我有一个工作的tomcat实例,其中tomcat-manager applet使用SPNEGO进行身份验证。 当我部署CAS - 配置为使用SPNEGO - 时,会发生以下情况:
我假设应用程序不应该修改其他应用程序的行为,因此使用CAS进行身份验证是自愿的。如果这是真的,那么这种行为将是一个错误。如果没有,那么我认为CAS应该替换应用程序的身份验证,在这种情况下它仍然是一个错误。 但是我也假设我错过了一些关于CAS / tomcat应该如何工作的重要信息。 简而言之:报告是错误的,和/或我应该更多地了解CAS / tomcat应该如何工作(以及在哪里?)
尝试登录管理器小程序时出现异常:
Apr 30 08:57:03 127.0.0.1/127.0.0.1 1 2013-04-30T06:57:03.222Z tomcat http-bio-8080-exec-1 21438 192.168.1.10 - - [30/Apr/2013:06:57:03 +0000] "GET /manager/ HTTP/1.1" 302 -
Apr 30 08:57:03 127.0.0.1/127.0.0.1 1 2013-04-30T06:57:03.301Z tomcat http-bio-8080-exec-2 21438 192.168.1.10 - - [30/Apr/2013:06:57:03 +0000] "GET /manager/html?org.apache.catalina.filters.CSRF_NONCE=146B55AA6642928501CA00F62409FCE8 HTTP/1.1" 401 2486
Apr 30 08:57:03 127.0.0.1/127.0.0.1 1 2013-04-30T06:57:03.348Z tomcat http-bio-8080-exec-3 21438 192.168.1.10 - - [30/Apr/2013:06:57:03 +0000] "GET /manager/html?org.apache.catalina.filters.CSRF_NONCE=146B55AA6642928501CA00F62409FCE8 HTTP/1.1" 500 1000
Apr 30 08:57:04 s_catalina@tomcat Apr 30, 2013 6:57:03 AM org.apache.catalina.authenticator.SpnegoAuthenticator authenticate
Apr 30 08:57:04 s_catalina@tomcat SEVERE: Unable to login as the service principal
Apr 30 08:57:04 s_catalina@tomcat javax.security.auth.login.LoginException: No LoginModules configured for com.sun.security.jgss.krb5.accept
Apr 30 08:57:04 s_catalina@tomcat at javax.security.auth.login.LoginContext.init(LoginContext.java:273)
Apr 30 08:57:04 s_catalina@tomcat at javax.security.auth.login.LoginContext.<init>(LoginContext.java:349)
Apr 30 08:57:04 s_catalina@tomcat at org.apache.catalina.authenticator.SpnegoAuthenticator.authenticate(SpnegoAuthenticator.java:195)
Apr 30 08:57:04 s_catalina@tomcat at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:544)
Apr 30 08:57:04 s_catalina@tomcat at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:168)
Apr 30 08:57:04 s_catalina@tomcat at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:98)
Apr 30 08:57:04 s_catalina@tomcat at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:927)
Apr 30 08:57:04 s_catalina@tomcat at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
Apr 30 08:57:04 s_catalina@tomcat at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
Apr 30 08:57:04 s_catalina@tomcat at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:987)
Apr 30 08:57:04 s_catalina@tomcat at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:579)
Apr 30 08:57:04 s_catalina@tomcat at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:309)
Apr 30 08:57:04 s_catalina@tomcat at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
Apr 30 08:57:04 s_catalina@tomcat at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
Apr 30 08:57:04 s_catalina@tomcat at java.lang.Thread.run(Thread.java:722)
与CAS相同:
Apr 30 08:59:58 127.0.0.1/127.0.0.1 1 2013-04-30T06:59:58.104Z tomcat http-bio-8080-exec-4 21438 192.168.1.10 - - [30/Apr/2013:06:59:58 +0000] "GET /cas/ HTTP/1.1" 302 -
Apr 30 08:59:58 127.0.0.1/127.0.0.1 1 2013-04-30T06:59:58.937Z tomcat http-bio-8080-exec-5 21438 192.168.1.10 - - [30/Apr/2013:06:59:58 +0000] "GET /cas/login HTTP/1.1" 401 954
Apr 30 08:59:59 s_catalina@tomcat 2013-04-30 06:59:58,761 INFO [org.jasig.cas.web.flow.InitialFlowSetupAction] - <Setting path for cookies to: /cas/>
Apr 30 08:59:59 s_catalina@tomcat jcifs.spnego.AuthenticationException: Error performing Kerberos authentication: java.lang.reflect.InvocationTargetException
Apr 30 08:59:59 s_catalina@tomcat at jcifs.spnego.Authentication.processKerberos(Authentication.java:447)
Apr 30 08:59:59 s_catalina@tomcat at jcifs.spnego.Authentication.processSpnego(Authentication.java:346)
Apr 30 08:59:59 s_catalina@tomcat at jcifs.spnego.Authentication.process(Authentication.java:235)
Apr 30 08:59:59 s_catalina@tomcat at org.jasig.cas.support.spnego.authentication.handler.support.JCIFSSpnegoAuthenticationHandler.doAuthentication(JCIFSSpnegoAuthenticationHandler.java:70)
Apr 30 08:59:59 s_catalina@tomcat at org.jasig.cas.authentication.handler.support.AbstractPreAndPostProcessingAuthenticationHandler.authenticate_aroundBody2(AbstractPreAndPostProcessingAuthenticationHandler.java:85)
Apr 30 08:59:59 s_catalina@tomcat at org.jasig.cas.authentication.handler.support.AbstractPreAndPostProcessingAuthenticationHandler.authenticate_aroundBody3$advice(AbstractPreAndPostProcessingAuthenticationHandler.java:57)
Apr 30 08:59:59 s_catalina@tomcat at org.jasig.cas.authentication.handler.support.AbstractPreAndPostProcessingAuthenticationHandler.authenticate(AbstractPreAndPostProcessingAuthenticationHandler.java:1)
Apr 30 08:59:59 s_catalina@tomcat at org.jasig.cas.authentication.AuthenticationManagerImpl.authenticateAndObtainPrincipal(AuthenticationManagerImpl.java:93)
Apr 30 08:59:59 s_catalina@tomcat at org.jasig.cas.authentication.AbstractAuthenticationManager.authenticate_aroundBody0(AbstractAuthenticationManager.java:57)
Apr 30 08:59:59 s_catalina@tomcat at org.jasig.cas.authentication.AbstractAuthenticationManager.authenticate_aroundBody1$advice(AbstractAuthenticationManager.java:57)
Apr 30 08:59:59 s_catalina@tomcat at org.jasig.cas.authentication.AbstractAuthenticationManager.authenticate(AbstractAuthenticationManager.java:1)
Apr 30 08:59:59 s_catalina@tomcat at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
[... 149 more]
Apr 30 08:59:59 s_catalina@tomcat Caused by: java.lang.reflect.InvocationTargetException
Apr 30 08:59:59 s_catalina@tomcat at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
Apr 30 08:59:59 s_catalina@tomcat at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
Apr 30 08:59:59 s_catalina@tomcat at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
Apr 30 08:59:59 s_catalina@tomcat at java.lang.reflect.Method.invoke(Method.java:601)
Apr 30 08:59:59 s_catalina@tomcat at jcifs.spnego.Authentication$ServerAction.run(Authentication.java:511)
Apr 30 08:59:59 s_catalina@tomcat at jcifs.spnego.Authentication.processKerberos(Authentication.java:430)
Apr 30 08:59:59 s_catalina@tomcat ... 160 more
Apr 30 08:59:59 s_catalina@tomcat Caused by: GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new ACCEPT credentials failed!)
Apr 30 08:59:59 s_catalina@tomcat at sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Krb5AcceptCredential.java:81)
Apr 30 08:59:59 s_catalina@tomcat at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:126)
Apr 30 08:59:59 s_catalina@tomcat at sun.security.jgss.GSSManagerImpl.getCredentialElement(GSSManagerImpl.java:192)
Apr 30 08:59:59 s_catalina@tomcat at sun.security.jgss.GSSCredentialImpl.add(GSSCredentialImpl.java:406)
Apr 30 08:59:59 s_catalina@tomcat at sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:60)
Apr 30 08:59:59 s_catalina@tomcat at sun.security.jgss.GSSManagerImpl.createCredential(GSSManagerImpl.java:153)
Apr 30 08:59:59 s_catalina@tomcat ... 166 more
Apr 30 08:59:59 s_catalina@tomcat Caused by: javax.security.auth.login.LoginException: Unable to obtain Princpal Name for authentication
Apr 30 08:59:59 s_catalina@tomcat at com.sun.security.auth.module.Krb5LoginModule.promptForName(Krb5LoginModule.java:796)
Apr 30 08:59:59 s_catalina@tomcat at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:667)
Apr 30 08:59:59 s_catalina@tomcat at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:580)
Apr 30 08:59:59 s_catalina@tomcat at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
Apr 30 08:59:59 s_catalina@tomcat at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
Apr 30 08:59:59 s_catalina@tomcat at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
Apr 30 08:59:59 s_catalina@tomcat at java.lang.reflect.Method.invoke(Method.java:601)
Apr 30 08:59:59 s_catalina@tomcat at javax.security.auth.login.LoginContext.invoke(LoginContext.java:784)
Apr 30 08:59:59 s_catalina@tomcat at javax.security.auth.login.LoginContext.access$000(LoginContext.java:203)
Apr 30 08:59:59 s_catalina@tomcat at javax.security.auth.login.LoginContext$5.run(LoginContext.java:721)
Apr 30 08:59:59 s_catalina@tomcat at javax.security.auth.login.LoginContext$5.run(LoginContext.java:719)
Apr 30 08:59:59 s_catalina@tomcat at java.security.AccessController.doPrivileged(Native Method)
Apr 30 08:59:59 s_catalina@tomcat at javax.security.auth.login.LoginContext.invokeCreatorPriv(LoginContext.java:718)
Apr 30 08:59:59 s_catalina@tomcat at javax.security.auth.login.LoginContext.login(LoginContext.java:590)
Apr 30 08:59:59 s_catalina@tomcat at sun.security.jgss.GSSUtil.login(GSSUtil.java:255)
Apr 30 08:59:59 s_catalina@tomcat at sun.security.jgss.krb5.Krb5Util.getServiceCreds(Krb5Util.java:334)
Apr 30 08:59:59 s_catalina@tomcat at sun.security.jgss.krb5.Krb5AcceptCredential$1.run(Krb5AcceptCredential.java:76)
Apr 30 08:59:59 s_catalina@tomcat at sun.security.jgss.krb5.Krb5AcceptCredential$1.run(Krb5AcceptCredential.java:74)
Apr 30 08:59:59 s_catalina@tomcat at java.security.AccessController.doPrivileged(Native Method)
Apr 30 08:59:59 s_catalina@tomcat at sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Krb5AcceptCredential.java:73)
Apr 30 08:59:59 s_catalina@tomcat ... 171 more
Apr 30 08:59:59 s_catalina@tomcat 2013-04-30 06:59:59,163 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - <org.jasig.cas.support.spnego.authentication.handler.support.JCIFSSpnegoAuthenticationHandler failed authenticating unknown>
Apr 30 08:59:59 s_catalina@tomcat 2013-04-30 06:59:59,171 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
Apr 30 08:59:59 s_catalina@tomcat =============================================================
Apr 30 08:59:59 s_catalina@tomcat WHO: unknown
Apr 30 08:59:59 s_catalina@tomcat WHAT: supplied credentials: unknown
Apr 30 08:59:59 s_catalina@tomcat ACTION: AUTHENTICATION_FAILED
Apr 30 08:59:59 s_catalina@tomcat APPLICATION: CAS
Apr 30 08:59:59 s_catalina@tomcat WHEN: Tue Apr 30 06:59:59 GMT 2013
Apr 30 08:59:59 s_catalina@tomcat CLIENT IP ADDRESS: 192.168.1.10
Apr 30 08:59:59 s_catalina@tomcat SERVER IP ADDRESS: 192.168.1.29
Apr 30 08:59:59 s_catalina@tomcat =============================================================
Apr 30 08:59:59 s_catalina@tomcat >
Apr 30 08:59:59 s_catalina@tomcat 2013-04-30 06:59:59,174 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
Apr 30 08:59:59 s_catalina@tomcat =============================================================
Apr 30 08:59:59 s_catalina@tomcat WHO: unknown
Apr 30 08:59:59 s_catalina@tomcat WHAT: :jcifs.spnego.AuthenticationException: Error performing Kerberos authentication: java.lang.reflect.InvocationTargetException
Apr 30 08:59:59 s_catalina@tomcat ACTION: TICKET_GRANTING_TICKET_NOT_CREATED
Apr 30 08:59:59 s_catalina@tomcat APPLICATION: CAS
Apr 30 08:59:59 s_catalina@tomcat WHEN: Tue Apr 30 06:59:59 GMT 2013
Apr 30 08:59:59 s_catalina@tomcat CLIENT IP ADDRESS: 192.168.1.10
Apr 30 08:59:59 s_catalina@tomcat SERVER IP ADDRESS: 192.168.1.29
Apr 30 08:59:59 s_catalina@tomcat =============================================================
Apr 30 08:59:59 s_catalina@tomcat >
答案 0 :(得分:0)
您的jaas.conf似乎写得不正确。例外
javax.security.auth.login.LoginException: No LoginModules configured for com.sun.security.jgss.krb5.accept
基本上意味着你的jaas.conf中缺少一个条目。在tomcat / conf文件夹中,你必须编写/修改jaas.conf
示例模块如下(将其附加到现有的jaas.conf): -
com.sun.security.jgss.krb5.accept {
com.sun.security.auth.module.Krb5LoginModule required
doNotPrompt=true
principal="YOUR PRINCIPAL ASSOCIATED WITH KEYTAB"
useKeyTab=true
keyTab="CORRECT KEYTAB FILE"
storeKey=true
debug=true;
};
这是假设您有服务器端的密钥表。这也假设您没有在cas部署中手动指定自定义jaas.conf(也可能有一些其他名称)。如果是自定义部署,请将此条目附加到自定义jaas.conf
我假设(这里我可能错了)cas是客户端。在这种情况下,您需要在其默认的jaas.conf中指定com.sun.security.jgss.krb5.initiate模块(我不知道它的位置应该在哪里)。您可以使用以下方法使用SSO(单一身份验证): -
useTicketCache=true
并声明useKeyTab = false,它应该拾取您的默认凭据并生成主体名称。
如果仍有问题,请在tomcat和cas安装中提供所有* .conf文件的输出