我正在使用基于Windows域登录的SSO进行Web应用程序,为此我选择验证Kerberos票证.但是现在我遇到了一个我无法找到解决方案的问题.我设法验证没有异常的票证,但是当我试图获取userName时,抛出NullPointerException,因为用户名为null,我不知道问题出在哪里.
如果在验证期间没有出现任何异常,为什么用户名为null?
我如何获得userName:
String clientName = gssContext.getSrcName().toString();
我基于此创建了我的客户端:
更新1:
final Oid spnegoOid = new Oid("1.3.6.1.5.5.2");
GSSManager gssmgr = GSSManager.getInstance();
// tell the GSSManager the Kerberos name of the service
GSSName serviceName = gssmgr.createName(this.servicePrincipal, GSSName.NT_USER_NAME);
// get the service's credentials. note that this run() method was called by Subject.doAs(),
// so the service's credentials (Service Principal Name and password) are already
// available in the Subject
GSSCredential serviceCredentials = gssmgr.createCredential(serviceName,
GSSCredential.INDEFINITE_LIFETIME, spnegoOid, GSSCredential.ACCEPT_ONLY);
// create a security context for decrypting the service ticket
GSSContext gssContext = gssmgr.createContext(serviceCredentials);
// decrypt the service ticket
System.out.println("Entering accpetSecContext...");
System.out.println( new String (Base64.encodeBase64( gssContext.acceptSecContext(this.kerberosTicket, 0,
this.kerberosTicket.length) ) ));
// get the client name from the decrypted service ticket
// note that Active Directory created the service ticket, so we can trust it
String clientName = gssContext.getSrcName().toString();
更新2:
java.lang.NullPointerException at
org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator$KerberosValidateAction.run(SunJaasKerberosTicketValidator.java:136)
at
org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator$KerberosValidateAction.run(SunJaasKerberosTicketValidator.java:125)
at java.security.AccessController.doPrivileged(Native Method) at
javax.security.auth.Subject.doAs(Subject.java:422)
private static class KerberosValidateAction implements PrivilegedExceptionAction {
byte[] kerberosTicket;
public KerberosValidateAction(byte[] kerberosTicket) {
this.kerberosTicket = kerberosTicket;
}
@Override
public String run() throws Exception {
GSSContext context = GSSManager.getInstance().createContext((GSSCredential) null);
context.acceptSecContext(kerberosTicket, 0, kerberosTicket.length);
String user = context.getSrcName().toString(); // ERROR!
context.dispose();
return user;
}
}
更新3:
更新4:
首先.不要使用Java 1.8 b40和b45,它们都破坏了.并且不要在本地PC上测试它,它不起作用(我不知道为什么).
更改了最新的(b65)Java版本后,我得到了关于encription的异常(无法找到适当类型的密钥来解密AP REP – AES256 ……).我已经通过Java Cryptography Extension(JCE)修复了Java 1.8,并在我得到异常之后用/ crypto AES256-SHA1重新创建了keytab:
GSSException: Failure unspecified at GSS-API level (Mechanism level:
Checksum failed) at
sun.security.jgss.krb5.Krb5Context.acceptSecContext(Unknown Source) at
sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source) at
sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source) at
GssServer$GssServerAction.run(GssServer.java:159)
… 4 more
Caused by: KrbException: Checksum failed at
sun.security.krb5.internal.crypto.ArcFourHmacEType.decrypt(Unknown
Source) at
sun.security.krb5.internal.crypto.ArcFourHmacEType.decrypt(Unknown
Source) at sun.security.krb5.EncryptedData.decrypt(Unknown Source) at
sun.security.krb5.KrbApReq.authenticate(Unknown Source) at
sun.security.krb5.KrbApReq.(Unknown Source) at
sun.security.jgss.krb5.InitSecContextToken.(Unknown Source)
… 8 more
Caused by: java.security.GeneralSecurityException: Checksum
failed at
sun.security.krb5.internal.crypto.dk.ArcFourCrypto.decrypt(Unknown
Source) at
sun.security.krb5.internal.crypto.ArcFourHmac.decrypt(Unknown Source)
… 14 more
我尝试了this tutorial和其他方式来创建keytabfile,但我仍然没有解决方案.