如何使用带有Kerberos身份验证的嵌入式Jetty Server 9?

时间:2014-12-11 16:24:04

标签: java rest jetty kerberos spnego

我正在尝试使用Jetty嵌入式服务器来公开我的Rest API,现在我想实现Kerberos身份验证。这就是我创建SecurityHandler的方式

    String domainRealm = "MY.COM";

    Constraint constraint = new Constraint();
    constraint.setName(Constraint.__SPNEGO_AUTH);
    constraint.setRoles(new String[]{domainRealm});
    constraint.setAuthenticate(true);

    ConstraintMapping cm = new ConstraintMapping();
    cm.setConstraint(constraint);
    cm.setPathSpec("/*");

    SpnegoLoginService loginService = new SpnegoLoginService();
    loginService.setConfig("/path/to/spnego.properties");
    loginService.setName(domainRealm);

    ConstraintSecurityHandler sh = new ConstraintSecurityHandler();
    sh.setAuthenticator(new SpnegoAuthenticator());
    sh.setLoginService(loginService);
    sh.setConstraintMappings(new ConstraintMapping[]{cm});
    sh.setRealmName(domainRealm);

这是我的spnego.properties:

targetName = HTTP/target.name.com

我的krb5.ini:

[libdefaults]
default_realm = HW.COM
default_keytab_name = FILE:/path/to/target.name.com.keytab
permitted_enctypes = aes128-cts aes256-cts arcfour-hmac-md5 
default_tgs_enctypes = aes128-cts aes256-cts arcfour-hmac-md5 
default_tkt_enctypes = aes128-cts aes256-cts arcfour-hmac-md5 

[realms]
MY.COM= {
    kdc = 12.13.14.222 #IP adress
    admin_server = 12.13.14.222 # IP ADDRESS
    default_domain = MY.COM
}

[domain_realm]
my.com= MY.COM
.my.com = MY.COM

[appdefaults]
autologin = true
forwardable = true

我的spnego.conf:

com.sun.security.jgss.initiate {
     com.sun.security.auth.module.Krb5LoginModule required
     principal="HTTP/target.name.com@MY.COM" 
     keyTab="/path/to/target.name.com.keytab" 
     useKeyTab=true
     storeKey=true 
     debug=true 
     isInitiator=false;
};

com.sun.security.jgss.accept {
     com.sun.security.auth.module.Krb5LoginModule required
     principal="HTTP/target.name.com@MY.COM" 
     useKeyTab=true
     keyTab="/path/to/target.name.com.keytab" 
     storeKey=true 
     debug=true 
     isInitiator=false;
};

设置系统属性:

    System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");
    System.setProperty("java.security.auth.login.config", "/path/to/spnego.conf");
    System.setProperty("java.security.krb5.conf", "/path/to/krb5.ini");

不幸的是,身份验证不起作用。我正在尝试调试SpnegoLoginService.login方法,因为

而登录失败
GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)

您是否知道如何使用Kerberos身份验证设置嵌入式Jetty服务器?

由于

1 个答案:

答案 0 :(得分:6)

问题出在错误的密钥表文件