那些遇到过的问题

Java SSO windows AD spring4 - 协商头无效:

Grz*_*cik 6 java linux spring tomcat single-sign-on

嗨,我正在尝试使用 JAVA 和 spring 设置 SSO。为此,我正在使用此文档:http : //docs.spring.io/spring-security-kerberos/docs/1.0.0.RELEASE/reference/htmlsingle/ 和第 3 段中的代码。Spnego Negotiate。

但它不起作用我收到错误:

org.springframework.security.kerberos.web.authentication.SpnegoAuthenticationProcessingFilter doFilter
WARNING: Negotiate Header was invalid: Negotiate YIIGywYGKwYBBQUCoIIGvzCCBrugMDAuBgkqhkiC9xIBAgIGCSqGSIb3EgECAgYKKwYBBAGCNwICHgYKKwYBBAGCNwICCqKCBoUEggaBYIIGfQYJKoZIhvcSAQICAQBuggZsMIIGaKADAgEFoQMCAQ6iBwMFACAAAACjggTtYYIE6TCCBOWgAwIBBaENGwtCSVVSTy5MT0NBTKIiMCCgAwIBAqEZMBcbBEhUVFAbD3ZtaS5iaXVyby5sb2NhbKOCBKkwggSloAMCARehAwIBDqKCBJcEggSTURM5n5gBXc6mVdBmyns4DHBkvw0gqD1GxkYQQx8dWb/upu5sopCPZoxsir970evZKg6/3iDSOyQuGDzjK1xl0Sqma+VNy4ZB9bA5RVCFMZqQT2poicYhaKQbkjazG6GeGUYh7NS91g9qqLXYXtI+jeoOPIDwMCAjaEuq4bRN/JqOIZFLinK2qwEM7h62kRVoqF48cxVHdG+chwLzHCSorp1+ZimU00nkdLk/WjDd88Om1K++735m2JsvGV4h5eSYiZ19fDF5fpbyDOMk4k2g26IuNeg8VNZhC2MjEi47IiteDu+gJKUopjmv1PZ26rtNL78Oawygcxk9F2uIBUoOsCX0S9Nl2aNjfzIxWPlQ0w4kwFCDmsdbzEHD7mfZhNIWQd0CJEhJ+6lrxAXGM7nq86kcFXVE/329G9/HiRtTrnHTwCF4AJCMt4im2OaEjFewgRQZwOqxT72/bGLsbOxYws6Qj0pVJhiXhmRDJiirfjXSzevMp1NANgrfQmlFD+W/d2lY8gPLNQmGGNwmY5TQcdngsxI7ALVB1v8acegka+9AxO3b+ElypvjePVbhZYH6t6AcJlwu4M7Kka94zDtA0ZTWBLmUCHEh8e470zMj+H8kUo6gKSDe+tOrtEjmlGHEiJbg2w/0BcpVUtBqmMTeq7Vf0UvGwBK7JZy6GdWJTDMYpJUD+8w9UEb+GTWCEDfboQcxCIs8ny6qKK8e92BvIrYgm2jAZM2y4VsOSdfPb21bYHhJybtDVvlLpAVlCY/L0NvcIgNWTdi8UCD7OfROCqqjU2B+eftR+1vmhzb7PT/tDm8TXHFcLyNE7W5W/Tp1ncRpq1T7nWbdmefZe8StyfcmxvOje1uMNShWNY3yJFFUUHKsxuz5mvH4tklaPFof7VW1PNTAqAimdCNRIBoWBg7FSKcBnsqOnJoNv8qpvN9nLDwOTlMt3aIREgUxFgLBx2kvU1GbsbhGk10MWZqz/23Xz8BKPmZrE4cTDyCUasKp+7VOkGLDtVtxnLM1vQE1AD8pDRRkrF/EaK3fTNvpsV2dTIzFjFSS89HOGTH8TuNMcnAfFJcn/FRgEI/BJQLDSNB3MRfR+2CwmOaB1rB+iYthTDnd965Y4GpKfE7PpYrYrPiXznZ+oG2JFt/KwGuPAp54x68PgbFNyi+g5fixfsn9o0iGo8UNn6XRNMpZT55jODkIEATZhDWIpPsDMvOnc0wIYZt2Trc0K+By/drx+hfMYNgFnLCoJZOIbjEEneYKbBdkxeVKjUrHILzucfYSu+Eq5He6r9fHTDkHOR23Bn7PmQGZQ8gu7zP7NQE7qvABA8Le4TPWmBGVmnZqYJKlyufFMUmIIuosx6Fe/pBV9+L+fMPuGcbUgFINvYWHavKk3fWWHyfS+bWhphZxoCQ59HpfvVQ4lCvAnd8c5s/tEVgD+1Sek84zRVh76cCsYa/6ybCNKeHveEJJGcZ6mX7KT3EVzByifgTskk1vieYIoPGCoB67x/h8gZDDXiFboSwNIrXCu2qL5WKuAAAr1eyfh6i+zQC5Nw1SoTggdFE0hmLeCqSCAWAwggFcoAMCAReiggFTBIIBT5hccN26LqNklPkMvzsPMEa1y0OIs/pZHZG8ZvCpgxLmu2wpPpt9F2hy+sXsBgI63x/ZzS6z6omPMM8g1PdDjUQazYvSly3LKY7I/FX8sq1pRjtXqm0bG5UMk9pcB9t38jpYW/XwZvACJava+6kmyZxiK/jG8yMrsHokmEnIKUu7TPMgFxkBqJx7yZU63LYp55jlyX+eWnGYC533pjB1nsWMKy5uMUbYungzrj6qB/q4OMaUNmApNX0OSCPjNYOm0ruvA/A2F7ZuoBSkiztTWgRsuPQuyFE0cU1naqjmVllFEX8ThCXxYwjigU6Ms5mQ6HYddCXSFE5/LCSqafJAj4v3CNmefvUNez+dK/ibzPjiGGYQMaZHtrRgLtierTdAmelHIU8wkl5OOOePYLjqUMUVZMA3V+4Eb5nv1eyGI44ltdCNfJME/OEYecl+ICC1
org.springframework.security.authentication.BadCredentialsException: GSSContext name of the context initiator is null
        at org.springframework.security.kerberos.authentication.sun.SunJaasKerberosTicketValidator$KerberosValidateAction.run(SunJaasKerberosTicketValidator.java:165)
        at org.springframework.security.kerberos.authentication.sun.SunJaasKerberosTicketValidator$KerberosValidateAction.run(SunJaasKerberosTicketValidator.java:152)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.Subject.doAs(Subject.java:422)
        at org.springframework.security.kerberos.authentication.sun.SunJaasKerberosTicketValidator.validateTicket(SunJaasKerberosTicketValidator.java:67)
        at org.springframework.security.kerberos.authentication.KerberosServiceAuthenticationProvider.authenticate(KerberosServiceAuthenticationProvider.java:64)
        at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:167)
        at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:192)
        at org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter$AuthenticationManagerDelegator.authenticate(WebSecurityConfigurerAdapter.java:456)
        at org.springframework.security.kerberos.web.authentication.SpnegoAuthenticationProcessingFilter.doFilter(SpnegoAuthenticationProcessingFilter.java:145)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
        at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:205)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
        at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:120)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
        at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:64)
        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
        at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:91)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
        at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:53)
        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
        at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:213)
        at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:176)
        at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:344)
        at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:261)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:219)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:106)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:142)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
        at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:617)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:518)
        at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1091)
        at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:668)
        at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1521)
        at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1478)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
        at java.lang.Thread.run(Thread.java:745)
Run Code Online (Sandbox Code Playgroud)

我的设置是:

服务器:Windows Server 2012 R2 客户端:Windows 8.0 Java 服务器:Tomcat 8 on debian 所有机器都在虚拟机中,只有内部网络。

Windows 服务器设置:

IP:10.0.0.1

添加到 DNS 的 vmi.biuro.local

还为帐户设置 spn:

setspn -A HTTP/vmi.biuro.local vmi
Run Code Online (Sandbox Code Playgroud)

Keytab 文件是由此命令生成的(在 Windows 服务器下),也尝试不使用 /kvno:

ktpass /out c:\wrzuta\vmi.keytab /mapuser vmi@BIURO.LOCAL /princ HTTP/vmi.biuro.local@BIURO.LOCAL /pass ZAQ!2wsx /ptype KRB5_NT
_PRINCIPAL /crypto All /kvno 0
Run Code Online (Sandbox Code Playgroud)

Linux tomcat服务器:

IP:10.0.0.3

在linux机器下,我可以使用keytab文件来kinit:

root@debian:/# kinit -kt vmi.keytab HTTP/vmi.biuro.local@BIURO.LOCAL
root@debian:/# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: HTTP/vmi.biuro.local@BIURO.LOCAL

Valid starting       Expires              Service principal
17.07.2015 10:06:03  17.07.2015 20:06:03  krbtgt/BIURO.LOCAL@BIURO.LOCAL
        renew until 18.07.2015 10:06:03
Run Code Online (Sandbox Code Playgroud)

客户:

IP:10.0.0.2

在 Internet Explorer 中,我将域添加到受信任的站点。当我在浏览器中浏览安全内容时,它会显示基本的身份验证登录表单,当我输入有效的帐户详细信息时,出现上述错误。当我在基本身份验证弹出窗口中点击取消时,我得到 html 登录表单,当我输入正确的数据时,我登录成功,在日志下我有:

Debug is  true storeKey true useTicketCache false useKeyTab false doNotPrompt false ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false
                [Krb5LoginModule] user entered username: grzesiek

principal is grzesiek@BIURO.LOCAL
EncryptionKey: keyType=17 keyBytes (hex dump)=0000: 4B 83 C0 91 5E E5 73 6E   01 3B 2C BC E9 56 DA B1  K...^.sn.;,..V..

EncryptionKey: keyType=16 keyBytes (hex dump)=0000: D5 E3 D0 F4 19 7A FB 94   E6 E5 B0 2A C8 2C 75 1A  .....z.....*.,u.
0010: 98 76 97 E3 70 9D A4 46                            .v..p..F

EncryptionKey: keyType=23 keyBytes (hex dump)=0000: 83 ED 52 4F AE E6 25 B9   40 6A B5 DE D4 7D 4A 21  ..RO..%.@j....J!

Added server's keyKerberos Principal grzesiek@BIURO.LOCALKey Version 0key EncryptionKey: keyType=17 keyBytes (hex dump)=
0000: 4B 83 C0 91 5E E5 73 6E   01 3B 2C BC E9 56 DA B1  K...^.sn.;,..V..


                [Krb5LoginModule] added Krb5Principal  grzesiek@BIURO.LOCAL to Subject
Added server's keyKerberos Principal grzesiek@BIURO.LOCALKey Version 0key EncryptionKey: keyType=16 keyBytes (hex dump)=
0000: D5 E3 D0 F4 19 7A FB 94   E6 E5 B0 2A C8 2C 75 1A  .....z.....*.,u.
0010: 98 76 97 E3 70 9D A4 46                            .v..p..F


                [Krb5LoginModule] added Krb5Principal  grzesiek@BIURO.LOCAL to Subject
Added server's keyKerberos Principal grzesiek@BIURO.LOCALKey Version 0key EncryptionKey: keyType=23 keyBytes (hex dump)=
0000: 83 ED 52 4F AE E6 25 B9   40 6A B5 DE D4 7D 4A 21  ..RO..%.@j....J!


                [Krb5LoginModule] added Krb5Principal  grzesiek@BIURO.LOCAL to Subject
Commit Succeeded

                [Krb5LoginModule]: Entering logout
                [Krb5LoginModule]: logged out Subject
Run Code Online (Sandbox Code Playgroud)

nag*_*a.c 2

在 Linux 上,krb5.confKerberos 配置文件必须在某个位置可用/etc/krb5.conf,或者应使用 -Djava.security.krb5.conf=/path/to/krb5.conf选项传递路径。

归档时间:

查看次数:

5524 次

最近记录:

9 年,12 月 前
相关归档
java:将float转换为String,将String转换为float 206
如何将Reader转换为InputStream,将Writer转换为OutputStream? 87
Ant使用的是错误的java版本 68
为什么我的onResume被调用两次? 47
docker-compose up导致"客户端和服务器没有相同的版本(客户端:1.14,服务器:1.12)"错误,但客户端和服务器具有相同的版本 39
收到的Cookie标头包含无效的Cookie. 15
如何通过 Rust 在 Mac OS 上交叉编译 openssL 库? 14
Mavericks,RBENV,您的Ruby版本是2.0.0,但您的Gemfile指定为2.1.1 9
在HTTP 307的情况下上传文件 7
用Tomcat和Hibernate一起使用JBoss进行Hibernate 5
难疑归档
为什么GCC不优化a*a*a*a*a*a到(a*a*a)*(a*a*a)? 2083
如何在Python中小写一个字符串? 1908
使用jQuery中止Ajax请求 1775
如何为C#Auto-Property提供默认值? 1773
如何退出PostgreSQL命令行实用程序:psql 1770
你如何改变用matplotlib绘制的数字的大小? 1726
如何在JavaScript中将数字格式化为美元货币字符串? 1711
静态类和单例模式之间的区别? 1708
UNION和UNION ALL有什么区别? 1350
AngularJS中指令范围内的'@'和'='有什么区别? 1053