如何生成Kerberos安全令牌?

时间:2014-06-06 05:03:55

标签: java gwt kerberos

我正在开发基于Web的应用程序,我的应用程序支持SSO(我们使用Kerberos协议.Active Directory映射和SPN配置都已完成)。

我们正在使用GWT 2.4作为GUI部分,我们支持应用程序的独立和SSO模式(我们可以使用实用程序在这些模式之间切换)。在正常的独立模式下,我们向用户显示一个登录屏幕,用户需要输入登录凭据。在SSO模式下,我们直接将用户带到绕过登录屏幕的应用程序。在客户端,我们曾经通过进行GWT RPC调用来控制这种行为。

这一切都很好。后来我们发现只有在IE浏览器的第一个标签页面打开时,应用程序才会显示空白屏幕。为了解决这个问题,我们用GWT RequestBuilder替换了GWT RPC。问题解决了。但是,SSO功能未按预期工作。

我介绍了跟踪并发现Authorization标头没有使用RequestBuilders显式设置。因此,我使用Base64对用户名:密码组合进行编码,并将其设置为Authorization标头。

例如:授权:基本QWxhZGRpbjpvcGVuIHNlc2FtZQ ==

但这也没有解决我的问题,我发现Negotiate标题没有设置。 我们如何设置Negotiate标头?当我使用与之前描述的相同配置的GWT RPC时,我从未用过显式设置Negotiate标头。

请解释此标题的重要性以及如何生成它?下面是我使用GWT RPC而不是RequestBuilder时生成的Negotiate标头的示例。

Negotiate       YIIMgQYGKwYBBQUCoIIMdTCCDHGgMDAuBgkqhkiC9xIBAgIGCSqGSIb3EgECAgYKKwYBBAGCNwICHgYKKwYBBAGCNwICCqKCDDsEggw3YIIMMwYJKoZIhvcSAQICAQBuggwiMIIMHqADAgEFoQMCAQ6iBwMFACAAAACjggTXYYIE0zCCBM+gAwIBBaEfGx1URVNUQ09SRS5URVNULkRJUi5URUxTVFJBLkNPTaIuMCygAwIBAqElMCMbBEhUVFAbG2x4d2ViMDIyMS5pbi50ZWxzdHJhLmNvbS5hdaOCBHUwggRxoAMCARehAwIBDaKCBGMEggRfLXu0zawh9DwU3Stix9fB4HKqmDA/vuWFgB1k7sCNAf69MyQtNRWdjuWhXsN+yJQPXh6Zu1rKs7qD53NA5EvmVGQo29wrjtUA6KBvtC6L0IpvIbf32yl32oYQcWW0J8Zm5HSz4nNV7NhYo2hrPyDRqGzxTXGBql80W+9zKT+XmE8JMQkItLa3qdSd0ONZsTtofITB22TeBym5mR2usAoQOyfFIdtf19LUBO0ESM+5ix4w6/DZvSCslUfGzKFRefb9FR5L94uwfEfreDlC9UBJ1bLv02IDbM2Nd/5k8A9yfq/HvYDXtXnRwDWoF+UjAJ6k1xMJOVsgrHsxI/E5bqJN0eS+Sb6FIIOGEE/1F0At0auwWIeoOIRDFfT+KNnqKexY9fsGASZDUKvkHaT6IiAPCkB0byYwhSTcBsdP38dh/CclamSL7F6pknFPf4E2521sBINR3uhfwtpkzG3KweW/nNSfrOQUGf5GcU/1Xa2Yv3ArvQ5GvaK357secmkC3pOqg6tbL8LR1CJeTe5kf6yCwCcpxyxxfcpxmc0pcf0WGmINqky4TeeXfH909Xz5/8FODPd5lMbrtFubQP0jiNMxhoRf6Rt0FawAp1K0XbeT7ZBI09+q1NfWXJ3BVVih81nZqEUIGWWTEft4iL6DYTx6Ir5fqgmygJVzY5vk0gmlYZRYaE41GmHvjfUifdegXc3uK+bdC1fFbttEG9y/Pf24dccurXlowIiUhHLYGMPQrPwHwfLIR1+gmstbafW6HnYqdljOgsEphiuPPy58uuw9kfuM3pve4BL7uIylk7vslVs11vHplHLxLCk84b+5mB4ilsVrm6zs71JJOviPgjUo6W2akzVTXcGCeBVNPoqOSHH0ns4kXsqg1eyRNS4C3G/fGkj3D7JudvdnxawZkPDkd3QVrHVXdV4L7QFrZZUQcnHXh0VKXMJmsIDfcMvSIaI0KDEudXfTIq0tC4kuUf3hsiXwsUwW5lIH2uyWkPIoFoF9HdDOowPt7Md/FqvrUdeGBzx5zG8UShgg3NXqyAyRESuAq3uZ25flNPU+7tV7XTdFp5tacNF+lOdp3FAayWacMebAyYzAZnrE3uN6LgPhrM6ybYUumNuSqZ3Razs6et9BfYkLcF6/wH53frjElIol7UDK+tZGtIpTufw3c+CgadoinMCtQB7HraNR4xyNkeXNJdAqyzG2FVDfNN+nAARLnwBhV/+EUo7zxmS6IVNPDHOiwpC6wFAMVXw8RTknD9gRbJITQCa+0tqBhtKb+vmaWBWr51+LlRgjRLZk48d2uvEm7YD/VmfeND63NrWt6yiAQENOoM3RBYK2qt1wq/q+370xrrpEXu6yR33ZrRKFzQj+TIr6VPk8PPSZsig4KLrGqn8VZKTX/w7JpKHhfMyk0kIOFHJ2BS+VLNnwIWKeT8PFcxp8LgGZLrzdCgf90icMS7Hzr7if+DSe/hkuxLNLQeuoMkyFvLM0uvaoeZCApIIHLDCCByigAwIBF6KCBx8EggcbdcF5k5hMPZ8YFGTWLUnCMW4Xb+yRTIZqX1PM+2ArUtZ5fFK+JP0KAeZ6pBihfl7PKZNBu1nR+gQV54p55nExVBrZiGoB0iwV8dyTnRcsVQ7zZiMtGEZ2Q6ILHj07T2KsN1JV+oa9//TsFJq8a7/p19aWV+gDlv+dGYz5WYe51/WB6P2bb1xz1WXSPLus/TPCeF+7ybr0hOeVtqo7IR4YyRuUT5BAXqMuqf7q8Ng6S2Y5LCYGrmQYCK6FNtzMNVNwLzIngdw2Au7iA2bUHdVK0zrhtGvLB3K+HrfHkk39aUev8nwvX0TBHpp6sriz3F0Sm9WY/1RLFCM9DZG4Q4gGi/Ts0NXlarSXVQtB4+U0ZoQ4+iH+xjd4mTIlowqDfHQl4DXlGESPR/H576+ibRepLXdxU8uNxtmey7T+TPIjhTjD5gPQuWHPPwr4jnuixNKuHiRrCxdeZwcbKOzuyYjUfg1qLjhIkC4zFTfhmNNveeH7nvbFNHHqatJY0zoQwn+2mrwgwHfhAJzGLKHrA09tjnGejt9Miqike4B8G/7xuP/92oN1pfe1DmA077+/XVEoqeUlJbzW5txTykOzVa+LRVRLDiMdVkpaUqv3Kp59gaemYSl3QHRsucMGF4HbS8OzV6wJAx+rlK+ftxESwUevKIHMj71vLFpr57Yb27cPBoQDqBOChrHvxHRHxO7F88PS5ZHnlchT0Li5OdElOQLy/erg6c9pALoS4AWkB7bvajs5ATlieqR1jf6KrdUYAj4p0ammNIbKlZiNJd9VdPegwO+pGKNc5o9k18l8/54Obac5eCzQV+1b378s1+Ty2RCNr7bA/Fy9uda45bd4OD5hBypw/I86FUK8Kr7sTQLl1k2GCP19gqlzvkG74/S3h1XntHR/SxD54+vOhRQdJaS7W2EUYEOP3PfQRPIPKH9L88JOOj1w61iRADEfoNdJehtKZdIp0n5nJBz+5xcIVdmM7HarFd3RITOYcdKIvSJvidtN3RjY+XoWPmRMPGu3gUQzHGstsAR4xVycM6yFLElewaV9HmKKTkC3eci7ZyT/911uknNDsfv2lNi6nwoWXEU/su3fEYID7vt83NiOIc+RSfyDbdg+mzE4aK0cl0zryahlASt/RdOHujJ5rkaPB0egBEbhekQtFPO8UM/sSwCvyaZiPuBd8ToP1DtWwmmzim/gbOtA9QKDCAE3xSiLiQGRrqgr5d8Z9flGjg66wZn+RbQbiSHls+mlrcM5io2P4b0HTyPHxXQl9H3zdgvIKNoLls0ybfdTk6CK3j3UTbhkuWH9IoPmmuoUoVgxSRx7A8Wd+0sfUAwM27YwbfpVM6DF8OyNDfTloFF61V3p8RHEFNTKck3e4as1Y814QEOeKS3cYWSEWlLG1pXDl2atGgDCC0UiUR3pQVwGq7U5F1tgBxzdwlHZUG71u1KsQJe+CiUSXo0wEHb0Ic7dWM6DzH87XJ7eqynxfJZPMFFB1WdKMUVfZcqKh+F5tAYXsUtl3V2jE84F7tXEholWkK7ynMofIl6ckJ/Olg15f14mv5MT/p8gBbDJq/cTh55A8D2Y8Xb21w9wsj+BEup0LBB3w5il4nyrXENd81pAxn9amAiNohMxsXY+0R7LpS7QsBNm0FN9KsVBpvbn6K4sLQ8l8xHQ1CPz+DDHgO84l0/r608kQ0bEXwCRgef7zyS0/htHFa06nHV0+PC3NmKTXvhQSUH+8x5kfsvtYINT35/csL94zBr5YtB1ZkrFBU2kB33KyP/EBjQ85XoSLTStrziZOfi7zIxflldAbXRD0G98XbLNXilTN5h09EpCvqcS0D1ijRWLozY53VRoAUMhxmUEjXhF3FbBusakf/3mTT802ipIwt0qsiX+JMAX02nMBPJojtnhOcpzbZ+61wQRyvR6do0GUpNZERTbAaObbOT40w1ovL82XOVJPK+fMwZapRayNyaq4jAFmFSE8z0HTUq4/2GN8QZG3ZUeresn8UU6jGffgD4xuUoxkBQzzoiRbO29lUaNiuyL3W/6QLruB40C4tc9gTbHZRCsTK7D1E/OuunmnlzY1V081wsRikVg6M7HZgSBGhRU4UOGLKAl9A2ZudAhJPOyRewHsq4hkm9tp7p6+ToD6hNMxOiuC8ltkwM/8KA7I5ticvVPV60M+TWOLAn1IMB5es2uWSouzqewomkfQ3pXMVCgjOgQdA1521GLD2ly4aIq6F2LNA9azOdM4NewJHJTUClRK+r2Z/Eb54jhrVwphLoQI+1FanWFiORz1tKmZljY0T+hwU77Vt0hhSv+At77hp4hL4jpKlm/EWCPHAi0W1k5OEHmxXdCc35TZrrlZ6/MMZG2fMJJ5FRe8UGUpqq8pwGZLgilvjHXRPWiXYwvhtDYYGhvCyAvOBvzSlpdA7xWmBABGQ6DHw==

对此的任何帮助将不胜感激。

1 个答案:

答案 0 :(得分:3)

好的,所以这里。

你需要做两件事。 

1. Invoke the LoginContext functionality using JAAS and get the context associated with creating the token header.

2. Creating the negotiate header with it.

第1部分: - 

1.1 Create the file jaas.conf and put the following info inside it following :-

com.sun.security.jgss.krb5.accept {
  com.sun.security.auth.module.Krb5LoginModule required
  doNotPrompt=false
  isInitiator=true
  debug=false;
};

1.2 Point to the file via java.security.auth.login.config to full path of this file.

1.3 LoginContext lc = new LoginContext(); lc.login().

1.3将提示输入用户名和密码,然后为部件创建适当的上下文。

现在实际创建标题: - 

2.1 Create class TokenGenerator which implements PrivilegedExceptionAction<String>. In its run method do the following:-

   2.1.1  GSSName gssServerName = manager.createName(ServiceNameYouWannaConnectTo, null);
   2.1.2: GSSContext context = manager.createContext(gssServerName,
                spnegoOid, null, GSSCredential.DEFAULT_LIFETIME);

   2.1.3: byte spnegoToken[] = context.initSecContext(spnegoToken, 0, spnegoToken.length);

   2.1.3: byte[] encodedToken =  Base64.encodeBase64(spnegoToken);

   2.1.4: return new String(encodedToken, "UTF-8");

2.2 String negotiateHeaderBody = Subject.doAs(lc.getSubject(), new TokenGenerator());

在此之后你可以预先&#34;谈判&#34;并且中提琴你有标题。重要的是要注意我的语法不完美但只是大致正确。我还省略了创建gssmanager和spnegoOid等步骤,这实际上是微不足道的。最后,这是创建令牌的最基本形式。有一些方法可以使jaas.conf编程,甚至可以更精细地控制用于令牌生成的参数。此外,这仅适用于Sun JDK,对于IBM JDK,jaas需要进行一些调整。

如果您有任何问题,请告诉我。

相关问题
最新问题