We use Spring Security and Kerberos in an application deployed in Tomcat 7. If we activate java.security we get the exception:

java.security.AccessControlException: access denied ("javax.security.auth.PrivateCredentialPermission" "javax.security.auth.kerberos.KeyTab" "read")
java.security.AccessControlContext.checkPermission(AccessControlContext.java:366)
java.security.AccessController.checkPermission(AccessController.java:555)
java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
javax.security.auth.Subject$SecureSet$1.next(Subject.java:1024)
sun.security.jgss.krb5.Krb5Util$ServiceCreds.getKKeys(Krb5Util.java:283)
sun.security.jgss.krb5.Krb5Util$ServiceCreds.getEKeys(Krb5Util.java:301)
sun.security.jgss.krb5.Krb5AcceptCredential.getKrb5EncryptionKeys(Krb5AcceptCredential.java:156)
sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:768)
sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:342)
sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
sun.security.jgss.spnego.SpNegoContext.GSS_acceptSecContext(SpNegoContext.java:871)
sun.security.jgss.spnego.SpNegoContext.acceptSecContext(SpNegoContext.java:544)
sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:342)
sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator$KerberosValidateAction.run(SunJaasKerberosTicketValidator.java:153)
org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator$KerberosValidateAction.run(SunJaasKerberosTicketValidator.java:1)
java.security.AccessController.doPrivileged(Native Method)
javax.security.auth.Subject.doAs(Subject.java:415)
org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator.validateTicket(SunJaasKerberosTicketValidator.java:69)

The javadoc for PrivateCredentialPermission says that I have to add something like this to catalina.policy:

grant {
    permission javax.security.auth.PrivateCredentialPermission
        "com.sun.PrivateCredential javax.security.auth.kerberos.KeyTab \"duke\"", "read";
};

where duke is the name of my principal, or just *. Unfortunately, this does not work.

What is the correct replacement for com.sun.PrivateCredential?
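An added example, not part of the question above, that makes the policy target grammar visible. The PrivateCredentialPermission target is documented as "CredentialClass {PrincipalClass \"PrincipalName\"}*": the first token is the class of the private credential being read, and each following pair names a principal class and a quoted principal name (in the javadoc example, com.sun.PrivateCredential is the credential class and com.sun.Principal the principal class). The stack trace shows the Subject demanding a read on javax.security.auth.kerberos.KeyTab, and Subject builds that runtime check from the credential's class name plus the Subject's own principals. The code below parses the target string as written in the question next to one laid out by the grammar, prints what each one actually grants, and tests both against a simulated runtime check. The service principal name is a constructed placeholder; it is not taken from the question.

```java
import javax.security.auth.PrivateCredentialPermission;

public class KeyTabPermissionCheck {

    // Constructed placeholder for a service principal; not from the question.
    static final String SPN = "HTTP/www.example.com@EXAMPLE.COM";

    // Target string exactly as the question writes it: KeyTab sits in the
    // principal-class slot, so the credential class stays com.sun.PrivateCredential.
    static final String AS_ASKED =
        "com.sun.PrivateCredential javax.security.auth.kerberos.KeyTab \"duke\"";

    // Same permission laid out per the documented grammar: credential class
    // first, then principal class and quoted principal name ("*" = any name).
    static final String BY_GRAMMAR =
        "javax.security.auth.kerberos.KeyTab "
        + "javax.security.auth.kerberos.KerberosPrincipal \"*\"";

    /**
     * Mirrors the permission Subject.getPrivateCredentials() iteration demands:
     * the class of the credential being read plus the Subject's principals
     * (here a single KerberosPrincipal with the placeholder SPN as its name).
     */
    static PrivateCredentialPermission runtimeCheck() {
        return new PrivateCredentialPermission(
            "javax.security.auth.kerberos.KeyTab "
            + "javax.security.auth.kerberos.KerberosPrincipal \"" + SPN + "\"",
            "read");
    }

    /** Parses a policy target and reports what it grants and whether it
     *  would satisfy the simulated runtime check. */
    static boolean describe(String label, String target) {
        PrivateCredentialPermission granted =
            new PrivateCredentialPermission(target, "read");
        System.out.println(label);
        System.out.println("  credential class : " + granted.getCredentialClass());
        for (String[] p : granted.getPrincipals()) {
            System.out.println("  principal        : " + p[0] + " \"" + p[1] + "\"");
        }
        boolean ok = granted.implies(runtimeCheck());
        System.out.println("  satisfies KeyTab read check: " + ok);
        return ok;
    }

    public static void main(String[] args) {
        describe("target as written in the question", AS_ASKED);
        describe("target laid out per the documented grammar", BY_GRAMMAR);
    }
}
```

Running this under any JDK that still ships the security manager classes prints the parsed credential class and principal list for each target; the first target grants a read on com.sun.PrivateCredential rather than on KeyTab and therefore does not imply the runtime check, while the second does. When tightening the grant, narrow the "*" principal name to the service principal the keytab belongs to so the policy only covers that Subject.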
