我正在尝试使用Jetty嵌入式服务器来公开我的Rest API,现在我想实现Kerberos身份验证。这就是我创建SecurityHandler的方式
String domainRealm = "MY.COM";
Constraint constraint = new Constraint();
constraint.setName(Constraint.__SPNEGO_AUTH);
constraint.setRoles(new String[]{domainRealm});
constraint.setAuthenticate(true);
ConstraintMapping cm = new ConstraintMapping();
cm.setConstraint(constraint);
cm.setPathSpec("/*");
SpnegoLoginService loginService = new SpnegoLoginService();
loginService.setConfig("/path/to/spnego.properties");
loginService.setName(domainRealm);
ConstraintSecurityHandler sh = new ConstraintSecurityHandler();
sh.setAuthenticator(new SpnegoAuthenticator());
sh.setLoginService(loginService);
sh.setConstraintMappings(new ConstraintMapping[]{cm});
sh.setRealmName(domainRealm);
这是我的spnego.properties:
targetName = HTTP/target.name.com
我的krb5.ini:
[libdefaults]
default_realm = HW.COM
default_keytab_name = FILE:/path/to/target.name.com.keytab
permitted_enctypes = aes128-cts aes256-cts arcfour-hmac-md5
default_tgs_enctypes = aes128-cts aes256-cts arcfour-hmac-md5
default_tkt_enctypes = aes128-cts aes256-cts arcfour-hmac-md5
[realms]
MY.COM= {
kdc = 12.13.14.222 #IP adress
admin_server = 12.13.14.222 # IP ADDRESS
default_domain = MY.COM
}
[domain_realm]
my.com= MY.COM
.my.com = MY.COM
[appdefaults]
autologin = true
forwardable = true
我的spnego.conf:
com.sun.security.jgss.initiate {
com.sun.security.auth.module.Krb5LoginModule required
principal="HTTP/target.name.com@MY.COM"
keyTab="/path/to/target.name.com.keytab"
useKeyTab=true
storeKey=true
debug=true
isInitiator=false;
};
com.sun.security.jgss.accept {
com.sun.security.auth.module.Krb5LoginModule required
principal="HTTP/target.name.com@MY.COM"
useKeyTab=true
keyTab="/path/to/target.name.com.keytab"
storeKey=true
debug=true
isInitiator=false;
};
设置系统属性:
System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");
System.setProperty("java.security.auth.login.config", "/path/to/spnego.conf");
System.setProperty("java.security.krb5.conf", "/path/to/krb5.ini");
不幸的是,身份验证不起作用。我正在尝试调试SpnegoLoginService.login方法,因为
而登录失败GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
您是否知道如何使用Kerberos身份验证设置嵌入式Jetty服务器?
由于
答案 0 :(得分:6)
问题出在错误的密钥表文件
中