Jus*_*tin 5 encryption tomcat spnego http-headers
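I am implementing spnego SSO authentication on a Linux Tomcat 7.0 install, following along with the examples at http://spnego.sourceforge.net/index.html. I got past the pre-flight checklist, and actually got it to where it is passing back and forth with 'BASIC' tickets in Firefox.
However, when using the "Negotiate" Authorization header, I get the following error message in catalina.out: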
INFO: Error parsing HTTP request header
This happens both in IE and when simulating the request in soapUI. The response sent back to both is:
400 Bad Request
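As I said, it works in Firefox, but only partially: it prompts for a login there and proceeds with 'Basic' authentication. (At least it did, until I turned that off in the web.xml filter configuration, so I know those configurations are being read.)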
I'm using the following enctypes:
default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts des3-cbc-sha1 des-cbc-md5 des-cbc-crc arcfour-hmac-md5
default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts des3-cbc-sha1 des-cbc-md5 des-cbc-crc arcfour-hmac-md5
permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts des3-cbc-sha1 des-cbc-md5 des-cbc-crc arcfour-hmac-md5
I suspect it has something to do with the 256 encryption, but I did download the unrestricted encryption jars and put them into my Java lib/security folder, as described in the following:
http://docs.oracle.com/javase/7/docs/technotes/guides/security/jgss/jgss-features.html
However that did fix the issue (unless there is something there I am missing). I have searched extensively for the 'Error parsing...' HTTP error which shows up in the catalina.out file, but have not found the solution. The other settings (realm, domain, etc.) seem to be working fine, as I have modified them and gotten different, more specific errors.
Any ideas on the INFO: Error parsing HTTP request header error?
This is an internal corporate environment, and SSO has already been successfully implemented with httpd but we would like to move away from that to an all-tomcat solution.
Jus*_*tin 12
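Finally solved this. It turns out that the "Negotiate" Authorization header pushes the size of the header past the default 8 KB maximum in Tomcat, which results in the misleading error. (I would have thought a more useful error message would be "Max header size reached".)
Anyhow, I found the solution described in the following answer on serverfault.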
https://serverfault.com/questions/56691/whats-the-maximum-url-length-in-tomcat
For completeness:
<Connector port="8080" maxHttpHeaderSize="65536" protocol="HTTP/1.1" ... />
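A way to check in advance whether a Negotiate request fits under each connector's limit, as an added example that is not part of the original answer or of Tomcat. The server.xml fragment, host name, token lengths and function names are constructed for illustration, and it assumes the limit applies to the request line plus all headers.

```python
import xml.etree.ElementTree as ET

TOMCAT_DEFAULT_MAX_HEADER = 8192  # the 8 KB default named in the answer

# Constructed sample: one connector on the default limit, one raised to 65536.
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" />
  <Connector port="8081" protocol="HTTP/1.1" maxHttpHeaderSize="65536" />
</Service></Server>"""

def connector_limits(server_xml):
    """Map each Connector port to its effective maxHttpHeaderSize in bytes."""
    root = ET.fromstring(server_xml)
    return {int(c.get("port")): int(c.get("maxHttpHeaderSize", TOMCAT_DEFAULT_MAX_HEADER))
            for c in root.iter("Connector")}

def negotiate_header_bytes(token_len):
    """Wire size of 'Authorization: Negotiate <base64 token>' plus CRLF."""
    b64_len = 4 * ((token_len + 2) // 3)  # padded base64 length of the raw token
    return len("Authorization: Negotiate ") + b64_len + 2

def request_head_bytes(request_line, headers, token_len):
    """Request line + other headers + Negotiate header + terminating blank line."""
    size = len(request_line) + 2
    size += sum(len(k) + 2 + len(v) + 2 for k, v in headers.items())  # "k: v\r\n"
    return size + negotiate_header_bytes(token_len) + 2

def fits(server_xml, request_line, headers, token_len):
    """Per connector port: does the request head fit under the limit?"""
    size = request_head_bytes(request_line, headers, token_len)
    return {port: size <= limit
            for port, limit in connector_limits(server_xml).items()}

if __name__ == "__main__":
    # Constructed request; token lengths are illustrative raw SPNEGO token sizes.
    line, hdrs = "GET /app/ HTTP/1.1", {"Host": "tomcat.example.internal:8080"}
    for token_len in (1500, 7000):
        print(token_len, request_head_bytes(line, hdrs, token_len),
              fits(SAMPLE_SERVER_XML, line, hdrs, token_len))
```

Kerberos service tickets issued by Active Directory grow with the user's group memberships, so measure the largest tokens seen in the environment before choosing a value for maxHttpHeaderSize.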