我在使用 Spring Security Kerberos/SPNEGO Extension 示例时遇到了麻烦。我在用:
- 窗口 2008
- 雄猫 7
- Spring Security Kerberos/SPNEGO 扩展
- 1.7 jdk1.7.0_09
我正在使用此博客设置示例: http: //blog.springsource.com/2009/09/28/spring-security-kerberos/ 所以我开始:在 Windows 2008 服务器中,我使用命令创建了主体:
C:\>ktpass -princ HTTP/XENA2.mydomain.org@MYDOMAIN.ORG -pass xena2 -mapuser MYDOMAIN\xena2 -out c:\xena2.keytab -kvno 0 -ptype KRB5_NT_PRINCIPAL -mapop set -crypto All
并得到了这个结果:
Targeting domain controller: SERVAS.mydomain.org
Using legacy password setting method
Successfully mapped HTTP/XENA2.mydomain.org to xena2.
Key created.
Key created.
Key created.
Key created.
Key created.
Output keytab to c:\xena2.keytab:
Keytab version: 0x502
keysize 59 HTTP/XENA2.mydomain.org@MYDOMAIN.ORG ptype 1 (KRB5_NT_PRINCIPAL) vno 0 etype 0x1 (DES-CBC-CRC) keylength 8 (0xa8fbb6cde346579e)
keysize 59 HTTP/XENA2.mydomain.org@MYDOMAIN.ORG ptype 1 (KRB5_NT_PRINCIPAL) vno 0 etype 0x3 (DES-CBC-MD5) keylength 8 (0xa8fbb6cde346579e)
keysize 67 HTTP/XENA2.mydomain.org@MYDOMAIN.ORG ptype 1 (KRB5_NT_PRINCIPAL) vno 0 etype 0x17 (RC4-HMAC) keylength 16 (0x9200ac342847bbeb60bdc8a5821a5fac)
keysize 83 HTTP/XENA2.mydomain.org@MYDOMAIN.ORG ptype 1 (KRB5_NT_PRINCIPAL) vno 0 etype 0x12 (AES256-SHA1) keylength 32 (0x904dbaf53675f18254aaacdcef91cd29f5bb0a3d10919b983c76b9f00014d966)
keysize 67 HTTP/XENA2.mydomain.org@MYDOMAIN.ORG ptype 1 (KRB5_NT_PRINCIPAL) vno 0 etype 0x11 (AES128-SHA1) keylength 16 (0x56fd36768f184efeb729eb8b22c4c168)
之后,我将 xena2.keytab 文件复制到计算机(XENA2)并测试与服务器的连接:
C:\>kinit HTTP/XENA2.mydomain.org@MYDOMAIN.ORG -k -t xena2.keytab
New ticket is stored in cache file C:\Users\xena2\krb5cc_xena2
直到现在对我来说都很好。
向 Tomcat 启动添加变量:
-Djava.security.krb5.conf=C:\krb5.conf
-Djava.security.krb5.realm=MYDOMAIN.ORG
-Djava.security.krb5.kdc=servas.MYDOMAIN.ORG
在 C: 磁盘中创建文件krb5.conf :
[libdefaults]
default_realm = MYDOMAIN.ORG
default_tkt_enctypes = aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc
default_tgs_enctypes = aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc
permitted_enctypes = aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc
[realms]
MYDOMAIN.ORG = {
kdc = servas.mydomain.org
default_domain = MYDOMAIN.ORG
}
[domain_realm]
.MYDOMAIN.ORG = MYDOMAIN.ORG
像这样更新spnego.xml文件:
<property name="servicePrincipal" value="HTTP/XENA2.mydomain.org@MYDOMAIN.ORG" />
<property name="keyTabLocation" value="classpath:xena2.keytab" />
也试过:
<property name="keyTabLocation" value="FILE:C:/xena2.keytab" />
将项目部署到 tomcat 运行它(在与服务器不同的计算机上),进入受限位置,写入用户并通过并得到 HTTP 500 错误。日志文件看起来像这样(有点清理):
2012-10-26 15:48:25 Commons Daemon procrun stdout initialized
Root WebApplicationContext: initialization started
Refreshing Root WebApplicationContext: startup date [Fri Oct 26 15:48:28 EEST 2012]; root of context hierarchy
Loading XML bean definitions from ServletContext resource [/WEB-INF/spnego.xml]
Using JAXP provider [com.sun.org.apache.xerces.internal.jaxp.DocumentBuilderFactoryImpl]
Loading schema mappings from [META-INF/spring.schemas]
Loaded schema mappings: {http://www.springframework.org/schema/util/spring-util.xsd=org/springframework/beans/factory/xml/spring-util-3.0.xsd, http://www.springframework.org/schema/task/spring-task.xsd=org/springframework/scheduling/config/spring-task-3.0.xsd, http://www.springframework.org/schema/security/spring-security-2.0.2.xsd=org/springframework/security/config/spring-security-2.0.2.xsd, http://www.springframework.org/schema/aop/spring-aop-3.0.xsd=org/springframework/aop/config/spring-aop-3.0.xsd, http://www.springframework.org/schema/aop/spring-aop-2.0.xsd=org/springframework/aop/config/spring-aop-2.0.xsd, http://www.springframework.org/schema/tool/spring-tool-2.5.xsd=org/springframework/beans/factory/xml/spring-tool-2.5.xsd, http://www.springframework.org/schema/beans/spring-beans.xsd=org/springframework/beans/factory/xml/spring-beans-3.0.xsd, http://www.springframework.org/schema/jee/spring-jee-2.5.xsd=org/springframework/ejb/config/spring-jee-2.5.xsd, http://www.springframework.org/schema/aop/spring-aop.xsd=org/springframework/aop/config/spring-aop-3.0.xsd, http://www.springframework.org/schema/beans/spring-beans-2.0.xsd=org/springframework/beans/factory/xml/spring-beans-2.0.xsd, http://www.springframework.org/schema/beans/spring-beans-3.0.xsd=org/springframework/beans/factory/xml/spring-beans-3.0.xsd, http://www.springframework.org/schema/security/spring-security-2.0.1.xsd=org/springframework/security/config/spring-security-2.0.1.xsd, http://www.springframework.org/schema/task/spring-task-3.0.xsd=org/springframework/scheduling/config/spring-task-3.0.xsd, http://www.springframework.org/schema/security/spring-security-2.0.xsd=org/springframework/security/config/spring-security-2.0.xsd, http://www.springframework.org/schema/security/spring-security-3.0.xsd=org/springframework/security/config/spring-security-3.0.xsd, http://www.springframework.org/schema/tx/spring-tx-2.5.xsd=org/springframework/transaction/config/spring-tx-2.5.xsd, http://www.springframework.org/schema/context/spring-context-2.5.xsd=org/springframework/context/config/spring-context-2.5.xsd, http://www.springframework.org/schema/tool/spring-tool-3.0.xsd=org/springframework/beans/factory/xml/spring-tool-3.0.xsd, http://www.springframework.org/schema/tx/spring-tx.xsd=org/springframework/transaction/config/spring-tx-3.0.xsd, http://www.springframework.org/schema/tool/spring-tool-2.0.xsd=org/springframework/beans/factory/xml/spring-tool-2.0.xsd, http://www.springframework.org/schema/util/spring-util-2.5.xsd=org/springframework/beans/factory/xml/spring-util-2.5.xsd, http://www.springframework.org/schema/lang/spring-lang.xsd=org/springframework/scripting/config/spring-lang-3.0.xsd, http://www.springframework.org/schema/lang/spring-lang-2.5.xsd=org/springframework/scripting/config/spring-lang-2.5.xsd, http://www.springframework.org/schema/security/spring-security-2.0.4.xsd=org/springframework/security/config/spring-security-2.0.4.xsd, http://www.springframework.org/schema/jee/spring-jee-3.0.xsd=org/springframework/ejb/config/spring-jee-3.0.xsd, http://www.springframework.org/schema/jee/spring-jee-2.0.xsd=org/springframework/ejb/config/spring-jee-2.0.xsd, http://www.springframework.org/schema/security/spring-security.xsd=org/springframework/security/config/spring-security-3.0.xsd, http://www.springframework.org/schema/context/spring-context.xsd=org/springframework/context/config/spring-context-3.0.xsd, http://www.springframework.org/schema/jee/spring-jee.xsd=org/springframework/ejb/config/spring-jee-3.0.xsd, http://www.springframework.org/schema/aop/spring-aop-2.5.xsd=org/springframework/aop/config/spring-aop-2.5.xsd, http://www.springframework.org/schema/tx/spring-tx-2.0.xsd=org/springframework/transaction/config/spring-tx-2.0.xsd, http://www.springframework.org/schema/tx/spring-tx-3.0.xsd=org/springframework/transaction/config/spring-tx-3.0.xsd, http://www.springframework.org/schema/context/spring-context-3.0.xsd=org/springframework/context/config/spring-context-3.0.xsd, http://www.springframework.org/schema/tool/spring-tool.xsd=org/springframework/beans/factory/xml/spring-tool-3.0.xsd, http://www.springframework.org/schema/util/spring-util-3.0.xsd=org/springframework/beans/factory/xml/spring-util-3.0.xsd, http://www.springframework.org/schema/lang/spring-lang-3.0.xsd=org/springframework/scripting/config/spring-lang-3.0.xsd, http://www.springframework.org/schema/util/spring-util-2.0.xsd=org/springframework/beans/factory/xml/spring-util-2.0.xsd, http://www.springframework.org/schema/lang/spring-lang-2.0.xsd=org/springframework/scripting/config/spring-lang-2.0.xsd, http://www.springframework.org/schema/beans/spring-beans-2.5.xsd=org/springframework/beans/factory/xml/spring-beans-2.5.xsd}
Found XML schema [http://www.springframework.org/schema/beans/spring-beans-2.0.xsd] in classpath: org/springframework/beans/factory/xml/spring-beans-2.0.xsd
Found XML schema [http://www.springframework.org/schema/security/spring-security-3.0.xsd] in classpath: org/springframework/security/config/spring-security-3.0.xsd
Loading bean definitions
Loaded NamespaceHandler mappings: {http://www.springframework.org/schema/p=org.springframework.beans.factory.xml.SimplePropertyNamespaceHandler, http://www.springframework.org/schema/util=org.springframework.beans.factory.xml.UtilNamespaceHandler, http://www.springframework.org/schema/jee=org.springframework.ejb.config.JeeNamespaceHandler, http://www.springframework.org/schema/aop=org.springframework.aop.config.AopNamespaceHandler, http://www.springframework.org/schema/security=org.springframework.security.config.SecurityNamespaceHandler, http://www.springframework.org/schema/tx=org.springframework.transaction.config.TxNamespaceHandler, http://www.springframework.org/schema/task=org.springframework.scheduling.config.TaskNamespaceHandler, http://www.springframework.org/schema/lang=org.springframework.scripting.config.LangNamespaceHandler, http://www.springframework.org/schema/context=org.springframework.context.config.ContextNamespaceHandler}
Checking sorted filter chain: [Root bean: class [org.springframework.security.web.context.SecurityContextPersistenceFilter]; scope=; abstract=false; lazyInit=false; autowireMode=0; dependencyCheck=0; autowireCandidate=true; primary=false; factoryBeanName=null; factoryMethodName=null; initMethodName=null; destroyMethodName=null, order = 300, <spnegoAuthenticationProcessingFilter>, order = 1200, Root bean: class [org.springframework.security.web.savedrequest.RequestCacheAwareFilter]; scope=; abstract=false; lazyInit=false; autowireMode=0; dependencyCheck=0; autowireCandidate=true; primary=false; factoryBeanName=null; factoryMethodName=null; initMethodName=null; destroyMethodName=null, order = 1300, Root bean: class [org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter]; scope=; abstract=false; lazyInit=false; autowireMode=0; dependencyCheck=0; autowireCandidate=true; primary=false; factoryBeanName=null; factoryMethodName=null; initMethodName=null; destroyMethodName=null, order = 1400, Root bean: class [org.springframework.security.web.authentication.AnonymousAuthenticationFilter]; scope=; abstract=false; lazyInit=false; autowireMode=0; dependencyCheck=0; autowireCandidate=true; primary=false; factoryBeanName=null; factoryMethodName=null; initMethodName=null; destroyMethodName=null, order = 1600, Root bean: class [org.springframework.security.web.session.SessionManagementFilter]; scope=; abstract=false; lazyInit=false; autowireMode=0; dependencyCheck=0; autowireCandidate=true; primary=false; factoryBeanName=null; factoryMethodName=null; initMethodName=null; destroyMethodName=null, order = 1700, Root bean: class [org.springframework.security.web.access.ExceptionTranslationFilter]; scope=; abstract=false; lazyInit=false; autowireMode=0; dependencyCheck=0; autowireCandidate=true; primary=false; factoryBeanName=null; factoryMethodName=null; initMethodName=null; destroyMethodName=null, order = 1800, <org.springframework.security.web.access.intercept.FilterSecurityInterceptor#0>, order = 1900]
Neither XML 'id' nor 'name' specified - using generated bean name [org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator#1a40cf5]
Neither XML 'id' nor 'name' specified - using generated bean name [org.springframework.security.extensions.kerberos.GlobalSunJaasKerberosConfig#0]
Loaded 18 bean definitions from location pattern [/WEB-INF/spnego.xml]
...
Eagerly caching bean 'kerberosServiceAuthenticationProvider' to allow for resolving potential circular references
Creating instance of bean 'org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator#1a40cf5'
Invoking afterPropertiesSet() on bean with name 'org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator#1a40cf5'
Your keytab is in the classpath. This file needs special protection and shouldn't be in the classpath. JAAS may also not be able to load this file from classpath.
Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator false KeyTab is file:/C:/Program%20Files/Apache%20Software%20Foundation/Tomcat%207.0/webapps/spring-security-kerberos-sample-1.0.0.M2/WEB-INF/classes/xena2.keytab refreshKrb5Config is false principal is HTTP/XENA2.mydomain.org@MYDOMAIN.ORG tryFirstPass is false useFirstPass is false storePass is false clearPass is false
principal is HTTP/XENA2.mydomain.org@MYDOMAIN.ORG
Will use keytab
Ordering keys wrt default_tkt_enctypes list
Config name: classpath:krb5.conf
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 17 16 23 1 3.
Commit Succeeded
Finished creating instance of bean 'org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator#1a40cf5'
Creating shared instance of singleton bean 'dummyUserDetailsService'
Creating instance of bean 'dummyUserDetailsService'
Eagerly caching bean 'dummyUserDetailsService' to allow for resolving potential circular references
Finished creating instance of bean 'dummyUserDetailsService'
...
HttpSession returned null object for SPRING_SECURITY_CONTEXT
No SecurityContext was available from the HttpSession: org.apache.catalina.session.StandardSessionFacade@12ef3bb. A new one will be created.
/secure/index.jsp at position 2 of 8 in additional filter chain; firing Filter: 'org.springframework.security.extensions.kerberos.web.SpnegoAuthenticationProcessingFilter@2b7684'
/secure/index.jsp at position 3 of 8 in additional filter chain; firing Filter: 'org.springframework.security.web.savedrequest.RequestCacheAwareFilter@171ff47'
/secure/index.jsp at position 4 of 8 in additional filter chain; firing Filter: 'org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@12ec880'
/secure/index.jsp at position 5 of 8 in additional filter chain; firing Filter: 'org.springframework.security.web.authentication.AnonymousAuthenticationFilter@2a3db5'
Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@6faeba70: Principal: anonymousUser; Password: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffbcba8: RemoteIpAddress: 192.168.189.1; SessionId: 3FBB484FF373A965218474C88211DFA7; Granted Authorities: ROLE_ANONYMOUS'
/secure/index.jsp at position 6 of 8 in additional filter chain; firing Filter: 'org.springframework.security.web.session.SessionManagementFilter@139406a'
/secure/index.jsp at position 7 of 8 in additional filter chain; firing Filter: 'org.springframework.security.web.access.ExceptionTranslationFilter@1b42103'
/secure/index.jsp at position 8 of 8 in additional filter chain; firing Filter: 'org.springframework.security.web.access.intercept.FilterSecurityInterceptor@e38854'
Converted URL to lowercase, from: '/secure/index.jsp'; to: '/secure/index.jsp'
Candidate is: '/secure/index.jsp'; pattern is /secure/**; matched=true
Secure object: FilterInvocation: URL: /secure/index.jsp; Attributes: [IS_AUTHENTICATED_FULLY]
Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@6faeba70: Principal: anonymousUser; Password: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffbcba8: RemoteIpAddress: 192.168.189.1; SessionId: 3FBB484FF373A965218474C88211DFA7; Granted Authorities: ROLE_ANONYMOUS
Voter: org.springframework.security.access.vote.RoleVoter@183b617, returned: 0
Voter: org.springframework.security.access.vote.AuthenticatedVoter@27cff7, returned: -1
Access is denied (user is anonymous); redirecting to authentication entry point
org.springframework.security.access.AccessDeniedException: Access is denied
at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:71)
at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:203)
at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:106)
at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:83)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:355)
at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:97)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:355)
at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:100)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:355)
at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:78)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:355)
at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:54)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:355)
at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:35)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:355)
at org.springframework.security.extensions.kerberos.web.SpnegoAuthenticationProcessingFilter.doFilter(SpnegoAuthenticationProcessingFilter.java:152)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:355)
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:79)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:355)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:149)
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:168)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:929)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1002)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:585)
at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:312)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1110)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:603)
at java.lang.Thread.run(Thread.java:722)
所以问题是为什么我收到这个错误:org.springframework.security.access.AccessDeniedException: Access is denied
难道是keytab文件没有使用成功?如果是,那么为什么?另外我认为这个错误产生了另一个错误: 原因:GSSException:检测到有缺陷的令牌(机制级别:GSSHeader没有找到正确的标签)
我希望这是足够的信息,有人会帮助我。
提前致谢。