Configuring Kerberos authentication for a web application with Tomcat

Time: 2015-05-05 13:27:13

Tags: tomcat7 windows-authentication kerberos

I am using Windows authentication with Tomcat 7.

I have completed the domain controller setup and the Tomcat instance setup. I cannot get my web application configured with Tomcat; I mean I don't know what I have to change in web.xml, context.xml and server.xml.

Copy the tomcat.keytab file created on the domain controller to $CATALINA_BASE/conf/tomcat.keytab. Create the Kerberos configuration file $CATALINA_BASE/conf/krb5.ini. The file used in this how-to contained:

    [libdefaults]
    default_realm = DEV.LOCAL
    default_keytab_name = FILE:c:\apache-tomcat-7.0.x\conf\tomcat.keytab
    default_tkt_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
    default_tgs_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
    forwardable=true

    [realms]
    DEV.LOCAL = {
            kdc = win-dc01.dev.local:88
    }

    [domain_realm]
    dev.local= DEV.LOCAL
    .dev.local= DEV.LOCAL

The location of this file can be changed by setting the java.security.krb5.conf system property. Create the JAAS login configuration file $CATALINA_BASE/conf/jaas.conf. The file used in this how-to contained:

    com.sun.security.jgss.krb5.initiate {
        com.sun.security.auth.module.Krb5LoginModule required
        doNotPrompt=true
        principal="HTTP/win-tc01.dev.local@DEV.LOCAL"
        useKeyTab=true
        keyTab="c:/apache-tomcat-7.0.x/conf/tomcat.keytab"
        storeKey=true;
    };

    com.sun.security.jgss.krb5.accept {
        com.sun.security.auth.module.Krb5LoginModule required
        doNotPrompt=true
        principal="HTTP/win-tc01.dev.local@DEV.LOCAL"
        useKeyTab=true
        keyTab="c:/apache-tomcat-7.0.x/conf/tomcat.keytab"
        storeKey=true;
    };
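The krb5.ini and jaas.conf shown in the question have to agree with each other (default realm, keytab path, service principal), and a mismatch usually surfaces only as an opaque GSSException when the first browser connects. The script below is an added example and is not part of the question or of Tomcat: it parses constructed copies of the two files and cross-checks them. Its parsers are deliberately minimal (flat key = value lines, one level of braces, no quoted values containing spaces), which is enough for files of the shape shown above.

```python
"""Cross-check a Tomcat krb5.ini / jaas.conf pair (added example, not Tomcat code)."""
import re

# Constructed copies of the two files from the post above (domain_realm section omitted).
KRB5_INI = """[libdefaults]
default_realm = DEV.LOCAL
default_keytab_name = FILE:c:\\apache-tomcat-7.0.x\\conf\\tomcat.keytab
default_tkt_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
default_tgs_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96

[realms]
DEV.LOCAL = {
        kdc = win-dc01.dev.local:88
}
"""

JAAS_CONF = """com.sun.security.jgss.krb5.initiate {
    com.sun.security.auth.module.Krb5LoginModule required
    doNotPrompt=true
    principal="HTTP/win-tc01.dev.local@DEV.LOCAL"
    useKeyTab=true
    keyTab="c:/apache-tomcat-7.0.x/conf/tomcat.keytab"
    storeKey=true;
};

com.sun.security.jgss.krb5.accept {
    com.sun.security.auth.module.Krb5LoginModule required
    doNotPrompt=true
    principal="HTTP/win-tc01.dev.local@DEV.LOCAL"
    useKeyTab=true
    keyTab="c:/apache-tomcat-7.0.x/conf/tomcat.keytab"
    storeKey=true;
};
"""


def parse_krb5(text):
    """Minimal reader: {section: {key: value}}; a 'NAME = {' block nests a dict under NAME."""
    sections, current, block = {}, None, None
    for line in (raw.strip() for raw in text.splitlines()):
        header = re.match(r"\[(\w+)\]$", line)
        if header:
            current, block = sections.setdefault(header.group(1), {}), None
        elif not line or line.startswith("#") or current is None:
            continue
        elif line.endswith("{"):
            block = line[:-1].split("=")[0].strip()
            current[block] = {}
        elif line == "}":
            block = None
        else:
            key, _, value = line.partition("=")
            (current[block] if block else current)[key.strip()] = value.strip()
    return sections


def parse_jaas(text):
    """Minimal reader: {entry: {"module", "flag", "options"}}; one module per entry, no spaces in values."""
    entries = {}
    for name, body in re.findall(r"([\w.]+)\s*\{(.*?)\}\s*;", text, re.S):
        tokens = body.replace(";", " ").split()
        options = dict(tok.partition("=")[::2] for tok in tokens[2:])
        entries[name] = {"module": tokens[0], "flag": tokens[1],
                         "options": {k: v.strip('"') for k, v in options.items()}}
    return entries


def check(krb5_text, jaas_text):
    """Return findings (empty list = consistent). Paths are compared slash- and case-insensitively."""
    norm = lambda p: p.replace("\\", "/").lower()
    krb5, jaas, findings = parse_krb5(krb5_text), parse_jaas(jaas_text), []
    lib = krb5.get("libdefaults", {})
    realm = lib.get("default_realm")
    keytab = lib.get("default_keytab_name", "").replace("FILE:", "", 1)
    if realm not in krb5.get("realms", {}):
        findings.append("default_realm %s has no [realms] entry" % realm)
    for key in ("default_tkt_enctypes", "default_tgs_enctypes"):
        # RC4-HMAC is deprecated (RFC 8429); listing it first makes it the preferred choice.
        if lib.get(key, "").split(",")[0].strip() == "rc4-hmac":
            findings.append("%s lists rc4-hmac first; prefer the AES enctypes" % key)
    for name in ("com.sun.security.jgss.krb5.initiate", "com.sun.security.jgss.krb5.accept"):
        entry = jaas.get(name)
        if entry is None:
            findings.append("jaas.conf has no %s entry" % name)
            continue
        opts = entry["options"]
        principal = opts.get("principal", "")
        if not principal.startswith("HTTP/") or principal.rpartition("@")[2] != realm:
            findings.append("%s: principal %r is not HTTP/<host>@%s" % (name, principal, realm))
        for opt in ("useKeyTab", "storeKey", "doNotPrompt"):
            if opts.get(opt) != "true":
                findings.append("%s: %s should be true for an unattended service" % (name, opt))
        if norm(opts.get("keyTab", "")) != norm(keytab):
            findings.append("%s: keyTab differs from krb5.ini default_keytab_name" % name)
    return findings
```

On the question's own files `check(KRB5_INI, JAAS_CONF)` reports nothing about realm, principal or keytab; the only two findings are that rc4-hmac leads both enctype lists, which is worth fixing before the realm is used in production.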

1 answer:

Answer 0 (score: 0)

In the web application's web.xml you must set the login method, the security roles and the security constraints.

    <login-config>
        <auth-method>SPNEGO</auth-method>
    </login-config>

    <security-role>
        <description>Users</description>
        <role-name>WebAppUsers</role-name>
    </security-role>
    <security-role>
        <description>Admins</description>
        <role-name>WebAppAdmins</role-name>
    </security-role>

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Common Area</web-resource-name>
            <url-pattern>/common/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <!-- must match the role names declared in <security-role> above -->
            <role-name>WebAppUsers</role-name>
            <role-name>WebAppAdmins</role-name>
        </auth-constraint>
        <user-data-constraint>
            <transport-guarantee>NONE</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

Changes to server.xml:

    <?xml version='1.0' encoding='utf-8'?>
    <Server port="8005" shutdown="SHUTDOWN">
        <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="off"/>
        <Listener className="org.apache.catalina.core.JasperListener"/>
        <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener"/>
        <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener"/>
        <Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener"/>
        <Service name="Catalina">
            <Connector port="8080" maxSavePostSize="2097152" URIEncoding="UTF-8"
                maxHttpHeaderSize="65536"/>
            <Engine name="Catalina" defaultHost="localhost">
                <Realm className="org.apache.catalina.realm.JNDIRealm"
                    connectionURL="ldap://dc.mydomain.com:3268"
                    userSubtree="true"
                    userBase="cn=Users,dc=mydomain,dc=com"
                    userSearch="(sAMAccountName={0})"
                    userRoleName="memberOf"
                    roleBase="cn=Users,dc=mydomain,dc=com"
                    roleName="cn"
                    roleSearch="(member={0})"
                    roleSubtree="true"
                    roleNested="true"/>
                <Host name="localhost" appBase="webapps">
                    <Context docBase="ROOT.war" path="">
                        <Valve className="org.apache.catalina.authenticator.SpnegoAuthenticator"
                            storeDelegatedCredential="true" />
                    </Context>
                </Host>
            </Engine>
        </Service>
    </Server>
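Two things in a configuration like the answer's are worth checking mechanically before deployment: every role referenced in an <auth-constraint> must be declared in a <security-role> (an undeclared role can never be granted, so the constraint locks everybody out), and a transport-guarantee of NONE means the SPNEGO token in the Authorization header, and any delegated ticket inside it, crosses the network in cleartext. The script below is an added example, not part of the answer or of Tomcat. It lints a constructed web.xml sample (which deliberately references WebAppUser/WebAppAdmin while declaring WebAppUsers/WebAppAdmins, so the check can be seen firing) and a constructed server.xml sample reduced to the answer's realm and authenticator valve; the javaee default namespace on the sample root is there so the same code also works on a real deployment descriptor.

```python
"""Lint the SPNEGO parts of a Tomcat web.xml and server.xml (added example, not Tomcat code)."""
import xml.etree.ElementTree as ET

# Constructed sample based on the answer's web.xml fragment. The auth-constraint deliberately
# references WebAppUser/WebAppAdmin while the declared roles are WebAppUsers/WebAppAdmins.
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <login-config><auth-method>SPNEGO</auth-method></login-config>
  <security-role><role-name>WebAppUsers</role-name></security-role>
  <security-role><role-name>WebAppAdmins</role-name></security-role>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Common Area</web-resource-name>
      <url-pattern>/common/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>WebAppUser</role-name>
      <role-name>WebAppAdmin</role-name>
    </auth-constraint>
    <user-data-constraint><transport-guarantee>NONE</transport-guarantee></user-data-constraint>
  </security-constraint>
</web-app>"""

# Constructed sample reduced to the answer's realm and authenticator valve.
SERVER_XML = """<Server>
  <Service name="Catalina">
    <Engine name="Catalina" defaultHost="localhost">
      <Realm className="org.apache.catalina.realm.JNDIRealm"
             connectionURL="ldap://dc.mydomain.com:3268"/>
      <Host name="localhost" appBase="webapps">
        <Context docBase="ROOT.war" path="">
          <Valve className="org.apache.catalina.authenticator.SpnegoAuthenticator"
                 storeDelegatedCredential="true"/>
        </Context>
      </Host>
    </Engine>
  </Service>
</Server>"""


def _parse(xml_text):
    """Parse and drop namespaces so a real web.xml (default xmlns) and a bare fragment look alike."""
    root = ET.fromstring(xml_text)
    for el in root.iter():
        if "}" in el.tag:
            el.tag = el.tag.split("}", 1)[1]
    return root


def lint_web_xml(xml_text):
    """Findings for the container-managed security part of a deployment descriptor."""
    root, findings = _parse(xml_text), []
    method = root.findtext("login-config/auth-method")
    if method != "SPNEGO":
        findings.append("auth-method is %r, expected SPNEGO" % method)
    declared = {r.text.strip() for r in root.findall("security-role/role-name")}
    for sc in root.findall("security-constraint"):
        where = ", ".join(p.text for p in sc.findall("web-resource-collection/url-pattern"))
        for role in (r.text.strip() for r in sc.findall("auth-constraint/role-name")):
            # A role used here but never declared can never be granted: the constraint locks everyone out.
            if role != "*" and role not in declared:
                findings.append("%s: role %r is not declared in <security-role>" % (where, role))
        guarantee = sc.findtext("user-data-constraint/transport-guarantee", default="NONE")
        if guarantee != "CONFIDENTIAL":
            # The SPNEGO token (and the delegated ticket, if any) would cross the network in cleartext.
            findings.append("%s: transport-guarantee %s, use CONFIDENTIAL" % (where, guarantee))
    return findings


def lint_server_xml(xml_text):
    """Findings for the realm and authenticator wiring in server.xml."""
    root, findings = _parse(xml_text), []
    valves = [v for v in root.iter("Valve") if v.get("className", "").endswith(".SpnegoAuthenticator")]
    if not valves:
        findings.append("no SpnegoAuthenticator valve configured")
    for valve in valves:
        if valve.get("storeDelegatedCredential", "false").lower() == "true":
            findings.append("SpnegoAuthenticator keeps the user's delegated credential; enable this only "
                            "if the application must reach back-end services as that user")
    for realm in root.iter("Realm"):
        url = realm.get("connectionURL", "")
        if url.startswith("ldap://"):
            findings.append("Realm connectionURL %s is plain LDAP; use ldaps:// (3269 for the global catalog)" % url)
    return findings
```

`lint_web_xml(WEB_XML)` returns three findings (two undeclared roles and the NONE transport guarantee); once the role names are aligned and the guarantee set to CONFIDENTIAL it returns an empty list. `lint_server_xml(SERVER_XML)` flags the stored delegated credential and the cleartext LDAP URL, both of which are design decisions to make consciously rather than errors.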