Is it possible, on the server side, to obtain a service ticket for the client (remote user) so that this ticket can be used to authenticate to another backend?
Scenario: User (IE) ==> AppServer (WebSphere, on Linux) ==> Backend (web service)
- We have SPNEGO auth running and working in the AppServer
- The AD user running the AppServer is trusted for delegation
Thanks in advance
======================
Update
@Michael-O So... it should go step by step like this?
1) Log in as the AppServer user (the one trusted for delegation)
2) Perform a privileged action on his behalf
3) Establish a context between this user and the remote backend
4) initSecContext using the REMOTE USER's SERVICE TICKET
5) As the result of the context initialization, we should have the remote user's service ticket for the remote backend
import java.security.PrivilegedAction;
import java.util.Base64;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

private static Oid krb5Oid;

private static String getToken(byte[] remoteUserServiceTicket) {
    String token = null;
    byte[] serviceTicket = null;
    try {
        krb5Oid = new Oid("1.2.840.113554.1.2.2"); // Kerberos V5 mechanism OID
        // LoginCallbackHandler: own callback handler supplying the AppServer user's name and password
        LoginContext loginCtx = new LoginContext("Krb5Login",
                new LoginCallbackHandler("APPSERVERUSER", "APPSERVERPASSWORD"));
        loginCtx.login();
        Subject subject = loginCtx.getSubject();
        serviceTicket = Subject.doAs(subject, new PrivilegedAction<byte[]>() {
            public byte[] run() {
                try {
                    byte[] delegatedTokenForTheRemoteUser = new byte[0];
                    GSSManager manager = GSSManager.getInstance();
                    GSSName webServerUserName = manager.createName("APPSERVERUSER@MYDOMAIN", GSSName.NT_USER_NAME);
                    GSSCredential webServerCred = manager.createCredential(webServerUserName, 8 * 3600, krb5Oid,
                            GSSCredential.INITIATE_ONLY);
                    GSSName backendName = manager.createName("HTTP/mybackend@MYDOMAIN", null);
                    GSSContext context = manager.createContext(backendName, krb5Oid, webServerCred,
                            GSSContext.DEFAULT_LIFETIME);
                    // the remote user's ticket is passed in as the input token of the first context leg
                    delegatedTokenForTheRemoteUser = context.initSecContext(remoteUserServiceTicket, 0,
                            remoteUserServiceTicket.length);
                    return delegatedTokenForTheRemoteUser;
                } catch (GSSException e) {
                    e.printStackTrace();
                    return null;
                }
            }
        });
    } catch (Exception e) {
        //exception handling omitted
    }
    if (serviceTicket != null) {
        token = Base64.getEncoder().encodeToString(serviceTicket);
    }
    return token;
}
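Added example (not the question's code): the standard GSS-API flow for getting a backend token that carries the remote user's identity, namely accepting the user's SPNEGO token and reusing the delegated credential it yields. It assumes a JAAS entry named `AppServerKrb5` (keytab-based Krb5LoginModule) for the AppServer's service principal, that the AppServer account is allowed to delegate to HTTP/mybackend, and a JDK 8+ Kerberos provider; the class and method names and the `HTTP@mybackend` host-based name are mine.

```java
import java.security.PrivilegedExceptionAction;
import java.util.Base64;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import org.ietf.jgss.*;

public final class DelegatedBackendToken {

    // Input: the SPNEGO token the browser sent to the AppServer (decoded from its
    // "Authorization: Negotiate" header). Output: a Kerberos token for HTTP/mybackend
    // that authenticates the REMOTE USER, not the AppServer account.
    public static String backendTokenFor(byte[] userSpnegoToken) throws Exception {
        // Assumption: JAAS entry "AppServerKrb5" is a keytab-based Krb5LoginModule
        // (useKeyTab=true, storeKey=true) for the AppServer's own service principal.
        LoginContext lc = new LoginContext("AppServerKrb5");
        lc.login();
        return Subject.doAs(lc.getSubject(), (PrivilegedExceptionAction<String>) () -> {
            Oid spnego = new Oid("1.3.6.1.5.5.2");
            Oid krb5 = new Oid("1.2.840.113554.1.2.2");
            GSSManager mgr = GSSManager.getInstance();
            // 1) Accept the user's token with the AppServer's own acceptor credential.
            GSSCredential serverCred = mgr.createCredential(null,
                    GSSCredential.INDEFINITE_LIFETIME, spnego, GSSCredential.ACCEPT_ONLY);
            GSSContext inbound = mgr.createContext(serverCred);
            inbound.acceptSecContext(userSpnegoToken, 0, userSpnegoToken.length);
            if (!inbound.isEstablished()) {
                throw new GSSException(GSSException.FAILURE); // multi-leg SPNEGO not handled
            }
            // 2) Credential that lets the AppServer act for the user: the forwarded TGT if the
            //    browser delegated one, or (JDK 8+) an S4U2Proxy-capable credential when the
            //    AppServer account is configured for constrained delegation to the backend.
            GSSCredential userCred = inbound.getDelegCred();
            if (userCred == null) {
                throw new IllegalStateException("no delegable credential for " + inbound.getSrcName());
            }
            // 3) Initiate a context to the backend AS THE USER. The first initSecContext call
            //    returns the AP-REQ carrying a ticket for HTTP/mybackend issued in the user's
            //    name. The user's ticket for the AppServer is never reused: it is encrypted with
            //    the AppServer's key and is valid only for the AppServer's SPN.
            GSSName backend = mgr.createName("HTTP@mybackend", GSSName.NT_HOSTBASED_SERVICE);
            GSSContext outbound = mgr.createContext(backend, krb5, userCred,
                    GSSContext.DEFAULT_LIFETIME);
            outbound.requestMutualAuth(false);
            byte[] apReq = outbound.initSecContext(new byte[0], 0, 0);
            return "Negotiate " + Base64.getEncoder().encodeToString(apReq);
        });
    }
}
```

If `getDelegCred()` returns null, neither a forwarded TGT nor a constrained-delegation entitlement is in place, and no token can be minted for the user; that is the check to verify in AD before debugging the code.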