2

我正在尝试通过 Kerberos/SPNEGO 在我的应用程序中集成 SSO,如此处所述https://docs.spring.io/spring-security-kerberos/docs/1.0.2.BUILD-SNAPSHOT/reference/htmlsingle/#samples- sec-server-win-auth

我的 context.xml 看起来像这样:

 <?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:sec="http://www.springframework.org/schema/security"
       xmlns:context="http://www.springframework.org/schema/context"
       xsi:schemaLocation="
    http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.2.xsd
    http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
    http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd">


    <sec:authentication-manager alias="authenticationManager">
        <sec:authentication-provider ref="kerberosAuthenticationProvider"/>
        <sec:authentication-provider ref="kerberosServiceAuthenticationProvider"/>
    </sec:authentication-manager>

    <bean id="kerberosAuthenticationProvider" class="org.springframework.security.kerberos.authentication.KerberosAuthenticationProvider">
        <property name="kerberosClient">
            <bean class="org.springframework.security.kerberos.authentication.sun.SunJaasKerberosClient">
                <property name="debug" value="true"/>
            </bean>
        </property>
        <property name="userDetailsService" ref="userDetailsService"/>
    </bean>

    <bean class="org.springframework.security.kerberos.authentication.sun.GlobalSunJaasKerberosConfig">
        <property name="debug" value="true"/>
    </bean>

    <bean id="spnegoEntryPoint" class="org.springframework.security.kerberos.web.authentication.SpnegoEntryPoint">
        <constructor-arg value="/login"/>
    </bean>

    <bean id="spnegoAuthenticationProcessingFilter"
          class="org.springframework.security.kerberos.web.authentication.SpnegoAuthenticationProcessingFilter">
        <property name="authenticationManager" ref="authenticationManager" />
    </bean>

    <bean id="kerberosServiceAuthenticationProvider"
          class="org.springframework.security.kerberos.authentication.KerberosServiceAuthenticationProvider">
        <property name="ticketValidator">
            <bean class="org.springframework.security.kerberos.authentication.sun.SunJaasKerberosTicketValidator">
                <property name="servicePrincipal" value="${myapp.kerberos.servicePrincipal}" />
                <property name="keyTabLocation" value="${myapp.kerberos.keytabLocation}" />
                <property name="debug" value="true" />
                <property name="holdOnToGSSContext" value="true"/>
            </bean>
        </property>
        <property name="userDetailsService" ref="userDetailsService" />
    </bean>

    <bean id="kerberosLdapContextSource" class="org.springframework.security.kerberos.client.ldap.KerberosLdapContextSource">
        <constructor-arg value="${myapp.ldap.ldapServerUrl}"/>
        <property name="loginConfig">
            <bean class="org.springframework.security.kerberos.client.config.SunJaasKrb5LoginConfig">
                <property name="keyTabLocation" value="${myapp.kerberos.keytabLocation}"/>
                <property name="servicePrincipal" value="${myapp.kerberos.servicePrincipal}"/>
                <property name="debug" value="true"/>
                <property name="isInitiator" value="true"/>
                <property name="useTicketCache" value="true"/>
            </bean>
        </property>
    </bean>

    <sec:ldap-user-service id="ldapUserDetailsService" server-ref="kerberosLdapContextSource" 
    user-search-filter="(| (userPrincipalName={0}) (sAMAccountName={0}))" />
</beans>

当显式打开登录表单并输入 AD 凭据时,我可以访问我的应用程序的秘密部分(所以它似乎一般工作)。

当我尝试在没有先前显式登录的情况下访问机密部分(例如 /myapp/administration)时,我得到一个 BadCredentialsException,并显示“上下文启动器的 GSSContext 名称为空”。

2018-05-11 16:10:07,578 [http-apr-8080-exec-3] WARN  org.springframework.security.kerberos.web.authentication.SpnegoAuthenticationProcessingFilter - Negotiate Header was invalid: Negotiate YHcG(...)==
org.springframework.security.authentication.BadCredentialsException: GSSContext name of the context initiator is null
    at org.springframework.security.kerberos.authentication.sun.SunJaasKerberosTicketValidator$KerberosValidateAction.run(SunJaasKerberosTicketValidator.java:173)
    at org.springframework.security.kerberos.authentication.sun.SunJaasKerberosTicketValidator$KerberosValidateAction.run(SunJaasKerberosTicketValidator.java:153)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAs(Subject.java:422)
    at org.springframework.security.kerberos.authentication.sun.SunJaasKerberosTicketValidator.validateTicket(SunJaasKerberosTicketValidator.java:68)
    at org.springframework.security.kerberos.authentication.KerberosServiceAuthenticationProvider.authenticate(KerberosServiceAuthenticationProvider.java:64)
    at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:174)
    at org.springframework.security.kerberos.web.authentication.SpnegoAuthenticationProcessingFilter.doFilter(SpnegoAuthenticationProcessingFilter.java:145)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
    at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:200)

我认为异常表明从客户端发送回 Kerberos 的 TGT 已修改/未按预期进行,因此不假定客户端可信赖以接收服务票证。但我不太确定这是否正确。

所以....我错过了什么?

4

1 回答 1

0

我遇到了同样的问题,因为我使用了无效的密钥表文件。尝试替换它并检查您的密钥表创建过程。

于 2019-01-28T07:07:18.570 回答