我正在使用 kerberos 协议对 Java Swing 应用程序的用户进行身份验证。我能够在客户端成功进行身份验证,但是在服务器端获取用户凭据和角色时遇到问题,我有 ejb,它需要某些角色来创建这些 ejb。
jboss-app.xml 看起来像
<jboss-app>
<security-domain>java:/jaas/spnego-server</security-domain>
<loader-repository>paymenttracker:loader=paymenttracker.ear</loader-repository>
</jboss-app>
调用 Subject.doAs(s, lv) 的客户端类;lv 是一个扩展 PrivilegedExceptionAction 的类。
在 jboss 服务器中的服务器端 login-config.xml 得到以下设置
<application-policy name="spnego-server"><authentication>
<login-module code="com.sun.security.auth.module.Krb5LoginModule" flag="required" >
<module-option name="storeKey">true</module-option>
<module-option name="debug">true</module-option>
<module-option name="useKeyTab">true</module-option>
<module-option name="keyTab">file://c:/ker/tem.keytab</module-option>
<module-option name="principal">HTTP/ws6421.ebrd.com</module-option>
<module-option name="doNotPrompt">true</module-option>
<module-option name="isInitiator">false</module-option>
</login-module></authentication>
</application-policy>
收到以下错误:
16:09:28,990 INFO [STDOUT] Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true
ticketCache is null isInitiator false KeyTab is file://c:/kerberos/ws6421.keytab refreshKrb5Config is false pr
incipal is HTTP/ws6421.my.com tryFirstPass is false useFirstPass is false storePass is false clearPass is fa
lse
16:09:29,087 INFO [STDOUT] principal's key obtained from the keytab
16:09:29,087 INFO [STDOUT] principal is HTTP/ws6421.my.com@MY.COM
16:09:29,088 INFO [STDOUT] EncryptionKey: keyType=23 keyBytes (hex dump)=0000: A9 DD 6C AB C5 D3 A0 9D C8 4
4 18 52 78 3E AB 82 ..l......D.Rx>..
16:09:29,094 INFO [STDOUT] Added server's keyKerberos Principal HTTP/ws6421.ebrd.com@MY.COMKey Version 0key
EncryptionKey: keyType=23 keyBytes (hex dump)=
0000: A9 DD 6C AB C5 D3 A0 9D C8 44 18 52 78 3E AB 82 ..l......D.Rx>..
16:09:29,095 INFO [STDOUT] [Krb5LoginModule] added Krb5Principal HTTP/ws6421.my.com@MY.COM t
o Subject
16:09:29,098 INFO [STDOUT] Commit Succeeded
16:09:29,135 ERROR [SecurityInterceptor] Error in Security Interceptor
java.lang.SecurityException: Denied: caller with subject=Subject:
Principal: HTTP/ws6421.my.com@MY.COM
Private Credential: Kerberos Principal HTTP/ws6421.my.com@MY.COMKey Version 0key EncryptionKey: ke
yType=23 keyBytes (hex dump)=
0000: A9 DD 6C AB C5 D3 A0 9D C8 44 18 52 78 3E AB 82 ..l......D.Rx>..
and security context post-mapping roles=null: ejbMethod=public abstract services.ejb.login.SBLogin services.e
jb.login.SBLoginHome.create() throws javax.ejb.CreateException,java.rmi.RemoteException
at org.jboss.ejb.plugins.SecurityInterceptor.checkSecurityContext(SecurityInterceptor.java:368)
at org.jboss.ejb.plugins.SecurityInterceptor.process(SecurityInterceptor.java:243)