使用Kerberos进行域身份验证失败

时间:2015-04-20 12:12:12

标签: grails kerberos spring-security-kerberos

我的应用正在使用Grails,Spring,Kerberos。

的applicationContext.xml 

<beans 
    ...
    <sec:http entry-point-ref="spnegoEntryPoint">
        <sec:intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY" />
        <sec:custom-filter ref="spnegoAuthenticationProcessingFilter"
            position="BASIC_AUTH_FILTER" />
    </sec:http>

    <bean id="spnegoEntryPoint"
        class="org.springframework.security.kerberos.web.authentication.SpnegoEntryPoint" />

    <bean id="spnegoAuthenticationProcessingFilter"
        class="org.springframework.security.kerberos.web.authentication.SpnegoAuthenticationProcessingFilter">
        <property name="authenticationManager" ref="authenticationManager" />
    </bean>

    <sec:authentication-manager alias="authenticationManager">
        <sec:authentication-provider ref="kerberosServiceAuthenticationProvider" />
    </sec:authentication-manager>

    <bean id="kerberosServiceAuthenticationProvider"
        class="org.springframework.security.kerberos.authentication.KerberosServiceAuthenticationProvider">
        <property name="ticketValidator">
            <bean class="org.springframework.security.kerberos.authentication.sun.SunJaasKerberosTicketValidator">
                <property name="servicePrincipal" value="HTTP/my.host.com@MY.DOMAIN.COM" />
                <property name="keyTabLocation" value="file:/u/tomcat/app/apache-tomcat-7.0.11/lib/http-web.keytab"/>
                <property name="debug" value="true" />
            </bean>
        </property>
        <property name="userDetailsService" ref="dummyUserDetailsService" />
    </bean>

    <bean class="org.springframework.security.kerberos.authentication.sun.GlobalSunJaasKerberosConfig">
        <property name="debug" value="true" />
        <property name="krbConfLocation" value="/etc/krb5.conf" />
    </bean>

    <bean id="dummyUserDetailsService"
        class="com.spring.security.kerberos.sample.user.DummyUserDetailsService" />
</beans>

当我部署我的应用程序并在浏览器中输入我的域登录名/密码时,我在Fiddler中收到以下请求:

GET http://my.host.com:8080/myapp HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: ru-RU
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: my.host.com:8080
Cookie: JSESSIONID=EDE49792033A8FC877427704DBE26D85
Proxy-Connection: Keep-Alive
DNT: 1
Authorization: Negotiate YIIHDw...=

据我所知,Kerberos域身份验证成功。但在网页上我看到:

java.lang.NullPointerException
at org.springframework.security.kerberos.authentication.sun.SunJaasKerberosTicketValidator$KerberosValidateAction.run(SunJaasKerberosTicketValidator.java:162)
at org.springframework.security.kerberos.authentication.sun.SunJaasKerberosTicketValidator$KerberosValidateAction.run(SunJaasKerberosTicketValidator.java:151)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:422)
at org.springframework.security.kerberos.authentication.sun.SunJaasKerberosTicketValidator.validateTicket(SunJaasKerberosTicketValidator.java:66)
at org.springframework.security.kerberos.authentication.KerberosServiceAuthenticationProvider.authenticate(KerberosServiceAuthenticationProvider.java:64)
at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156)
....

NPE出现在行

String user = context.getSrcName().toString();

因为context.getSrcName()== null。 出了什么问题?

P.S。:还有一刻:当我输入错误的密码时,它会再次询问我。

1 个答案:

答案 0 :(得分:0)

我找到了解决方案:刚刚将jdk1.8更改为jdk1.7。

相关问题
最新问题