We use Spring Security with Kerberos in an application deployed on Tomcat 7. If we activate java.security, we get this exception:
java.security.AccessControlException: access denied ("javax.security.auth.PrivateCredentialPermission" "javax.security.auth.kerberos.KeyTab" "read")
java.security.AccessControlContext.checkPermission(AccessControlContext.java:366)
java.security.AccessController.checkPermission(AccessController.java:555)
java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
javax.security.auth.Subject$SecureSet$1.next(Subject.java:1024)
sun.security.jgss.krb5.Krb5Util$ServiceCreds.getKKeys(Krb5Util.java:283)
sun.security.jgss.krb5.Krb5Util$ServiceCreds.getEKeys(Krb5Util.java:301)
sun.security.jgss.krb5.Krb5AcceptCredential.getKrb5EncryptionKeys(Krb5AcceptCredential.java:156)
sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:768)
sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:342)
sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
sun.security.jgss.spnego.SpNegoContext.GSS_acceptSecContext(SpNegoContext.java:871)
sun.security.jgss.spnego.SpNegoContext.acceptSecContext(SpNegoContext.java:544)
sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:342)
sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator$KerberosValidateAction.run(SunJaasKerberosTicketValidator.java:153)
org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator$KerberosValidateAction.run(SunJaasKerberosTicketValidator.java:1)
java.security.AccessController.doPrivileged(Native Method)
javax.security.auth.Subject.doAs(Subject.java:415)
org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator.validateTicket(SunJaasKerberosTicketValidator.java:69)
The javadoc for PrivateCredentialPermission says I have to add something like this to catalina.policy:
grant {
    permission javax.security.auth.PrivateCredentialPermission
        "com.sun.PrivateCredential javax.security.auth.kerberos.KeyTab \"duke\"", "read";
};
where duke is my principal, or just *. Unfortunately this does not work.
What is the correct replacement for com.sun.PrivateCredential?
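The grant in the question is rejected at the `implies` check that `javax.security.auth.Subject$SecureSet.next()` performs: it builds a `PrivateCredentialPermission` from the class of the private credential being read (here `javax.security.auth.kerberos.KeyTab`) plus the class and `getName()` of every principal in the Subject, and the policy grant must imply that permission. The following added example (not part of the question or of Spring Security's code) evaluates several candidate grant strings against such a permission offline, using the public `PrivateCredentialPermission` API. It assumes the JAAS login Subject holds a single `javax.security.auth.kerberos.KerberosPrincipal`, and the service principal name `HTTP/www.example.com@EXAMPLE.COM` is a constructed placeholder.

```java
import javax.security.auth.PrivateCredentialPermission;

/**
 * Added example: evaluates policy grant targets against the permission that
 * Subject.SecureSet asks for when the GSS acceptor reads the KeyTab from the
 * service Subject. Not taken from the question or from Spring Security.
 */
public class KeyTabPermissionCheck {

    // Assumption: the login Subject contains one KerberosPrincipal, whose
    // getName() includes the realm. The principal name is a constructed placeholder.
    static final PrivateCredentialPermission REQUESTED = new PrivateCredentialPermission(
            "javax.security.auth.kerberos.KeyTab "
            + "javax.security.auth.kerberos.KerberosPrincipal \"HTTP/www.example.com@EXAMPLE.COM\"",
            "read");

    /** True when a policy grant with this target string would satisfy the check. */
    static boolean grantCovers(String target) {
        return new PrivateCredentialPermission(target, "read").implies(REQUESTED);
    }

    public static void main(String[] args) {
        String[] candidates = {
            // The javadoc placeholder copied literally, as in the question:
            // credential class com.sun.PrivateCredential never matches KeyTab.
            "com.sun.PrivateCredential javax.security.auth.kerberos.KeyTab \"duke\"",
            // Correct classes, but the short name: KerberosPrincipal.getName() carries the realm.
            "javax.security.auth.kerberos.KeyTab javax.security.auth.kerberos.KerberosPrincipal "
                + "\"HTTP/www.example.com\"",
            // Correct classes and the full principal name.
            "javax.security.auth.kerberos.KeyTab javax.security.auth.kerberos.KerberosPrincipal "
                + "\"HTTP/www.example.com@EXAMPLE.COM\"",
            // Correct classes, any KerberosPrincipal name (broadest grant of the four).
            "javax.security.auth.kerberos.KeyTab javax.security.auth.kerberos.KerberosPrincipal \"*\"",
        };
        for (String target : candidates) {
            System.out.println((grantCovers(target) ? "covers  " : "rejects ") + target);
        }
    }
}
```

The first two candidates print `rejects`, the last two print `covers`. Whichever target you choose, remember that the policy also has to grant it to the code base that performs the read (the Spring Security Kerberos extension jar and the JDK GSS classes on the stack above), and that the wildcard principal name is wider than a grant naming the service principal.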