After setting up SSO on Tomcat, accessing it from IE on the same machine produced the following error:

HTTP Status 500 – Internal Server Error

Type Exception Report

Message GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)

Description The server encountered an unexpected condition that prevented it from fulfilling the request.

Exception
    javax.servlet.ServletException: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
        net.sourceforge.spnego.SpnegoHttpFilter.doFilter(SpnegoHttpFilter.java:287)

Root Cause
    GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
        sun.security.jgss.GSSHeader.<init>(Unknown Source)
        sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
        sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
        net.sourceforge.spnego.SpnegoAuthenticator.doSpnegoAuth(SpnegoAuthenticator.java:487)
        net.sourceforge.spnego.SpnegoAuthenticator.authenticate(SpnegoAuthenticator.java:327)
        net.sourceforge.spnego.SpnegoHttpFilter.doFilter(SpnegoHttpFilter.java:283)

Note The full stack trace of the root cause is available in the server logs.

Apache Tomcat/8.5.24
This is not really a problem with the configuration: accessing the same URL from IE on a different machine works. The message means the SPNEGO filter received a token whose first byte is not the 0x60 tag that begins a GSS-API InitialContextToken. When IE runs on the server itself it typically sends an NTLM token instead of a Kerberos one, and the filter cannot accept that.
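To make the error concrete, the following added example (not code from the post or from the spnego project) decodes an Authorization header the way the filter's GSS layer does and reports which kind of token the browser actually sent: an NTLM message (starts with the "NTLMSSP\0" signature), a SPNEGO token (0x60 tag followed by OID 1.3.6.1.5.5.2), a raw Kerberos token (OID 1.2.840.113554.1.2.2) or Basic credentials. The sample header values are constructed inline; the NTLM and SPNEGO bodies are placeholders, not captured traffic.

```python
import base64
import struct

# DER-encoded OID values (what follows the 0x06 tag and length byte)
SPNEGO_OID = bytes.fromhex("2b0601050502")        # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("2a864886f712010202")    # 1.2.840.113554.1.2.2
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"

# What each classification means for the "GSSHeader did not find the right tag" error
EXPLANATION = {
    "ntlm": "NTLM token: first byte is 'N' (0x4E), not 0x60; usually IE on the server itself or a host "
            "without a Kerberos ticket. Test from another machine or handle NTLM explicitly.",
    "spnego": "SPNEGO token: the expected case, accepted by SpnegoHttpFilter.",
    "kerberos": "Raw Kerberos token: accepted by the GSS layer.",
    "basic": "Basic credentials: the fallback enabled by spnego.allow.basic.",
    "unknown": "Neither NTLM nor a well-formed GSS-API token.",
}


def _der_length(n):
    """Encode a DER length (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _read_der_length(buf, pos):
    """Decode a DER length at buf[pos]; return (length, position after it)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or n > 4 or pos + 1 + n > len(buf):
        raise ValueError("malformed DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def initial_context_token(oid, inner):
    """Build an RFC 2743 InitialContextToken: 0x60 <len> 0x06 <oidlen> <oid> <inner>."""
    body = b"\x06" + _der_length(len(oid)) + oid + inner
    return b"\x60" + _der_length(len(body)) + body


def classify_token(raw):
    """Classify the decoded bytes of a Negotiate token."""
    if raw.startswith(NTLMSSP_SIGNATURE):
        return "ntlm"
    if not raw or raw[0] != 0x60:          # the tag GSSHeader looks for
        return "unknown"
    try:
        _, pos = _read_der_length(raw, 1)
        if raw[pos] != 0x06:               # mechanism OID must follow
            return "unknown"
        oid_len, pos = _read_der_length(raw, pos + 1)
    except (ValueError, IndexError):
        return "unknown"
    oid = raw[pos:pos + oid_len]
    if oid == SPNEGO_OID:
        return "spnego"
    if oid == KRB5_OID:
        return "kerberos"
    return "unknown"


def classify_authorization_header(value):
    """Classify a raw Authorization header value ("Negotiate <b64>" or "Basic <b64>")."""
    scheme, _, payload = value.strip().partition(" ")
    scheme = scheme.lower()
    if scheme == "basic":
        return "basic"
    if scheme != "negotiate":
        return "unknown"
    try:
        raw = base64.b64decode(payload.strip(), validate=True)
    except ValueError:                     # binascii.Error is a ValueError
        return "unknown"
    return classify_token(raw)


def _ntlm_type1():
    # Constructed NTLM NEGOTIATE_MESSAGE skeleton: signature, type 1, flags, empty fields
    return NTLMSSP_SIGNATURE + struct.pack("<I", 1) + struct.pack("<I", 0xE2088297) + b"\x00" * 16


# Constructed sample headers standing in for what different clients would send
SAMPLES = {
    "local IE (NTLM)": "Negotiate " + base64.b64encode(_ntlm_type1()).decode(),
    "remote IE (SPNEGO)": "Negotiate " + base64.b64encode(
        initial_context_token(SPNEGO_OID, b"\xa0\x00")).decode(),       # placeholder NegTokenInit
    "raw Kerberos": "Negotiate " + base64.b64encode(
        initial_context_token(KRB5_OID, b"\x01\x00" + b"<constructed AP-REQ>")).decode(),
    "Basic fallback": "Basic " + base64.b64encode(b"alice:example-password").decode(),
}

if __name__ == "__main__":
    for label, header in SAMPLES.items():
        kind = classify_authorization_header(header)
        print(f"{label:20s} -> {kind:8s} {EXPLANATION[kind]}")
```

Run it against the Authorization header captured from a failing request (for example from Tomcat's request dump valve or the browser's developer tools) to confirm that the local-IE case is sending NTLM rather than Kerberos before changing the Kerberos configuration.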
Here is an example krb5.conf (placed in C:\Program Files (x86)\Apache Software Foundation\Tomcat 8.5):
[libdefaults]
default_realm = BIB.BIZ
default_tkt_enctypes = rc4-hmac des-cbc-md5
default_tgs_enctypes = rc4-hmac des-cbc-md5
permitted_enctypes = rc4-hmac des-cbc-md5
[realms]
BIB.BIZ = {
kdc = addom01.bib.biz:88
default_domain = bib.biz
}
[domain_realm]
.bib.biz = BIB.BIZ
And an example login.conf (same directory, C:\Program Files (x86)\Apache Software Foundation\Tomcat 8.5):
spnego-client {
    com.sun.security.auth.module.Krb5LoginModule required;
};

spnego-server {
    com.sun.security.auth.module.Krb5LoginModule required
    isInitiator=false
    storeKey=true
    useKeyTab=true
    keyTab="tomcat.keytab"
    debug=true
    principal="HTTP/wapp83.bib.biz@BIB.BIZ";
};
Finally, the small change to web.xml (C:\Program Files (x86)\Apache Software Foundation\Tomcat 8.5\conf); the filter is inserted after the commented-out ssi filter-mapping and before the Default Session Configuration block:
<!--
    <filter-mapping>
        <filter-name>ssi</filter-name>
        <url-pattern>*.shtml</url-pattern>
    </filter-mapping>
-->

    <filter>
        <filter-name>SpnegoHttpFilter</filter-name>
        <filter-class>net.sourceforge.spnego.SpnegoHttpFilter</filter-class>

        <!-- autheNtication (authN) parameters -->
        <init-param>
            <param-name>spnego.allow.basic</param-name>
            <param-value>true</param-value>
        </init-param>
        <init-param>
            <param-name>spnego.allow.localhost</param-name>
            <param-value>false</param-value>
        </init-param>
        <init-param>
            <param-name>spnego.allow.unsecure.basic</param-name>
            <param-value>true</param-value>
        </init-param>
        <init-param>
            <param-name>spnego.login.client.module</param-name>
            <param-value>spnego-client</param-value>
        </init-param>
        <init-param>
            <param-name>spnego.krb5.conf</param-name>
            <param-value>krb5.conf</param-value>
        </init-param>
        <init-param>
            <param-name>spnego.login.conf</param-name>
            <param-value>login.conf</param-value>
        </init-param>
        <init-param>
            <param-name>spnego.preauth.username</param-name>
            <param-value/>
        </init-param>
        <init-param>
            <param-name>spnego.preauth.password</param-name>
            <param-value/>
        </init-param>
        <init-param>
            <param-name>spnego.login.server.module</param-name>
            <param-value>spnego-server</param-value>
        </init-param>
        <init-param>
            <param-name>spnego.prompt.ntlm</param-name>
            <param-value>true</param-value>
        </init-param>
        <init-param>
            <param-name>spnego.logger.level</param-name>
            <param-value>1</param-value>
        </init-param>
    </filter>

    <filter-mapping>
        <filter-name>SpnegoHttpFilter</filter-name>
        <url-pattern>*.jsp</url-pattern>
    </filter-mapping>

  <!-- ==================== Default Session Configuration ================= -->
  <!-- You can set the default session timeout (in minutes) for all newly   -->
  <!-- created sessions by modifying the value below.                       -->
Note that the directory where krb5.conf and login.conf are placed above is the default working directory of Tomcat after it starts. This matters because web.xml refers to them by bare relative names (krb5.conf, login.conf), which are resolved against that working directory.
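A pre-flight check for that last point, added here as an example and not part of the post or the spnego project: it reads the three files from this post (embedded inline as constructed copies, with web.xml trimmed to the filter element), resolves every relative file name against the Tomcat working directory, and cross-checks the principal's realm against krb5.conf. The assumption that keyTab in login.conf is resolved against the same working directory, and the `existing_files` set standing in for the file system so the check runs offline, are mine. It also flags spnego.allow.unsecure.basic=true, which permits Basic credentials over plain HTTP.

```python
import ntpath
import re
import xml.etree.ElementTree as ET

# Constructed copies of the files from this post (web.xml reduced to the SPNEGO filter element)
WEB_XML = """<web-app><filter>
<filter-name>SpnegoHttpFilter</filter-name>
<init-param><param-name>spnego.allow.basic</param-name><param-value>true</param-value></init-param>
<init-param><param-name>spnego.allow.unsecure.basic</param-name><param-value>true</param-value></init-param>
<init-param><param-name>spnego.krb5.conf</param-name><param-value>krb5.conf</param-value></init-param>
<init-param><param-name>spnego.login.conf</param-name><param-value>login.conf</param-value></init-param>
<init-param><param-name>spnego.login.server.module</param-name><param-value>spnego-server</param-value></init-param>
</filter></web-app>"""

LOGIN_CONF = """spnego-client {
com.sun.security.auth.module.Krb5LoginModule required;
};
spnego-server {
com.sun.security.auth.module.Krb5LoginModule required
isInitiator=false
storeKey=true
useKeyTab=true
keyTab="tomcat.keytab"
debug=true
principal="HTTP/wapp83.bib.biz@BIB.BIZ";
};"""

KRB5_CONF = """[libdefaults]
default_realm = BIB.BIZ
[realms]
BIB.BIZ = {
kdc = addom01.bib.biz:88
default_domain = bib.biz
}
[domain_realm]
.bib.biz = BIB.BIZ"""

TOMCAT_DIR = r"C:\Program Files (x86)\Apache Software Foundation\Tomcat 8.5"


def filter_params(web_xml, filter_name="SpnegoHttpFilter"):
    """Return the init-params of the named filter as a dict (empty <param-value/> -> "")."""
    for flt in ET.fromstring(web_xml).iter("filter"):
        if flt.findtext("filter-name") == filter_name:
            return {p.findtext("param-name"): p.findtext("param-value") or "" for p in flt.iter("init-param")}
    return {}


def login_entry(login_conf, name):
    """Return the key=value options of one JAAS login entry, or None if absent."""
    m = re.search(r"(?ms)^\s*" + re.escape(name) + r"\s*\{(.*?)^\s*\};", login_conf)
    if not m:
        return None
    return dict(re.findall(r'(\w+)\s*=\s*"?([^"\s;]+)"?', m.group(1)))


def krb5_realm(krb5_conf):
    """Return (default_realm, kdc for that realm) from krb5.conf; either may be None."""
    realm = re.search(r"(?m)^\s*default_realm\s*=\s*(\S+)", krb5_conf)
    if not realm:
        return None, None
    block = re.search(r"(?ms)^\s*" + re.escape(realm.group(1)) + r"\s*=\s*\{(.*?)^\s*\}", krb5_conf)
    kdc = re.search(r"(?m)^\s*kdc\s*=\s*(\S+)", block.group(1)) if block else None
    return realm.group(1), (kdc.group(1) if kdc else None)


def check_spnego_config(web_xml, login_conf, krb5_conf, work_dir, existing_files):
    """Return a list of (severity, message); existing_files is a set of Windows paths standing in for the disk."""
    findings = []
    present = {ntpath.normcase(p) for p in existing_files}

    def require_file(label, value):
        path = value if ntpath.isabs(value) else ntpath.join(work_dir, value)  # relative => JVM working dir
        if ntpath.normcase(path) not in present:
            findings.append(("error", f"{label}: {path} not found (relative names resolve against the working directory)"))

    params = filter_params(web_xml)
    for key in ("spnego.krb5.conf", "spnego.login.conf"):
        require_file(key, params[key]) if key in params else findings.append(("error", f"{key} not set"))

    realm, kdc = krb5_realm(krb5_conf)
    if kdc is None:
        findings.append(("error", f"no kdc configured for realm {realm}"))

    server = login_entry(login_conf, params.get("spnego.login.server.module", "spnego-server"))
    if server is None:
        findings.append(("error", "server login module entry not found in login.conf"))
    else:
        if "keyTab" in server:
            require_file("keyTab", server["keyTab"])
        principal = server.get("principal", "")
        if not principal.startswith("HTTP/"):
            findings.append(("warning", f"principal {principal!r} is not an HTTP/ service principal"))
        if "@" in principal and principal.rsplit("@", 1)[1] != realm:
            findings.append(("error", f"principal realm differs from default_realm {realm}"))

    if params.get("spnego.allow.unsecure.basic") == "true":
        findings.append(("warning", "spnego.allow.unsecure.basic=true: Basic credentials accepted over plain HTTP"))
    return findings


if __name__ == "__main__":
    files = {ntpath.join(TOMCAT_DIR, n) for n in ("krb5.conf", "login.conf")}  # keytab deliberately absent
    for severity, message in check_spnego_config(WEB_XML, LOGIN_CONF, KRB5_CONF, TOMCAT_DIR, files):
        print(f"[{severity}] {message}")
```

When Tomcat runs as a Windows service the working directory is normally the Tomcat root, which is why the post's layout works; if it is started differently, this check is the quickest way to see which relative name stopped resolving.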