProvider.authenticate(KerberosServiceAuthenticationProvider.java:64)
    at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:167)
    at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:192)
    at org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter$AuthenticationManagerDelegator.authenticate(WebSecurityConfigurerAdapter.java:456)
    at org.springframework.security.kerberos.web.authentication.SpnegoAuthenticationProcessingFilter.doFilter(SpnegoAuthenticationProcessingFilter.java:145)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
    at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:205)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
    at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:120)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
    at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:64)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
    at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:91)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
    at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:53)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
    at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:213)
    at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:176)
    at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:344)
    at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:261)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:219)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:106)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:142)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
    at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:617)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:518)
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1091)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:668)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1521)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1478)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:745)
My setup is:
Server: Windows Server 2012 R2
Client: Windows 8.0
Java server: Tomcat 8 on Debian
All machines are VirtualBox VMs on an internal network only.
Windows server setup:
IP: 10.0.0.1
Added vmi.biuro.local to DNS
Also set the SPN for the account:
setspn -A HTTP/vmi.biuro.local vmi
The keytab file was generated with this command (on the Windows server); I also tried it without /kvno:
ktpass /out c:\wrzuta\vmi.keytab /mapuser vmi@BIURO.LOCAL /princ HTTP/vmi.biuro.local@BIURO.LOCAL /pass ZAQ!2wsx /ptype KRB5_NT_PRINCIPAL /crypto All /kvno 0
Linux Tomcat server:
IP: 10.0.0.3
On the Linux machine I can kinit with the keytab file:
root@debian:/# kinit -kt vmi.keytab HTTP/vmi.biuro.local@BIURO.LOCAL
root@debian:/# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: HTTP/vmi.biuro.local@BIURO.LOCAL

Valid starting       Expires              Service principal
17.07.2015 10:06:03  17.07.2015 20:06:03  krbtgt/BIURO.LOCAL@BIURO.LOCAL
        renew until 18.07.2015 10:06:03
Client:
IP: 10.0.0.2
In Internet Explorer I added the domain to the trusted sites.
When I browse to the secured content in the browser, it shows a basic authentication login prompt, and when I enter valid account details I get the error mentioned above.
When I cancel the basic auth popup, I get the HTML login form; when I enter correct data I am logged in successfully, and in the log I have:
Debug is true storeKey true useTicketCache false useKeyTab false doNotPrompt false ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false
[Krb5LoginModule] user entered username: grzesiek
principal is grzesiek@BIURO.LOCAL
EncryptionKey: keyType=17 keyBytes (hex dump)=
0000: 4B 83 C0 91 5E E5 73 6E 01 3B 2C BC E9 56 DA B1  K...^.sn.;,..V..
EncryptionKey: keyType=16 keyBytes (hex dump)=
0000: D5 E3 D0 F4 19 7A FB 94 E6 E5 B0 2A C8 2C 75 1A  .....z.....*.,u.
0010: 98 76 97 E3 70 9D A4 46                          .v..p..F
EncryptionKey: keyType=23 keyBytes (hex dump)=
0000: 83 ED 52 4F AE E6 25 B9 40 6A B5 DE D4 7D 4A 21  ..RO..%.@j....J!
Added server's keyKerberos Principal grzesiek@BIURO.LOCALKey Version 0key EncryptionKey: keyType=17 keyBytes (hex dump)=
0000: 4B 83 C0 91 5E E5 73 6E 01 3B 2C BC E9 56 DA B1  K...^.sn.;,..V..
[Krb5LoginModule] added Krb5Principal grzesiek@BIURO.LOCAL to Subject
Added server's keyKerberos Principal grzesiek@BIURO.LOCALKey Version 0key EncryptionKey: keyType=16 keyBytes (hex dump)=
0000: D5 E3 D0 F4 19 7A FB 94 E6 E5 B0 2A C8 2C 75 1A  .....z.....*.,u.
0010: 98 76 97 E3 70 9D A4 46                          .v..p..F
[Krb5LoginModule] added Krb5Principal grzesiek@BIURO.LOCAL to Subject
Added server's keyKerberos Principal grzesiek@BIURO.LOCALKey Version 0key EncryptionKey: keyType=23 keyBytes (hex dump)=
0000: 83 ED 52 4F AE E6 25 B9 40 6A B5 DE D4 7D 4A 21  ..RO..%.@j....J!
[Krb5LoginModule] added Krb5Principal grzesiek@BIURO.LOCAL to Subject
Commit Succeeded
[Krb5LoginModule]: Entering logout
[Krb5LoginModule]: logged out Subject
Solution:
On Linux, the krb5.conf Kerberos configuration file must be available at /etc/krb5.conf, or its path should be passed with the
-Djava.security.krb5.conf=/path/to/krb5.conf option.
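As an added example (not part of the question or the answer above), a minimal krb5.conf for the realm described in the question; it assumes the Windows Server 2012 R2 domain controller at 10.0.0.1 is the KDC for BIURO.LOCAL:

```ini
# Added example krb5.conf for the setup in the question; not from the original post.
# Assumption: the Windows domain controller at 10.0.0.1 is the KDC for BIURO.LOCAL.
[libdefaults]
    default_realm = BIURO.LOCAL
    # With the KDC listed explicitly below, turn off SRV/TXT lookups so a
    # DNS problem cannot silently send the JVM to a different KDC or realm.
    dns_lookup_kdc = false
    dns_lookup_realm = false

[realms]
    BIURO.LOCAL = {
        kdc = 10.0.0.1
        admin_server = 10.0.0.1
    }

[domain_realm]
    # Maps the service host vmi.biuro.local (and anything else under the
    # domain) to the realm, so HTTP/vmi.biuro.local resolves to BIURO.LOCAL.
    .biuro.local = BIURO.LOCAL
    biuro.local = BIURO.LOCAL
```

If the file is not at /etc/krb5.conf, pass -Djava.security.krb5.conf=/path/to/krb5.conf to Tomcat 8 through CATALINA_OPTS (for example in bin/setenv.sh); adding -Dsun.security.krb5.debug=true while diagnosing prints which config file and KDC the JVM actually used.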