0

我有一个可用的 tomcat 实例,其中 tomcat-manager 小程序使用 SPNEGO 进行身份验证。当我部署 CAS - 配置为使用 SPNEGO - 时,会发生以下情况:

  • 部署后,管理器小程序和 CAS 都按预期工作
  • Tomcat重启后,它们都不起作用,它们都抛出异常(见下文)
  • 如果我取消部署 CAS,管理器小程序在 tomcat 重新启动之前仍然无法工作

我假设应用程序不应该修改其他应用程序的行为,因此使用 CAS 进行身份验证是自愿的。如果这是真的,那么这种行为将是一个错误。如果不是,那么我会假设 CAS 应该替换应用程序的身份验证,在这种情况下它仍然是一个错误。但是,我也假设我错过了一些关于 CAS/tomcat 应该如何工作的重要信息。简而言之:这是一个需要报告的错误,和/或我应该了解更多关于 CAS/tomcat 应该如何工作(以及在哪里工作?)

尝试登录管理器小程序时出现异常:

Apr 30 08:57:03 127.0.0.1/127.0.0.1 1 2013-04-30T06:57:03.222Z tomcat http-bio-8080-exec-1 21438   192.168.1.10 - - [30/Apr/2013:06:57:03 +0000] "GET /manager/ HTTP/1.1" 302 -
Apr 30 08:57:03 127.0.0.1/127.0.0.1 1 2013-04-30T06:57:03.301Z tomcat http-bio-8080-exec-2 21438   192.168.1.10 - - [30/Apr/2013:06:57:03 +0000] "GET /manager/html?org.apache.catalina.filters.CSRF_NONCE=146B55AA6642928501CA00F62409FCE8 HTTP/1.1" 401 2486
Apr 30 08:57:03 127.0.0.1/127.0.0.1 1 2013-04-30T06:57:03.348Z tomcat http-bio-8080-exec-3 21438   192.168.1.10 - - [30/Apr/2013:06:57:03 +0000] "GET /manager/html?org.apache.catalina.filters.CSRF_NONCE=146B55AA6642928501CA00F62409FCE8 HTTP/1.1" 500 1000
Apr 30 08:57:04 s_catalina@tomcat Apr 30, 2013 6:57:03 AM org.apache.catalina.authenticator.SpnegoAuthenticator authenticate
Apr 30 08:57:04 s_catalina@tomcat SEVERE: Unable to login as the service principal
Apr 30 08:57:04 s_catalina@tomcat javax.security.auth.login.LoginException: No LoginModules configured for com.sun.security.jgss.krb5.accept
Apr 30 08:57:04 s_catalina@tomcat   at javax.security.auth.login.LoginContext.init(LoginContext.java:273)
Apr 30 08:57:04 s_catalina@tomcat   at javax.security.auth.login.LoginContext.<init>(LoginContext.java:349)
Apr 30 08:57:04 s_catalina@tomcat   at org.apache.catalina.authenticator.SpnegoAuthenticator.authenticate(SpnegoAuthenticator.java:195)
Apr 30 08:57:04 s_catalina@tomcat   at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:544)
Apr 30 08:57:04 s_catalina@tomcat   at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:168)
Apr 30 08:57:04 s_catalina@tomcat   at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:98)
Apr 30 08:57:04 s_catalina@tomcat   at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:927)
Apr 30 08:57:04 s_catalina@tomcat   at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
Apr 30 08:57:04 s_catalina@tomcat   at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
Apr 30 08:57:04 s_catalina@tomcat   at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:987)
Apr 30 08:57:04 s_catalina@tomcat   at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:579)
Apr 30 08:57:04 s_catalina@tomcat   at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:309)
Apr 30 08:57:04 s_catalina@tomcat   at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
Apr 30 08:57:04 s_catalina@tomcat   at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
Apr 30 08:57:04 s_catalina@tomcat   at java.lang.Thread.run(Thread.java:722)

与 CAS 相同:

Apr 30 08:59:58 127.0.0.1/127.0.0.1 1 2013-04-30T06:59:58.104Z tomcat http-bio-8080-exec-4 21438   192.168.1.10 - - [30/Apr/2013:06:59:58 +0000] "GET /cas/ HTTP/1.1" 302 -
Apr 30 08:59:58 127.0.0.1/127.0.0.1 1 2013-04-30T06:59:58.937Z tomcat http-bio-8080-exec-5 21438   192.168.1.10 - - [30/Apr/2013:06:59:58 +0000] "GET /cas/login HTTP/1.1" 401 954
Apr 30 08:59:59 s_catalina@tomcat 2013-04-30 06:59:58,761 INFO [org.jasig.cas.web.flow.InitialFlowSetupAction] - <Setting path for cookies to: /cas/>
Apr 30 08:59:59 s_catalina@tomcat jcifs.spnego.AuthenticationException: Error performing Kerberos authentication: java.lang.reflect.InvocationTargetException
Apr 30 08:59:59 s_catalina@tomcat   at jcifs.spnego.Authentication.processKerberos(Authentication.java:447)
Apr 30 08:59:59 s_catalina@tomcat   at jcifs.spnego.Authentication.processSpnego(Authentication.java:346)
Apr 30 08:59:59 s_catalina@tomcat   at jcifs.spnego.Authentication.process(Authentication.java:235)
Apr 30 08:59:59 s_catalina@tomcat   at org.jasig.cas.support.spnego.authentication.handler.support.JCIFSSpnegoAuthenticationHandler.doAuthentication(JCIFSSpnegoAuthenticationHandler.java:70)
Apr 30 08:59:59 s_catalina@tomcat   at org.jasig.cas.authentication.handler.support.AbstractPreAndPostProcessingAuthenticationHandler.authenticate_aroundBody2(AbstractPreAndPostProcessingAuthenticationHandler.java:85)
Apr 30 08:59:59 s_catalina@tomcat   at org.jasig.cas.authentication.handler.support.AbstractPreAndPostProcessingAuthenticationHandler.authenticate_aroundBody3$advice(AbstractPreAndPostProcessingAuthenticationHandler.java:57)
Apr 30 08:59:59 s_catalina@tomcat   at org.jasig.cas.authentication.handler.support.AbstractPreAndPostProcessingAuthenticationHandler.authenticate(AbstractPreAndPostProcessingAuthenticationHandler.java:1)
Apr 30 08:59:59 s_catalina@tomcat   at org.jasig.cas.authentication.AuthenticationManagerImpl.authenticateAndObtainPrincipal(AuthenticationManagerImpl.java:93)
Apr 30 08:59:59 s_catalina@tomcat   at org.jasig.cas.authentication.AbstractAuthenticationManager.authenticate_aroundBody0(AbstractAuthenticationManager.java:57)
Apr 30 08:59:59 s_catalina@tomcat   at org.jasig.cas.authentication.AbstractAuthenticationManager.authenticate_aroundBody1$advice(AbstractAuthenticationManager.java:57)
Apr 30 08:59:59 s_catalina@tomcat   at org.jasig.cas.authentication.AbstractAuthenticationManager.authenticate(AbstractAuthenticationManager.java:1)
Apr 30 08:59:59 s_catalina@tomcat   at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)

[... 149 more]

Apr 30 08:59:59 s_catalina@tomcat Caused by: java.lang.reflect.InvocationTargetException
Apr 30 08:59:59 s_catalina@tomcat   at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
Apr 30 08:59:59 s_catalina@tomcat   at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
Apr 30 08:59:59 s_catalina@tomcat   at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
Apr 30 08:59:59 s_catalina@tomcat   at java.lang.reflect.Method.invoke(Method.java:601)
Apr 30 08:59:59 s_catalina@tomcat   at jcifs.spnego.Authentication$ServerAction.run(Authentication.java:511)
Apr 30 08:59:59 s_catalina@tomcat   at jcifs.spnego.Authentication.processKerberos(Authentication.java:430)
Apr 30 08:59:59 s_catalina@tomcat   ... 160 more
Apr 30 08:59:59 s_catalina@tomcat Caused by: GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new ACCEPT credentials failed!)
Apr 30 08:59:59 s_catalina@tomcat   at sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Krb5AcceptCredential.java:81)
Apr 30 08:59:59 s_catalina@tomcat   at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:126)
Apr 30 08:59:59 s_catalina@tomcat   at sun.security.jgss.GSSManagerImpl.getCredentialElement(GSSManagerImpl.java:192)
Apr 30 08:59:59 s_catalina@tomcat   at sun.security.jgss.GSSCredentialImpl.add(GSSCredentialImpl.java:406)
Apr 30 08:59:59 s_catalina@tomcat   at sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:60)
Apr 30 08:59:59 s_catalina@tomcat   at sun.security.jgss.GSSManagerImpl.createCredential(GSSManagerImpl.java:153)
Apr 30 08:59:59 s_catalina@tomcat   ... 166 more
Apr 30 08:59:59 s_catalina@tomcat Caused by: javax.security.auth.login.LoginException: Unable to obtain Princpal Name for authentication 
Apr 30 08:59:59 s_catalina@tomcat   at com.sun.security.auth.module.Krb5LoginModule.promptForName(Krb5LoginModule.java:796)
Apr 30 08:59:59 s_catalina@tomcat   at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:667)
Apr 30 08:59:59 s_catalina@tomcat   at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:580)
Apr 30 08:59:59 s_catalina@tomcat   at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
Apr 30 08:59:59 s_catalina@tomcat   at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
Apr 30 08:59:59 s_catalina@tomcat   at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
Apr 30 08:59:59 s_catalina@tomcat   at java.lang.reflect.Method.invoke(Method.java:601)
Apr 30 08:59:59 s_catalina@tomcat   at javax.security.auth.login.LoginContext.invoke(LoginContext.java:784)
Apr 30 08:59:59 s_catalina@tomcat   at javax.security.auth.login.LoginContext.access$000(LoginContext.java:203)
Apr 30 08:59:59 s_catalina@tomcat   at javax.security.auth.login.LoginContext$5.run(LoginContext.java:721)
Apr 30 08:59:59 s_catalina@tomcat   at javax.security.auth.login.LoginContext$5.run(LoginContext.java:719)
Apr 30 08:59:59 s_catalina@tomcat   at java.security.AccessController.doPrivileged(Native Method)
Apr 30 08:59:59 s_catalina@tomcat   at javax.security.auth.login.LoginContext.invokeCreatorPriv(LoginContext.java:718)
Apr 30 08:59:59 s_catalina@tomcat   at javax.security.auth.login.LoginContext.login(LoginContext.java:590)
Apr 30 08:59:59 s_catalina@tomcat   at sun.security.jgss.GSSUtil.login(GSSUtil.java:255)
Apr 30 08:59:59 s_catalina@tomcat   at sun.security.jgss.krb5.Krb5Util.getServiceCreds(Krb5Util.java:334)
Apr 30 08:59:59 s_catalina@tomcat   at sun.security.jgss.krb5.Krb5AcceptCredential$1.run(Krb5AcceptCredential.java:76)
Apr 30 08:59:59 s_catalina@tomcat   at sun.security.jgss.krb5.Krb5AcceptCredential$1.run(Krb5AcceptCredential.java:74)
Apr 30 08:59:59 s_catalina@tomcat   at java.security.AccessController.doPrivileged(Native Method)
Apr 30 08:59:59 s_catalina@tomcat   at sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Krb5AcceptCredential.java:73)
Apr 30 08:59:59 s_catalina@tomcat   ... 171 more
Apr 30 08:59:59 s_catalina@tomcat 2013-04-30 06:59:59,163 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - <org.jasig.cas.support.spnego.authentication.handler.support.JCIFSSpnegoAuthenticationHandler failed authenticating unknown>
Apr 30 08:59:59 s_catalina@tomcat 2013-04-30 06:59:59,171 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
Apr 30 08:59:59 s_catalina@tomcat =============================================================
Apr 30 08:59:59 s_catalina@tomcat WHO: unknown
Apr 30 08:59:59 s_catalina@tomcat WHAT: supplied credentials: unknown
Apr 30 08:59:59 s_catalina@tomcat ACTION: AUTHENTICATION_FAILED
Apr 30 08:59:59 s_catalina@tomcat APPLICATION: CAS
Apr 30 08:59:59 s_catalina@tomcat WHEN: Tue Apr 30 06:59:59 GMT 2013
Apr 30 08:59:59 s_catalina@tomcat CLIENT IP ADDRESS: 192.168.1.10
Apr 30 08:59:59 s_catalina@tomcat SERVER IP ADDRESS: 192.168.1.29
Apr 30 08:59:59 s_catalina@tomcat =============================================================
Apr 30 08:59:59 s_catalina@tomcat >
Apr 30 08:59:59 s_catalina@tomcat 2013-04-30 06:59:59,174 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
Apr 30 08:59:59 s_catalina@tomcat =============================================================
Apr 30 08:59:59 s_catalina@tomcat WHO: unknown
Apr 30 08:59:59 s_catalina@tomcat WHAT: :jcifs.spnego.AuthenticationException: Error performing Kerberos authentication: java.lang.reflect.InvocationTargetException
Apr 30 08:59:59 s_catalina@tomcat ACTION: TICKET_GRANTING_TICKET_NOT_CREATED
Apr 30 08:59:59 s_catalina@tomcat APPLICATION: CAS
Apr 30 08:59:59 s_catalina@tomcat WHEN: Tue Apr 30 06:59:59 GMT 2013
Apr 30 08:59:59 s_catalina@tomcat CLIENT IP ADDRESS: 192.168.1.10
Apr 30 08:59:59 s_catalina@tomcat SERVER IP ADDRESS: 192.168.1.29
Apr 30 08:59:59 s_catalina@tomcat =============================================================
Apr 30 08:59:59 s_catalina@tomcat >
4

1 回答 1

0

您的 jaas.conf 似乎写错了。例外

javax.security.auth.login.LoginException: No LoginModules configured for com.sun.security.jgss.krb5.accept

基本上意味着您的 jaas.conf 中缺少条目。在 tomcat/conf 文件夹中,您必须编写/修改 jaas.conf

示例模块如下(将其附加到现有的 jaas.conf):-

com.sun.security.jgss.krb5.accept {
com.sun.security.auth.module.Krb5LoginModule required
doNotPrompt=true
principal="YOUR PRINCIPAL ASSOCIATED WITH KEYTAB"
useKeyTab=true
keyTab="CORRECT KEYTAB FILE"
storeKey=true
debug=true;
};

这当然是假设您有一个服务器端的密钥表。这还假设您没有在 cas 部署中手动指定自定义 jaas.conf(也可以有一些其他名称)。如果是自定义部署,请将此条目附加到自定义 jaas.conf

我假设(这里我可能错了)cas 是客户。在这种情况下,您需要在其默认的 jaas.conf 中指定一个 com.sun.security.jgss.krb5.initiate 模块(我不知道它的位置在哪里或应该在哪里)。您可以通过以下方式使用 SSO(单点身份验证):-

useTicketCache=true

并声明 useKeyTab=false,这应该会获取您的默认凭据并生成一个主体名称。

如果仍然有问题,请在 tomcat 和 cas 安装中提供所有 *.conf 文件的输出

于 2013-05-02T11:24:09.553 回答