4

我正在使用http://spnego.sourceforge.net/spnego_tomcat.html教程来尝试配置 Tomcat 以使用 spnego。

Hello_KDC.java 工作,我能够进行身份验证。如果我使用错误的密码,我会得到错误异常,所以它正在工作。

但是当我尝试将该教程用于 Tomcat 时,它会中断。Tomcat ROOT/index.jsp 变为空白,并且在监视时我看到它返回 404。 log\host-manager.2013-02-22.log 具有以下内容:

Fev 22, 2013 1:39:03 PM org.apache.catalina.core.StandardContext filterStart
SEVERE: Exception starting filter SpnegoHttpFilter
javax.servlet.ServletException: javax.security.auth.login.LoginException: Cannot locate default realm
    at net.sourceforge.spnego.SpnegoHttpFilter.init(SpnegoHttpFilter.java:198)
    at org.apache.catalina.core.ApplicationFilterConfig.initFilter(ApplicationFilterConfig.java:281)
    at org.apache.catalina.core.ApplicationFilterConfig.getFilter(ApplicationFilterConfig.java:262)
    at org.apache.catalina.core.ApplicationFilterConfig.<init>(ApplicationFilterConfig.java:107)
    at org.apache.catalina.core.StandardContext.filterStart(StandardContext.java:4656)
    at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5309)
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
    at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:901)
    at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:877)
    at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:633)
    at org.apache.catalina.startup.HostConfig.deployDirectory(HostConfig.java:1114)
    at org.apache.catalina.startup.HostConfig$DeployDirectory.run(HostConfig.java:1673)
    at java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source)
    at java.util.concurrent.FutureTask$Sync.innerRun(Unknown Source)
    at java.util.concurrent.FutureTask.run(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
    at java.lang.Thread.run(Unknown Source)
Caused by: javax.security.auth.login.LoginException: Cannot locate default realm
    at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Unknown Source)
    at com.sun.security.auth.module.Krb5LoginModule.login(Unknown Source)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
    at java.lang.reflect.Method.invoke(Unknown Source)
    at javax.security.auth.login.LoginContext.invoke(Unknown Source)
    at javax.security.auth.login.LoginContext.access$000(Unknown Source)
    at javax.security.auth.login.LoginContext$4.run(Unknown Source)
    at javax.security.auth.login.LoginContext$4.run(Unknown Source)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.login.LoginContext.invokePriv(Unknown Source)
    at javax.security.auth.login.LoginContext.login(Unknown Source)
    at net.sourceforge.spnego.SpnegoAuthenticator.<init>(SpnegoAuthenticator.java:161)
    at net.sourceforge.spnego.SpnegoHttpFilter.init(SpnegoHttpFilter.java:196)
    ... 17 more
Caused by: KrbException: Cannot locate default realm
    at sun.security.krb5.PrincipalName.<init>(Unknown Source)
    ... 32 more
Caused by: KrbException: Cannot locate default realm
    at sun.security.krb5.Config.getDefaultRealm(Unknown Source)
    ... 33 more
Caused by: KrbException: Generic error (description in e-text) (60) - Unable to locate Kerberos realm
    at sun.security.krb5.Config.getRealmFromDNS(Unknown Source)
    ... 34 more

这发生在 tomcat 启动期间,在从浏览器加载任何页面之前。当我尝试加载页面时,没有添加任何日志。

在 krb5.conf 中,我尝试了主机名和 IP 并得到相同的错误。krb5.conf 和 login.conf 正在被定位,因为如果我删除它们,我会得到这个日志:

Fev 22, 2013 1:46:05 PM org.apache.catalina.core.StandardContext filterStart
SEVERE: Exception starting filter SpnegoHttpFilter
java.lang.SecurityException: login.conf (tal arquivo ou diretório não existe)
    at com.sun.security.auth.login.ConfigFile.<init>(Unknown Source)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(Unknown Source)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(Unknown Source)
    at java.lang.reflect.Constructor.newInstance(Unknown Source)
    at java.lang.Class.newInstance0(Unknown Source)
    at java.lang.Class.newInstance(Unknown Source)
    at javax.security.auth.login.Configuration$3.run(Unknown Source)
    at javax.security.auth.login.Configuration$3.run(Unknown Source)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.login.Configuration.getConfiguration(Unknown Source)
    at net.sourceforge.spnego.SpnegoFilterConfig.doClientModule(SpnegoFilterConfig.java:176)
    at net.sourceforge.spnego.SpnegoFilterConfig.<init>(SpnegoFilterConfig.java:138)
    at net.sourceforge.spnego.SpnegoFilterConfig.getInstance(SpnegoFilterConfig.java:314)
    at net.sourceforge.spnego.SpnegoHttpFilter.init(SpnegoHttpFilter.java:193)
    at org.apache.catalina.core.ApplicationFilterConfig.initFilter(ApplicationFilterConfig.java:281)
    at org.apache.catalina.core.ApplicationFilterConfig.getFilter(ApplicationFilterConfig.java:262)
    at org.apache.catalina.core.ApplicationFilterConfig.<init>(ApplicationFilterConfig.java:107)
    at org.apache.catalina.core.StandardContext.filterStart(StandardContext.java:4656)
    at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5309)
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
    at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:901)
    at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:877)
    at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:633)
    at org.apache.catalina.startup.HostConfig.deployDirectory(HostConfig.java:1114)
    at org.apache.catalina.startup.HostConfig$DeployDirectory.run(HostConfig.java:1673)
    at java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source)
    at java.util.concurrent.FutureTask$Sync.innerRun(Unknown Source)
    at java.util.concurrent.FutureTask.run(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
    at java.lang.Thread.run(Unknown Source)
Caused by: java.io.IOException: login.conf (tal arquivo ou diretório não existe)
    at com.sun.security.auth.login.ConfigFile.init(Unknown Source)
    ... 32 more

知道会发生什么吗?

4

3 回答 3

6

这可能意味着两件事:-

  1. 您的 krb5.conf 配置错误
  2. 您的 tomcat 机器位于没有 kdc 的领域

这是一个示例 krb5.conf 供参考。请注意,在这种情况下,我的 tomcat 主机位于 KERBOS.COM

[libdefaults]
default_realm = KERBOS.COM
ticket_lifetime = 36000

[realms]
KERBOS.COM = {
kdc = 10.1.2.3
admin_server = INQS28KERB01
default_domain = KERBOS.COM
}

[domain_realm]
.mycompany.com = KERBOS.COM

[appdefaults]
autologin = true
forward = true
forwardable = true
encrypt = true

对我来说这有效。请提供您的 krb5.conf 以获取详细信息。此外,还请提供您所做的 tomcat 过滤器编辑,可能在那里配置错误。

于 2013-04-02T12:42:48.280 回答
6

异常的一个可能原因KrbException: Cannot locate default realm是登录模块无法找到您的krb5.conf.

为 Windows 集成身份验证配置 Tomcat的说明表明,krb5.conf如果您使用的是 Windows,则应将其放在 Tomcat 主目录中,例如 C:\Tomcat\。

但是,通常(即不特定于您所指的 Sourceforge 项目)登录模块将查找的默认位置在此处krb5.conf定义:

如果设置了系统属性 java.security.krb5.conf,则假定其值指定路径和文件名。

如果未设置该系统属性值,则在目录中查找配置文件:

  • \lib\security (Windows)
  • /lib/security(Solaris 和 Linux)

如果仍未找到该文件,则尝试按如下方式定位它:

  • /etc/krb5/krb5.conf (Solaris)
  • c:\winnt\krb5.ini (Windows)
  • /etc/krb5.conf (Linux)

设置一些额外的属性来激活调试日志有助于确定您的特定应用程序在哪里寻找 krb5.conf:

System.setProperty("sun.security.krb5.debug", "true");

根据您的情况,调试输出可能会打印以下部分或全部内容:

系统属性 java.security.krb5.conf 未设置,因此模块在默认系统特定位置查找:

Java config name: null
Native config name: /etc/krb5.conf
Loaded from native config

设置系统属性 java.security.krb5.conf 并找到文件:

Java config name: krb5.conf
Loaded from Java config

系统属性 java.security.krb5.conf 已设置但未找到文件:

Java config name: krb5.conf

请注意,在最后一个示例中,没有确认配置已加载。在这种情况下,您会看到异常消息:KrbException: Cannot locate default realm)

于 2017-10-04T07:42:59.673 回答
1

刚才我遇到了同样的问题,并意识到我的 krb5.conf 文件不在我的文件结构中的正确位置。它应该位于:

服务器 > Tomcat

服务器 > Tomcat > bin

这就是我在工作中设置的方式,现在一切正常。我已经更改了工作区,我需要添加它以使其正常工作。

于 2013-05-17T14:38:30.643 回答