引起:java.security.PrivilegedActionException:GSSException:检测到有缺陷的令牌(机制级别:GSSHeader找不到正确的标签)

时间:2015-01-07 07:00:44

标签: jboss spring-security

为了实现SSO,我们只需要修改JBoss的Spring Security配置文件并加入Kerberos设置。但我们无法弄清楚为什么会发生GSS异常。

Kerberos和JBoss运行在不同的机器上。请查看Spring配置文件的代码,看看我们是否有任何错误?

krb5.conf文件

[libdefaults]
    default_realm = LAB.LOCAL
    # KDC and realm are resolved from the static entries below, not from DNS.
    dns_lookup_kdc = false
    dns_lookup_realm = false
    # NOTE(review): RC4-HMAC / arcfour-hmac-md5 are listed first. RC4 is deprecated for
    # Kerberos (RFC 8429); once the KDC and the service keytab carry AES keys, drop it or
    # at least list the AES types first so they are preferred.
    permitted_enctypes = RC4-HMAC aes128-cts aes256-cts arcfour-hmac-md5
    default_tgs_enctypes = RC4-HMAC aes128-cts aes256-cts arcfour-hmac-md5
    default_tkt_enctypes = RC4-HMAC aes128-cts aes256-cts arcfour-hmac-md5
[domain_realm] 
.lab.local= LAB.LOCAL
lab.local= LAB.LOCAL
[realms]
  # Realm name is upper case here; Kerberos realm names are case-sensitive, so the
  # servicePrincipal in the Spring configuration must use the same spelling.
  LAB.LOCAL = {
    kdc = 172.18.0.64:88
    default_domain = LAB.LOCAL
  }

spring-security-07-portal.xml

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
  xmlns:util="http://www.springframework.org/schema/util"
  xmlns:sec="http://www.springframework.org/schema/security"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="
    http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
    http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util-3.0.xsd
    http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">

  <!-- Configure security for the web interface. -->
  <!-- Unauthenticated requests are answered by spnegoEntryPoint, i.e. with a
       "WWW-Authenticate: Negotiate" challenge (see the server log). -->
 <sec:http pattern="/**" use-expressions="false" entry-point-ref="spnegoEntryPoint" >
    <!-- This is needed for CSRF protection and must not be removed -->
    <sec:custom-filter ref="csrfChannelProcessingFilter" before="FILTER_SECURITY_INTERCEPTOR" />
<!-- Added a filter for spnego -->
<!-- NOTE(review): the same bean id is also declared in spring-security-03-auth-mgr.xml
     (there without the failureHandler). If both files are loaded into one context, one
     definition silently overrides the other; keep a single definition. -->
    <sec:custom-filter ref="spnegoAuthenticationProcessingFilter" position="PRE_AUTH_FILTER" />
    <!-- Every URL requires a fully authenticated principal; anonymous access is disabled below. -->
    <sec:intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY" />

    <sec:request-cache ref="appianRequestCache"/>

    <sec:anonymous enabled="false"/>

   <!-- <sec:form-login login-page="#{pageUrls.login}" login-processing-url="/auth"
      username-parameter="un" password-parameter="pw"
      authentication-success-handler-ref="appianAuthenticationSuccessHandler"
      authentication-failure-handler-ref="appianAuthenticationFailureHandler"
      authentication-details-source-ref="portalAuthenticationDetailsSource"/> -->

    <sec:session-management session-authentication-strategy-ref="portalSessionAuthenticationStrategy"/>

    <sec:logout logout-url="#{pageUrls.logout}" invalidate-session="true" success-handler-ref="logoutSuccessHandler"/>

   <sec:remember-me services-ref="appianRememberMeServices"/>
  </sec:http>

    <!-- Entry point that issues the Negotiate challenge. Also declared in
         spring-security-03-auth-mgr.xml; see the note on the filter above. -->
    <bean id="spnegoEntryPoint"
            class="org.springframework.security.extensions.kerberos.web.SpnegoEntryPoint" />

  <bean id="logoutSuccessHandler" class="org.springframework.security.web.authentication.logout.SimpleUrlLogoutSuccessHandler">
    <property name="defaultTargetUrl" value="/"/>
    <property name="alwaysUseDefaultTargetUrl" value="true"/>
  </bean>

  <bean id="appianRequestCache" class="com.appiancorp.security.auth.AppianHttpSessionRequestCache" />

  <!-- These configurations are not yet available through the security namespace,
  so we use a BeanPostProcessor to apply settings required by the Portal environment. -->
  <bean id="appianSpringSecurityBeanPostProcessor" class="com.appiancorp.security.auth.BeanPostProcessorForPortalAuth">
    <property name="allowPostOnlyForAuthentication" value="false"/>
    <property name="useForwardForLoginPage" value="true"/>
  </bean>


    <!--These lines have been added to handle SSO with Kerberos -->
    <!-- Parses the "Authorization: Negotiate <token>" header and hands the token to the
         authentication manager. Note that the filter writes the raw Negotiate header to the
         log at DEBUG and WARN (visible in the server log); those values are authentication
         tokens, so treat the log as sensitive and keep debug logging off in production. -->
    <bean id="spnegoAuthenticationProcessingFilter" class="org.springframework.security.extensions.kerberos.web.SpnegoAuthenticationProcessingFilter"> 
        <property name="failureHandler" ref="failureHandler"/> 
        <property name="authenticationManager" ref="authenticationManager" /> 
    </bean> 

    <!-- On a failed Negotiate attempt the user is redirected to the form login page. -->
    <bean id="failureHandler" class="org.springframework.security.web.authentication.ExceptionMappingAuthenticationFailureHandler"> 
        <property name="defaultFailureUrl" value="/portal/loginPage.none?" /> 
    </bean>

</beans>

Spring security-03-auth-mgr.xml

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
  xmlns:util="http://www.springframework.org/schema/util"
  xmlns:sec="http://www.springframework.org/schema/security"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="
    http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
    http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util-3.0.xsd
    http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">

    <!-- Spengo authentication entry point -->
    <!-- NOTE(review): spnegoEntryPoint and spnegoAuthenticationProcessingFilter are also
         defined in spring-security-07-portal.xml (there the filter has a failureHandler).
         If both files are loaded into the same context, one definition silently overrides
         the other; keep a single definition of each bean. -->

 <bean id="spnegoEntryPoint" class="org.springframework.security.extensions.kerberos.web.SpnegoEntryPoint" />
 <bean id="spnegoAuthenticationProcessingFilter"
        class="org.springframework.security.extensions.kerberos.web.SpnegoAuthenticationProcessingFilter">
        <property name="authenticationManager" ref="authenticationManager" />
 </bean>


    <!-- Authentication manager configuration, specifying the class(es) responsible for performing the authentication. -->
    <!-- erase-credentials="true" clears the credential object after a successful login. -->
  <sec:authentication-manager alias="authenticationManager" erase-credentials="true">
  <sec:authentication-provider ref="kerberosServiceAuthenticationProviderWrapped"/>
  </sec:authentication-manager>

<!-- Need to wrap the Authentication Provider using the Authentication Provider Wrapper class. See Appian Forum for details -->
  <bean id="kerberosServiceAuthenticationProviderWrapped" class="com.appiancorp.suiteapi.security.auth.AuthenticationProviderWrapper">
        <constructor-arg ref="kerberosServiceAuthenticationProvider"/>
     </bean>

  <!--Kerberos Authentication Provider -->
  <!-- NOTE(review): this provider only accepts Kerberos/SPNEGO tokens. The token shown in the
       server log starts with "TlRMTVNTUAAB", which is base64 for "NTLMSSP" followed by a
       type 1 marker, i.e. the browser sent an NTLM negotiate message rather than a Kerberos
       ticket; that is exactly what the "GSSHeader did not find the right tag" error reports.
       Browsers typically fall back to NTLM when they cannot obtain a ticket for the service
       principal, e.g. when the site is addressed by IP (the log shows http://172.18.0.78:8080)
       or when the SPN below does not match the host name the client uses. Verify the SPN
       registration and access the site by its registered host name. -->
                 <bean id="kerberosServiceAuthenticationProvider" class="org.springframework.security.extensions.kerberos.KerberosServiceAuthenticationProvider">
                                <property name="ticketValidator" ref="kerberosTicketValidator"/>
                                <property name="userDetailsService" ref="appianUserDetailsServiceNoPwMgmt" />
                </bean>


                <bean id="kerberosTicketValidator" class="org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator">
                                <!-- NOTE(review): the realm is written in lowercase ("lab.local") while krb5.conf
                                     declares LAB.LOCAL; Kerberos realm names are case-sensitive, and the service
                                     principal is normally HTTP/<fully qualified host name>@REALM. Confirm this value
                                     matches an entry in the keytab (klist -k <keytab>) and the SPN registered for
                                     the service account. -->
                                <property name="servicePrincipal" value="HTTP/user01@lab.local" />
                                <!-- The keytab holds the service's long-term key. Restrict its file permissions to
                                     the JBoss runtime user; it currently lives inside the deployed web.war, so make
                                     sure it is not shipped in build artifacts. -->
                                <property name="keyTabLocation" value="file:///usr/local/appian/ear/suite.ear/web.war/WEB-INF/conf/appianrdserver.keytab" />
                                <!-- Verbose Kerberos diagnostics; turn off once the issue is resolved. -->
                                <property name="debug" value="true" />
                </bean>   
                <!-- Points the JVM Kerberos implementation at the krb5.conf shown above. -->
                <bean class="org.springframework.security.extensions.kerberos.GlobalSunJaasKerberosConfig" >
                                <!-- Verbose Kerberos diagnostics; turn off once the issue is resolved. -->
                                <property name="debug" value="true" />
                                <property name="krbConfLocation" value="file:///etc/krb5.conf"/>
                </bean>  
  <!-- Form-login provider (not referenced by the authentication manager above). -->
  <bean id="appianAuthenticationProvider" class="com.appiancorp.suiteapi.security.auth.AuthenticationProviderWrapper">
    <constructor-arg ref="appianAuthenticationProviderInternal"/>
    <constructor-arg ref="scsKeyChangeHandlerNoOp"/>
  </bean>

  <bean id="appianAuthenticationProviderInternal" class="com.appiancorp.security.auth.AppianAuthenticationProvider">
    <constructor-arg ref="appianUserDetailsService"/>
  </bean>

  <bean id="appianUserDetailsService" class="com.appiancorp.suiteapi.security.auth.AppianUserDetailsService"/>
  <bean id="appianUserDetailsServiceForRememberMe" class="com.appiancorp.suiteapi.security.auth.AppianUserDetailsService">
    <constructor-arg value="false"/>
  </bean>

  <!-- Remember-me is disabled (enabled="false"); tokenValiditySec is 14 days in seconds. -->
  <bean id="rememberMeConfiguration" class="com.appiancorp.security.auth.rememberme.RememberMeConfiguration">
    <constructor-arg name="enabled" value="false"/>
    <constructor-arg name="tokenValiditySec" value="1209600"/>
  </bean>

  <bean id="rememberMeScsHandler" class="com.appiancorp.security.auth.rememberme.RememberMeScsHandler">
    <constructor-arg ref="rememberMeConfiguration" />
  </bean>

  <bean id="appianRememberMeServices" class="com.appiancorp.security.auth.rememberme.AppianPersistentTokenBasedRememberMeServices">
    <constructor-arg ref="rememberMeConfiguration"/>
    <constructor-arg ref="rememberMeTokenService"/>
    <constructor-arg ref="appianUserDetailsServiceForRememberMe"/>
    <constructor-arg ref="rememberMeTokenRepository"/>
    <constructor-arg ref="rememberMeScsHandler" />
    <constructor-arg ref="portalAuthenticationDetailsSource"/>
    <property name="seriesLength" value="32"/>
    <property name="tokenLength" value="32"/>
  </bean>

  <bean id="beanPostProcessorForAuthMgr" class="com.appiancorp.security.auth.BeanPostProcessorForAuthMgr">
    <property name="authenticationEventPublisher" ref="appianAuthenticationEventPublisher"/>
    <property name="rememberMeConfiguration" ref="rememberMeConfiguration"/>
  </bean>

  <bean id="appianAuthenticationEventPublisher" class="com.appiancorp.security.auth.AppianAuthenticationEventPublisher"/>


    <bean id="appianUserDetailsContextMapper" class="com.appiancorp.suiteapi.common.spring.security.BasicUserDetailsContextMapper">
       <constructor-arg ref="appianUserDetailsServiceNoPwMgmt"/>
     </bean>

       <!-- User lookup used by the Kerberos provider once the ticket has been validated. -->
       <bean id="appianUserDetailsServiceNoPwMgmt" class="com.appiancorp.suiteapi.security.auth.AppianUserDetailsService">
    <constructor-arg value="false"/>
  </bean>

</beans>

服务器日志

18:03:43,879 INFO  [stdout] (http-/0.0.0.0:8080-1) 2015-01-06 18:03:43,879 [http-/0.0.0.0:8080-1] DEBUG org.springframework.security.web.access.ExceptionTranslationFilter - Calling Authentication entry point.
18:03:43,879 INFO  [stdout] (http-/0.0.0.0:8080-1) 2015-01-06 18:03:43,879 [http-/0.0.0.0:8080-1] DEBUG org.springframework.security.extensions.kerberos.web.SpnegoEntryPoint - Sending back Negotiate Header for request: http://172.18.0.78:8080/suite/designer

18:03:43,912 INFO  [stdout] (http-/0.0.0.0:8080-1) 2015-01-06 18:03:43,912 [http-/0.0.0.0:8080-1] DEBUG org.springframework.security.web.FilterChainProxy - /designer at position 3 of 10 in additional filter chain; firing Filter: 'SpnegoAuthenticationProcessingFilter'
18:03:43,913 INFO  [stdout] (http-/0.0.0.0:8080-1) 2015-01-06 18:03:43,913 [http-/0.0.0.0:8080-1] DEBUG org.springframework.security.extensions.kerberos.web.SpnegoAuthenticationProcessingFilter - Received Negotiate Header for request http://172.18.0.78:8080/suite/designer: Negotiate TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAHIXAAAADw==
18:03:43,917 INFO  [stdout] (http-/0.0.0.0:8080-1) 2015-01-06 18:03:43,917 [http-/0.0.0.0:8080-1] DEBUG org.springframework.security.authentication.ProviderManager - Authentication attempt using com.appiancorp.suiteapi.security.auth.AuthenticationProviderWrapper
18:03:43,918 INFO  [stdout] (http-/0.0.0.0:8080-1) 2015-01-06 18:03:43,917 [http-/0.0.0.0:8080-1] DEBUG org.springframework.security.extensions.kerberos.KerberosServiceAuthenticationProvider - Try to validate Kerberos Token
18:03:43,952 INFO  [stdout] (http-/0.0.0.0:8080-1) 2015-01-06 18:03:43,951 [http-/0.0.0.0:8080-1] WARN  com.appiancorp.security.auth.AuthenticationEventLoggerListener - Cannot retrieve authentication details. Please update your Spring Security XML configuration, so that com.appiancorp.security.auth.AppianAuthenticationDetailsSource is used as the authenticationDetailsSource. (Expected an instance of com.appiancorp.security.auth.AuthenticationDetails, but got null.)
18:03:43,963 INFO  [stdout] (http-/0.0.0.0:8080-1) 2015-01-06 18:03:43,961 [http-/0.0.0.0:8080-1] WARN  org.springframework.security.extensions.kerberos.web.SpnegoAuthenticationProcessingFilter - Negotiate Header was invalid: Negotiate TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAHIXAAAADw==
18:03:43,964 INFO  [stdout] (http-/0.0.0.0:8080-1) org.springframework.security.authentication.BadCredentialsException: Kerberos validation not succesfull
18:03:43,964 INFO  [stdout] (http-/0.0.0.0:8080-1) 	at org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator.validateTicket(SunJaasKerberosTicketValidator.java:69)
18:03:43,964 INFO  [stdout] (http-/0.0.0.0:8080-1) 	at org.springframework.security.extensions.kerberos.KerberosServiceAuthenticationProvider.authenticate(KerberosServiceAuthenticationProvider.java:86)
18:03:43,965 INFO  [stdout] (http-/0.0.0.0:8080-1) 	at com.appiancorp.suiteapi.security.auth.AuthenticationProviderWrapper.authenticate(AuthenticationProviderWrapper.java:86)
18:03:43,965 INFO  [stdout] (http-/0.0.0.0:8080-1) 	at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156)
18:03:43,965 INFO  [stdout] (http-/0.0.0.0:8080-1) 	at org.springframework.security.extensions.kerberos.web.SpnegoAuthenticationProcessingFilter.doFilter(SpnegoAuthenticationProcessingFilter.java:147)
org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:653)
18:03:43,973 INFO  [stdout] (http-/0.0.0.0:8080-1) 	at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:926)
18:03:43,974 INFO  [stdout] (http-/0.0.0.0:8080-1) 	at java.lang.Thread.run(Thread.java:745)
18:03:43,974 INFO  [stdout] (http-/0.0.0.0:8080-1) Caused by: java.security.PrivilegedActionException: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
18:03:43,974 INFO  [stdout] (http-/0.0.0.0:8080-1) 	at java.security.AccessController.doPrivileged(Native Method)
18:03:43,974 INFO  [stdout] (http-/0.0.0.0:8080-1) 	at javax.security.auth.Subject.doAs(Subject.java:415)
18:03:43,974 INFO  [stdout] (http-/0.0.0.0:8080-1) 	at org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator.validateTicket(SunJaasKerberosTicketValidator.java:67)
18:03:43,974 INFO  [stdout] (http-/0.0.0.0:8080-1) 	... 45 more
18:03:43,975 INFO  [stdout] (http-/0.0.0.0:8080-1) Caused by: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
18:03:43,975 INFO  [stdout] (http-/0.0.0.0:8080-1) 	at sun.security.jgss.GSSHeader.<init>(GSSHeader.java:97)
18:03:43,975 INFO  [stdout] (http-/0.0.0.0:8080-1) 	at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:306)
18:03:43,975 INFO  [stdout] (http-/0.0.0.0:8080-1) 	at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
18:03:43,975 INFO  [stdout] (http-/0.0.0.0:8080-1) 	at org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator$KerberosValidateAction.run(SunJaasKerberosTicketValidator.java:146)
18:03:43,975 INFO  [stdout] (http-/0.0.0.0:8080-1) 	at org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator$KerberosValidateAction.run(SunJaasKerberosTicketValidator.java:136)
18:03:43,975 INFO  [stdout] (http-/0.0.0.0:8080-1) 	... 48 more
18:03:43,976 INFO  [stdout] (http-/0.0.0.0:8080-1) 2015-01-06 18:03:43,976 [http-/0.0.0.0:8080-1] DEBUG org.springframework.security.web.authentication.ExceptionMappingAuthenticationFailureHandler - Redirecting to /portal/loginPage.none?
18:03:43,977 INFO  [stdout] (http-/0.0.0.0:8080-1) 2015-01-06 18:03:43,977 [http-/0.0.0.0:8080-1] DEBUG org.springframework.security.web.DefaultRedirectStrategy - Redirecting to '/suite/portal/loginPage.none?appian_environment=designer&'
