Implementing Negotiate authentication in Java: Java SSO, Windows AD, Spring 4 - Negotiate Header was invalid

Hi, I'm trying to set up SSO using Java and Spring. For this I'm using this document: http://docs.spring.io/spring-security-kerberos/docs/1.0.0.RELEASE/reference/htmlsingle/

and the code from section 3, SPNEGO Negotiate.

But it doesn't work; I get the error:

org.springframework.security.kerberos.web.authentication.SpnegoAuthenticationProcessingFilter doFilter
WARNING: Negotiate Header was invalid: Negotiate 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
org.springframework.security.authentication.BadCredentialsException: GSSContext name of the context initiator is null
    at org.springframework.security.kerberos.authentication.sun.SunJaasKerberosTicketValidator$KerberosValidateAction.run(SunJaasKerberosTicketValidator.java:165)
    at org.springframework.security.kerberos.authentication.sun.SunJaasKerberosTicketValidator$KerberosValidateAction.run(SunJaasKerberosTicketValidator.java:152)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAs(Subject.java:422)
    at org.springframework.security.kerberos.authentication.sun.SunJaasKerberosTicketValidator.validateTicket(SunJaasKerberosTicketValidator.java:67)
    at org.springframework.security.kerberos.authentication.KerberosServiceAuthenticationProvider.authenticate(KerberosServiceAuthenticationProvider.java:64)
    at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:167)
    at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:192)
    at org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter$AuthenticationManagerDelegator.authenticate(WebSecurityConfigurerAdapter.java:456)
    at org.springframework.security.kerberos.web.authentication.SpnegoAuthenticationProcessingFilter.doFilter(SpnegoAuthenticationProcessingFilter.java:145)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
    at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:205)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
    at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:120)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
    at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:64)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
    at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:91)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
    at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:53)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
    at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:213)
    at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:176)
    at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:344)
    at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:261)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:219)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:106)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:142)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
    at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:617)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:518)
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1091)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:668)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1521)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1478)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:745)

My setup is:

Server: Windows Server 2012 R2
Client: Windows 8.0
Java server: Tomcat 8 on Debian

All machines are VirtualBox VMs on an internal network only.

Windows server setup:

IP: 10.0.0.1
Added vmi.biuro.local to DNS.
Also set the SPN for the account:

setspn -A HTTP/vmi.biuro.local vmi

The keytab file was generated with this command (on the Windows server); I also tried it without /kvno:

ktpass /out c:\wrzuta\vmi.keytab /mapuser vmi@BIURO.LOCAL /princ HTTP/vmi.biuro.local@BIURO.LOCAL /pass ZAQ!2wsx /ptype KRB5_NT_PRINCIPAL /crypto All /kvno 0

Linux Tomcat server:

IP: 10.0.0.3

On the Linux machine I can kinit with the keytab file:

root@debian:/# kinit -kt vmi.keytab HTTP/vmi.biuro.local@BIURO.LOCAL
root@debian:/# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: HTTP/vmi.biuro.local@BIURO.LOCAL

Valid starting       Expires              Service principal
17.07.2015 10:06:03  17.07.2015 20:06:03  krbtgt/BIURO.LOCAL@BIURO.LOCAL
        renew until 18.07.2015 10:06:03

Client:

IP: 10.0.0.2

In Internet Explorer I added the domain to trusted sites.

When I browse the secured content in the browser it shows a basic authentication login form, and when I enter valid account details I get the error mentioned above.

When I cancel the basic auth popup I get the HTML login form, and when I enter the correct data I log in successfully and in the log I have:

Debug is true storeKey true useTicketCache false useKeyTab false doNotPrompt false ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false
[Krb5LoginModule] user entered username: grzesiek
principal is grzesiek@BIURO.LOCAL
EncryptionKey: keyType=17 keyBytes (hex dump)=0000: 4B 83 C0 91 5E E5 73 6E 01 3B 2C BC E9 56 DA B1 K...^.sn.;,..V..
EncryptionKey: keyType=16 keyBytes (hex dump)=0000: D5 E3 D0 F4 19 7A FB 94 E6 E5 B0 2A C8 2C 75 1A .....z.....*.,u.
0010: 98 76 97 E3 70 9D A4 46 .v..p..F
EncryptionKey: keyType=23 keyBytes (hex dump)=0000: 83 ED 52 4F AE E6 25 B9 40 6A B5 DE D4 7D 4A 21 ..RO..%.@j....J!
Added server's keyKerberos Principal grzesiek@BIURO.LOCALKey Version 0key EncryptionKey: keyType=17 keyBytes (hex dump)=
0000: 4B 83 C0 91 5E E5 73 6E 01 3B 2C BC E9 56 DA B1 K...^.sn.;,..V..
[Krb5LoginModule] added Krb5Principal grzesiek@BIURO.LOCAL to Subject
Added server's keyKerberos Principal grzesiek@BIURO.LOCALKey Version 0key EncryptionKey: keyType=16 keyBytes (hex dump)=
0000: D5 E3 D0 F4 19 7A FB 94 E6 E5 B0 2A C8 2C 75 1A .....z.....*.,u.
0010: 98 76 97 E3 70 9D A4 46 .v..p..F
[Krb5LoginModule] added Krb5Principal grzesiek@BIURO.LOCAL to Subject
Added server's keyKerberos Principal grzesiek@BIURO.LOCALKey Version 0key EncryptionKey: keyType=23 keyBytes (hex dump)=
0000: 83 ED 52 4F AE E6 25 B9 40 6A B5 DE D4 7D 4A 21 ..RO..%.@j....J!
[Krb5LoginModule] added Krb5Principal grzesiek@BIURO.LOCAL to Subject
Commit Succeeded
[Krb5LoginModule]: Entering logout
[Krb5LoginModule]: logged out Subject
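The "Negotiate Header was invalid" warning in the question is logged by SpnegoAuthenticationProcessingFilter when the token it extracts from the Authorization: Negotiate header fails ticket validation in SunJaasKerberosTicketValidator. A useful first check before changing the keytab or SPN again is to look at what the browser actually sent: a SPNEGO NegTokenInit that offers Kerberos, a raw Kerberos token, or an NTLM token, which a Kerberos-only validator cannot accept and which a Windows client falls back to when it could not obtain a service ticket for the SPN. The Python script below is an added example, not code from the question or from Spring Security Kerberos; it parses the DER framing of the token and reports which mechanisms were offered. The sample headers it builds are constructed for the demonstration, not captured from this setup; the mechanism OIDs are the standard ones.

```python
"""Classify the token in an HTTP 'Authorization: Negotiate <base64>' header (added example)."""
import base64

# Well-known GSS mechanism OIDs in dotted form.
MECH_NAMES = {
    "1.3.6.1.5.5.2": "SPNEGO",
    "1.2.840.113554.1.2.2": "Kerberos V5",
    "1.2.840.48018.1.2.2": "MS Kerberos V5 (legacy OID)",
    "1.3.6.1.4.1.311.2.2.10": "NTLMSSP",
}


def _read_tlv(buf, pos):
    """Read one DER TLV starting at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(raw):
    """DER OID contents -> dotted string (first byte packs the first two arcs)."""
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def classify_negotiate_header(header_value):
    """Describe the token in an Authorization header value as a dict with a 'kind' key."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64:
        return {"kind": "not-negotiate"}
    token = base64.b64decode(b64)
    if token.startswith(b"NTLMSSP\x00"):  # bare NTLM message, no GSS framing at all
        return {"kind": "raw-ntlm"}
    if not token or token[0] != 0x60:  # GSS initial tokens start with [APPLICATION 0]
        return {"kind": "unknown"}
    _, body, _ = _read_tlv(token, 0)
    tag, oid_raw, pos = _read_tlv(body, 0)
    if tag != 0x06:
        return {"kind": "unknown"}
    mech = _decode_oid(oid_raw)
    if mech != "1.3.6.1.5.5.2":  # not SPNEGO: a single mechanism's own token
        return {"kind": "raw-gss", "mech": MECH_NAMES.get(mech, mech)}
    tag, neg, _ = _read_tlv(body, pos)  # NegotiationToken: [0] init or [1] resp
    if tag != 0xA0:
        return {"kind": "spnego-resp"}
    _, seq, _ = _read_tlv(neg, 0)  # NegTokenInit SEQUENCE
    tag, mechlist, _ = _read_tlv(seq, 0)  # [0] mechTypes
    offered = []
    if tag == 0xA0:
        _, oids, _ = _read_tlv(mechlist, 0)  # SEQUENCE OF MechType
        p = 0
        while p < len(oids):
            _, oid_raw, p = _read_tlv(oids, p)
            dotted = _decode_oid(oid_raw)
            offered.append(MECH_NAMES.get(dotted, dotted))
    return {"kind": "spnego-init", "mechs": offered}


def kerberos_offered(header_value):
    """True if the token is something a Kerberos-only validator could accept."""
    info = classify_negotiate_header(header_value)
    krb = ("Kerberos", "MS Kerberos")
    if info["kind"] == "raw-gss":
        return info["mech"].startswith(krb)
    return info["kind"] == "spnego-init" and any(m.startswith(krb) for m in info["mechs"])


# --- constructed sample tokens (not captured from the asker's environment) ---
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(reversed(chunk))
    return _der(0x06, bytes(out))


def sample_spnego_header(mechs=("1.2.840.48018.1.2.2", "1.2.840.113554.1.2.2",
                               "1.3.6.1.4.1.311.2.2.10")):
    """Constructed NegTokenInit offering the given mechanisms, with a dummy mechToken."""
    mech_types = _der(0x30, b"".join(_encode_oid(o) for o in mechs))
    neg_init = _der(0x30, _der(0xA0, mech_types) + _der(0xA2, _der(0x04, b"\x00" * 8)))
    token = _der(0x60, _encode_oid("1.3.6.1.5.5.2") + _der(0xA0, neg_init))
    return "Negotiate " + base64.b64encode(token).decode()


def sample_ntlm_header():
    """Constructed bare NTLMSSP message, the shape seen when a client has fallen back to NTLM."""
    return "Negotiate " + base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00" + b"\x00" * 20).decode()


if __name__ == "__main__":
    for h in (sample_spnego_header(), sample_spnego_header(("1.3.6.1.4.1.311.2.2.10",)),
              sample_ntlm_header()):
        print(classify_negotiate_header(h), "kerberos_offered:", kerberos_offered(h))
```

To use it on a live request, copy the Authorization header value from the browser's developer tools or from a Tomcat access log with headers enabled and pass it to classify_negotiate_header. If the result is raw-ntlm, or spnego-init with only NTLMSSP offered, the client never obtained a Kerberos service ticket for HTTP/vmi.biuro.local, so the place to look is SPN registration and the browser's zone settings rather than the keytab on the Tomcat side.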
