java - Spring Security Kerberos/SPNEGO 扩展错误“访问被拒绝”

Question

我在使用 Spring Security Kerberos/SPNEGO Extension 示例时遇到了麻烦。我在用：

• 窗口 2008
• 雄猫 7
• Spring Security Kerberos/SPNEGO 扩展
• 1.7 jdk1.7.0_09

我正在使用此博客设置示例： http: //blog.springsource.com/2009/09/28/spring-security-kerberos/ 所以我开始：在 Windows 2008 服务器中，我使用命令创建了主体：

C:\>ktpass -princ HTTP/XENA2.mydomain.org@MYDOMAIN.ORG -pass xena2 -mapuser MYDOMAIN\xena2 -out c:\xena2.keytab -kvno 0 -ptype KRB5_NT_PRINCIPAL -mapop set -crypto All

并得到了这个结果：

Targeting domain controller: SERVAS.mydomain.org
Using legacy password setting method
Successfully mapped HTTP/XENA2.mydomain.org to xena2.
Key created.
Key created.
Key created.
Key created.
Key created.
Output keytab to c:\xena2.keytab:
Keytab version: 0x502
keysize 59 HTTP/XENA2.mydomain.org@MYDOMAIN.ORG ptype 1 (KRB5_NT_PRINCIPAL) vno 0 etype 0x1 (DES-CBC-CRC) keylength 8 (0xa8fbb6cde346579e)
keysize 59 HTTP/XENA2.mydomain.org@MYDOMAIN.ORG ptype 1 (KRB5_NT_PRINCIPAL) vno 0 etype 0x3 (DES-CBC-MD5) keylength 8 (0xa8fbb6cde346579e)
keysize 67 HTTP/XENA2.mydomain.org@MYDOMAIN.ORG ptype 1 (KRB5_NT_PRINCIPAL) vno 0 etype 0x17 (RC4-HMAC) keylength 16 (0x9200ac342847bbeb60bdc8a5821a5fac)
keysize 83 HTTP/XENA2.mydomain.org@MYDOMAIN.ORG ptype 1 (KRB5_NT_PRINCIPAL) vno 0 etype 0x12 (AES256-SHA1) keylength 32 (0x904dbaf53675f18254aaacdcef91cd29f5bb0a3d10919b983c76b9f00014d966)
keysize 67 HTTP/XENA2.mydomain.org@MYDOMAIN.ORG ptype 1 (KRB5_NT_PRINCIPAL) vno 0 etype 0x11 (AES128-SHA1) keylength 16 (0x56fd36768f184efeb729eb8b22c4c168)

之后，我将 xena2.keytab 文件复制到计算机（XENA2）并测试与服务器的连接：

C:\>kinit HTTP/XENA2.mydomain.org@MYDOMAIN.ORG -k -t xena2.keytab
New ticket is stored in cache file C:\Users\xena2\krb5cc_xena2

直到现在对我来说都很好。

向 Tomcat 启动添加变量：

-Djava.security.krb5.conf=C:\krb5.conf
-Djava.security.krb5.realm=MYDOMAIN.ORG
-Djava.security.krb5.kdc=servas.MYDOMAIN.ORG

在 C: 磁盘中创建文件krb5.conf ：

[libdefaults]
    default_realm = MYDOMAIN.ORG
    default_tkt_enctypes = aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc
    default_tgs_enctypes = aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc
    permitted_enctypes   = aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc

[realms]
    MYDOMAIN.ORG  = {
        kdc = servas.mydomain.org 
        default_domain = MYDOMAIN.ORG
}

[domain_realm]
    .MYDOMAIN.ORG = MYDOMAIN.ORG 

像这样更新spnego.xml文件：

<property name="servicePrincipal" value="HTTP/XENA2.mydomain.org@MYDOMAIN.ORG" />
<property name="keyTabLocation" value="classpath:xena2.keytab" />

也试过：

<property name="keyTabLocation" value="FILE:C:/xena2.keytab" />

将项目部署到 tomcat 运行它（在与服务器不同的计算机上），进入受限位置，写入用户并通过并得到 HTTP 500 错误。日志文件看起来像这样（有点清理）：

2012-10-26 15:48:25 Commons Daemon procrun stdout initialized
Root WebApplicationContext: initialization started 
Refreshing Root WebApplicationContext: startup date [Fri Oct 26 15:48:28 EEST 2012]; root of context hierarchy 
Loading XML bean definitions from ServletContext resource [/WEB-INF/spnego.xml] 
Using JAXP provider [com.sun.org.apache.xerces.internal.jaxp.DocumentBuilderFactoryImpl] 
Loading schema mappings from [META-INF/spring.schemas] 
Loaded schema mappings: {http://www.springframework.org/schema/util/spring-util.xsd=org/springframework/beans/factory/xml/spring-util-3.0.xsd, http://www.springframework.org/schema/task/spring-task.xsd=org/springframework/scheduling/config/spring-task-3.0.xsd, http://www.springframework.org/schema/security/spring-security-2.0.2.xsd=org/springframework/security/config/spring-security-2.0.2.xsd, http://www.springframework.org/schema/aop/spring-aop-3.0.xsd=org/springframework/aop/config/spring-aop-3.0.xsd, http://www.springframework.org/schema/aop/spring-aop-2.0.xsd=org/springframework/aop/config/spring-aop-2.0.xsd, http://www.springframework.org/schema/tool/spring-tool-2.5.xsd=org/springframework/beans/factory/xml/spring-tool-2.5.xsd, http://www.springframework.org/schema/beans/spring-beans.xsd=org/springframework/beans/factory/xml/spring-beans-3.0.xsd, http://www.springframework.org/schema/jee/spring-jee-2.5.xsd=org/springframework/ejb/config/spring-jee-2.5.xsd, http://www.springframework.org/schema/aop/spring-aop.xsd=org/springframework/aop/config/spring-aop-3.0.xsd, http://www.springframework.org/schema/beans/spring-beans-2.0.xsd=org/springframework/beans/factory/xml/spring-beans-2.0.xsd, http://www.springframework.org/schema/beans/spring-beans-3.0.xsd=org/springframework/beans/factory/xml/spring-beans-3.0.xsd, http://www.springframework.org/schema/security/spring-security-2.0.1.xsd=org/springframework/security/config/spring-security-2.0.1.xsd, http://www.springframework.org/schema/task/spring-task-3.0.xsd=org/springframework/scheduling/config/spring-task-3.0.xsd, http://www.springframework.org/schema/security/spring-security-2.0.xsd=org/springframework/security/config/spring-security-2.0.xsd, http://www.springframework.org/schema/security/spring-security-3.0.xsd=org/springframework/security/config/spring-security-3.0.xsd, http://www.springframework.org/schema/tx/spring-tx-2.5.xsd=org/springframework/transaction/config/spring-tx-2.5.xsd, http://www.springframework.org/schema/context/spring-context-2.5.xsd=org/springframework/context/config/spring-context-2.5.xsd, http://www.springframework.org/schema/tool/spring-tool-3.0.xsd=org/springframework/beans/factory/xml/spring-tool-3.0.xsd, http://www.springframework.org/schema/tx/spring-tx.xsd=org/springframework/transaction/config/spring-tx-3.0.xsd, http://www.springframework.org/schema/tool/spring-tool-2.0.xsd=org/springframework/beans/factory/xml/spring-tool-2.0.xsd, http://www.springframework.org/schema/util/spring-util-2.5.xsd=org/springframework/beans/factory/xml/spring-util-2.5.xsd, http://www.springframework.org/schema/lang/spring-lang.xsd=org/springframework/scripting/config/spring-lang-3.0.xsd, http://www.springframework.org/schema/lang/spring-lang-2.5.xsd=org/springframework/scripting/config/spring-lang-2.5.xsd, http://www.springframework.org/schema/security/spring-security-2.0.4.xsd=org/springframework/security/config/spring-security-2.0.4.xsd, http://www.springframework.org/schema/jee/spring-jee-3.0.xsd=org/springframework/ejb/config/spring-jee-3.0.xsd, http://www.springframework.org/schema/jee/spring-jee-2.0.xsd=org/springframework/ejb/config/spring-jee-2.0.xsd, http://www.springframework.org/schema/security/spring-security.xsd=org/springframework/security/config/spring-security-3.0.xsd, http://www.springframework.org/schema/context/spring-context.xsd=org/springframework/context/config/spring-context-3.0.xsd, http://www.springframework.org/schema/jee/spring-jee.xsd=org/springframework/ejb/config/spring-jee-3.0.xsd, http://www.springframework.org/schema/aop/spring-aop-2.5.xsd=org/springframework/aop/config/spring-aop-2.5.xsd, http://www.springframework.org/schema/tx/spring-tx-2.0.xsd=org/springframework/transaction/config/spring-tx-2.0.xsd, http://www.springframework.org/schema/tx/spring-tx-3.0.xsd=org/springframework/transaction/config/spring-tx-3.0.xsd, http://www.springframework.org/schema/context/spring-context-3.0.xsd=org/springframework/context/config/spring-context-3.0.xsd, http://www.springframework.org/schema/tool/spring-tool.xsd=org/springframework/beans/factory/xml/spring-tool-3.0.xsd, http://www.springframework.org/schema/util/spring-util-3.0.xsd=org/springframework/beans/factory/xml/spring-util-3.0.xsd, http://www.springframework.org/schema/lang/spring-lang-3.0.xsd=org/springframework/scripting/config/spring-lang-3.0.xsd, http://www.springframework.org/schema/util/spring-util-2.0.xsd=org/springframework/beans/factory/xml/spring-util-2.0.xsd, http://www.springframework.org/schema/lang/spring-lang-2.0.xsd=org/springframework/scripting/config/spring-lang-2.0.xsd, http://www.springframework.org/schema/beans/spring-beans-2.5.xsd=org/springframework/beans/factory/xml/spring-beans-2.5.xsd} 
Found XML schema [http://www.springframework.org/schema/beans/spring-beans-2.0.xsd] in classpath: org/springframework/beans/factory/xml/spring-beans-2.0.xsd 
Found XML schema [http://www.springframework.org/schema/security/spring-security-3.0.xsd] in classpath: org/springframework/security/config/spring-security-3.0.xsd 
Loading bean definitions 
Loaded NamespaceHandler mappings: {http://www.springframework.org/schema/p=org.springframework.beans.factory.xml.SimplePropertyNamespaceHandler, http://www.springframework.org/schema/util=org.springframework.beans.factory.xml.UtilNamespaceHandler, http://www.springframework.org/schema/jee=org.springframework.ejb.config.JeeNamespaceHandler, http://www.springframework.org/schema/aop=org.springframework.aop.config.AopNamespaceHandler, http://www.springframework.org/schema/security=org.springframework.security.config.SecurityNamespaceHandler, http://www.springframework.org/schema/tx=org.springframework.transaction.config.TxNamespaceHandler, http://www.springframework.org/schema/task=org.springframework.scheduling.config.TaskNamespaceHandler, http://www.springframework.org/schema/lang=org.springframework.scripting.config.LangNamespaceHandler, http://www.springframework.org/schema/context=org.springframework.context.config.ContextNamespaceHandler} 
Checking sorted filter chain: [Root bean: class [org.springframework.security.web.context.SecurityContextPersistenceFilter]; scope=; abstract=false; lazyInit=false; autowireMode=0; dependencyCheck=0; autowireCandidate=true; primary=false; factoryBeanName=null; factoryMethodName=null; initMethodName=null; destroyMethodName=null, order = 300, <spnegoAuthenticationProcessingFilter>, order = 1200, Root bean: class [org.springframework.security.web.savedrequest.RequestCacheAwareFilter]; scope=; abstract=false; lazyInit=false; autowireMode=0; dependencyCheck=0; autowireCandidate=true; primary=false; factoryBeanName=null; factoryMethodName=null; initMethodName=null; destroyMethodName=null, order = 1300, Root bean: class [org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter]; scope=; abstract=false; lazyInit=false; autowireMode=0; dependencyCheck=0; autowireCandidate=true; primary=false; factoryBeanName=null; factoryMethodName=null; initMethodName=null; destroyMethodName=null, order = 1400, Root bean: class [org.springframework.security.web.authentication.AnonymousAuthenticationFilter]; scope=; abstract=false; lazyInit=false; autowireMode=0; dependencyCheck=0; autowireCandidate=true; primary=false; factoryBeanName=null; factoryMethodName=null; initMethodName=null; destroyMethodName=null, order = 1600, Root bean: class [org.springframework.security.web.session.SessionManagementFilter]; scope=; abstract=false; lazyInit=false; autowireMode=0; dependencyCheck=0; autowireCandidate=true; primary=false; factoryBeanName=null; factoryMethodName=null; initMethodName=null; destroyMethodName=null, order = 1700, Root bean: class [org.springframework.security.web.access.ExceptionTranslationFilter]; scope=; abstract=false; lazyInit=false; autowireMode=0; dependencyCheck=0; autowireCandidate=true; primary=false; factoryBeanName=null; factoryMethodName=null; initMethodName=null; destroyMethodName=null, order = 1800, <org.springframework.security.web.access.intercept.FilterSecurityInterceptor#0>, order = 1900] 
Neither XML 'id' nor 'name' specified - using generated bean name [org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator#1a40cf5] 
Neither XML 'id' nor 'name' specified - using generated bean name [org.springframework.security.extensions.kerberos.GlobalSunJaasKerberosConfig#0] 
Loaded 18 bean definitions from location pattern [/WEB-INF/spnego.xml] 

...

Eagerly caching bean 'kerberosServiceAuthenticationProvider' to allow for resolving potential circular references 
Creating instance of bean 'org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator#1a40cf5' 
Invoking afterPropertiesSet() on bean with name 'org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator#1a40cf5' 
Your keytab is in the classpath. This file needs special protection and shouldn't be in the classpath. JAAS may also not be able to load this file from classpath. 
Debug is  true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator false KeyTab is file:/C:/Program%20Files/Apache%20Software%20Foundation/Tomcat%207.0/webapps/spring-security-kerberos-sample-1.0.0.M2/WEB-INF/classes/xena2.keytab refreshKrb5Config is false principal is HTTP/XENA2.mydomain.org@MYDOMAIN.ORG tryFirstPass is false useFirstPass is false storePass is false clearPass is false
principal is HTTP/XENA2.mydomain.org@MYDOMAIN.ORG
Will use keytab
Ordering keys wrt default_tkt_enctypes list
Config name: classpath:krb5.conf
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 17 16 23 1 3.
Commit Succeeded 

Finished creating instance of bean 'org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator#1a40cf5' 
Creating shared instance of singleton bean 'dummyUserDetailsService' 
Creating instance of bean 'dummyUserDetailsService' 
Eagerly caching bean 'dummyUserDetailsService' to allow for resolving potential circular references 
Finished creating instance of bean 'dummyUserDetailsService' 

...

HttpSession returned null object for SPRING_SECURITY_CONTEXT 
No SecurityContext was available from the HttpSession: org.apache.catalina.session.StandardSessionFacade@12ef3bb. A new one will be created. 
/secure/index.jsp at position 2 of 8 in additional filter chain; firing Filter: 'org.springframework.security.extensions.kerberos.web.SpnegoAuthenticationProcessingFilter@2b7684' 
/secure/index.jsp at position 3 of 8 in additional filter chain; firing Filter: 'org.springframework.security.web.savedrequest.RequestCacheAwareFilter@171ff47' 
/secure/index.jsp at position 4 of 8 in additional filter chain; firing Filter: 'org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@12ec880' 
/secure/index.jsp at position 5 of 8 in additional filter chain; firing Filter: 'org.springframework.security.web.authentication.AnonymousAuthenticationFilter@2a3db5' 
Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@6faeba70: Principal: anonymousUser; Password: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffbcba8: RemoteIpAddress: 192.168.189.1; SessionId: 3FBB484FF373A965218474C88211DFA7; Granted Authorities: ROLE_ANONYMOUS' 
/secure/index.jsp at position 6 of 8 in additional filter chain; firing Filter: 'org.springframework.security.web.session.SessionManagementFilter@139406a' 
/secure/index.jsp at position 7 of 8 in additional filter chain; firing Filter: 'org.springframework.security.web.access.ExceptionTranslationFilter@1b42103' 
/secure/index.jsp at position 8 of 8 in additional filter chain; firing Filter: 'org.springframework.security.web.access.intercept.FilterSecurityInterceptor@e38854' 
Converted URL to lowercase, from: '/secure/index.jsp'; to: '/secure/index.jsp' 
Candidate is: '/secure/index.jsp'; pattern is /secure/**; matched=true 
Secure object: FilterInvocation: URL: /secure/index.jsp; Attributes: [IS_AUTHENTICATED_FULLY] 
Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@6faeba70: Principal: anonymousUser; Password: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffbcba8: RemoteIpAddress: 192.168.189.1; SessionId: 3FBB484FF373A965218474C88211DFA7; Granted Authorities: ROLE_ANONYMOUS 
Voter: org.springframework.security.access.vote.RoleVoter@183b617, returned: 0 
Voter: org.springframework.security.access.vote.AuthenticatedVoter@27cff7, returned: -1 
Access is denied (user is anonymous); redirecting to authentication entry point 
org.springframework.security.access.AccessDeniedException: Access is denied
    at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:71)
    at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:203)
    at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:106)
    at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:83)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:355)
    at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:97)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:355)
    at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:100)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:355)
    at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:78)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:355)
    at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:54)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:355)
    at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:35)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:355)
    at org.springframework.security.extensions.kerberos.web.SpnegoAuthenticationProcessingFilter.doFilter(SpnegoAuthenticationProcessingFilter.java:152)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:355)
    at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:79)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:355)
    at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:149)
    at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
    at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:168)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99)
    at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:929)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1002)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:585)
    at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:312)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1110)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:603)
    at java.lang.Thread.run(Thread.java:722)

所以问题是为什么我收到这个错误：org.springframework.security.access.AccessDeniedException: Access is denied

难道是keytab文件没有使用成功？如果是，那么为什么？另外我认为这个错误产生了另一个错误： 原因：GSSException：检测到有缺陷的令牌（机制级别：GSSHeader没有找到正确的标签）

我希望这是足够的信息，有人会帮助我。

提前致谢。

Answer 1

除了这个扩展是垃圾之外，您的客户端会向您发送一个 NTLM 令牌而不是 Kerberos 令牌。这种行为是绝对正确的，因为客户端可以协商（在这里它作为后备）。检查您的整个 Kerberos、DNS、AD 设置。使用 Wireshark！